02 July 2004

“Managing Risk for Corporate Governance” – A 1SecureAudit Education Series

By Peter L. Higgins

Corporate Directors are responsible for Continuous Continuity of the Enterprise

The modern enterprise that understands the myriad potential threats to its people, processes, systems and structures stands to be better equipped for sustained continuity. A Business Crisis and Continuity Management (BCCM) program is a dynamic change management initiative that requires dedicated resources, funding and auditing.

Since effective BCCM analysis is a 24/7 operation, it takes a combination of factors across the organization to provide what one might call C², or “Continuous Continuity”. A one-time threat or risk assessment, or even an annual look at what has changed across the enterprise, opens the door to a Board of Directors’ worst nightmare. These nightmares are “Loss Events” that could have been prevented or mitigated altogether.

According to the best practices from several sources, the Board of Directors is responsible for the BCCM of an organization. The following testing techniques must be used to ensure the continuity plan can be executed in a real-life emergency:

· Table-top testing: Discussing how business recovery arrangements would react by using example interruptions

· Simulations: Training individuals by simulating a crisis and rehearsing their post-incident/crisis management roles

· Technical recovery testing: Testing to ensure information systems can be restored effectively

· Testing recovery at an alternate site: Running business processes in parallel with recovery operations at an off-site location

· Test of supplier facilities and services: Ensuring externally provided services and products will meet the contract requirements in the case of interruptions

· Complete rehearsals: Testing to ensure the organization, employees, equipment, facilities and processes can cope with interruptions

The best practices talk about a BCCM that will be periodically updated. Periodic is not continuous. Change is the key factor here. What changes take place in your organization between these periodic updates? How could any organization accurately account for all the changes to the organization in between BCCM updates? The fact is that they can’t.

This will change over time as organizations figure out that this is now as vital a business component as Accounts Receivable. The BCCM will become a core process of the organization, if it is not already, dynamically evolving by the minute as new change-based factors take place in the enterprise. As new or terminated employees, suppliers and partners enter and leave the BCCM process, the threat profile is updated in real time. This takes operational management that much closer to C², or “Continuous Continuity”.


Having survived several large quakes in Southern California in years past, I’m not sure that all of the testing in the world can prepare people for human behaviors that come from within. People literally lose all sense of common sense when you are on the 42nd floor of the 50+ story skyscraper and without any warning it physically sways a couple feet to the left and a few more feet to the right. Believe me, the issue is not the testing itself, it’s how to create a real enough scenario that you get similar behaviors out of unsuspecting people.

Certainly the largest organizations realize that the threats are taking on different forms than the standard fire, flood, earthquake and twister scenarios. These large catastrophic external loss events have been insured against and the premiums are substantial. What is less easy to analyze from a threat perspective are the constantly changing landscapes and continuity postures of the many facets of the organization having to do with people, processes and systems.

Visit: 1SecureAudit
