Can You Demonstrate Business Continuity Readiness?

The traditional disaster recovery plan was often something that sat on a shelf, looked at periodically, and handed to an auditor or member of the board upon request.  Today, demonstrating that a DR plan exists, that it is part of an overall business continuity plan, and that it is actually followed and works is often a requirement for establishing a business relationship.

Proof of active business continuity management is something many businesses request before signing a critical agreement.  In other words, does the supplier of critical goods and services take steps to continue delivery when something breaks?  If not, stepping away from the table to look for an organization which understands the importance of uninterrupted service and product delivery is increasingly common.

In a Forrester/Disaster Recovery Journal Business Continuity Preparedness Survey, 80 percent of respondents claimed they had to provide proof of business continuity readiness during the previous 12 months (Businesses Take BC Planning More Seriously, Stephanie Balaouras, Forrester, 26 Feb 2009).  The following graph from the survey results depicts sources of the requests.

Using information in the survey and my own experience over the past five years, I made a list of people, businesses, or agencies who might ask you to demonstrate the resiliency of your information infrastructure.

  • Business auditors: Internal and third-party auditors want more today than a DR manual.  They want to understand how you approach Business Continuity Event Management (BCEM), from a failed server or switch to unavailability of the data center.
  • Regulatory auditors or courts: HIPAA is just one of several government regulations, both in place and emerging, which include information availability requirements.  Further, requests for proof of effective BCEM might be part of a discovery request for events which caused financial damage or physical injury.
  • Recipients of your products and services: You’d like your customers to consider you their primary supplier of a critical service or product.  However, their BCEM plan might dictate proof that all critical suppliers can react quickly to internal interruptions or to interruptions by their suppliers.  This means not only do you have to demonstrate you can recover, you must also show you’ve asked the same of your suppliers. 

In addition to these situations, there is often a general expectation that certain services will be available.  For example, I don’t believe any business users of Google mail services asked the provider to demonstrate continuity capabilities—this includes me.  There was a general perception that a cloud services provider understands the need and ensures continuous delivery.  That doesn’t seem evident by the Google online services stoppage this week, but I’m sure we all learned something about expectation setting—including Google.  What unknown expectations do your customers have?

Creating and managing a BCEM program consists of a series of steps, steps which can take several months if you haven’t already started.  However, it will be a resource commitment with an ROI demonstrated by improved existing-customer satisfaction and new-customer confidence in your ability to support their operations.

The following will help jumpstart your BCEM efforts:

Copyright © 2009 IDG Communications, Inc.
