MHA Consulting CEO Michael Herrera discusses the Business Continuity Management (BCM) trends that he and his team have experienced across their global customer base in 2013:
- Business Continuity staffing in most organizations is not increasing. Many organizations continue to either staff minimally or use outside consultants to augment the program. Business units are having to take more accountability for their plans and use the continuity staff as Subject Matter Experts (SMEs). MHA continues to heavily augment or serve as the BCM or Disaster Recovery Office for a good number of its clients.
- Business Continuity Management (BCM) is the new Business Continuity Planning (BCP). The majority of organizations are renaming their enterprise continuity programs to Business Continuity Management.
- Enterprise Risk Management (ERM) is integrating BCM into its process and utilizing the information gathered through BIAs and Threat & Risk Assessments to support identification of risks and exposures; a good sign.
- The Business Impact Analysis (BIAs) study remain as the foundational component to drive the development of the BCM program. However, senior management is continually looking for us to refine the BIA process, shorten business unit participation time in the studies and ensure the rigor in the process is strong enough to clearly identify the most critical activities and dependencies. A common weakness in most BIA studies is not having management sign off on the results which affects alignment discussions between IT and business.
- We see Recovery Time Objectives (RTOs) continue to get shorter and shorter (e.g., no downtime, 1 hour, 4 hours, etc.) in many of the companies we worked at in 2013. The influx of complex technology and automated workflows and customer demands for uptime require business activities and dependent systems/applications to be recovered in timeframes that mandate “real time” recovery strategies that can be activated immediately, a challenge few companies can support at all levels which causes gaps between the RTOs and the Recovery Time Actuals (RTAs).
- The new norm for tolerance for data loss or Recovery Point Objectives (RPOs) across critical business activities is zero or near zero in many companies due to the use of complex technology and automated workflows that virtually eliminate manual workarounds. However, in many cases, senior management continues to believe they don’t need the data backup technology to meet the RPOs because they believe they can work manually for a period of time. We also find cases where IT cannot afford the technology to provide the short RPOs and/or the business has no idea what their RPOs are currently or what they should be.
- Business and IT RTO/RPO Alignment – Alignment remains a critical gap across a majority of companies whether they are small, medium or large. Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) continue to be driven by Information Technology (IT) versus by the needs of the business.
- Emergency Notification Systems – The use of ENS is becoming widespread. However, organizations routinely struggle with the processes to effectively and efficiently notify associates, getting good contact information from associates and holding testing on a regular basis. However, ENS is only good if we have electricity for our technology.
- Big Data -We have heard a lot about “Big Data”; the monster sized database warehouses that drive today’s businesses. In the old days, data warehouses had low recovery priorities, however, Big Data is now driving mission critical applications requiring short RTOs and RPOs, a huge challenge for Information Technology.
- Companies continue to struggle with Recovery Strategies particularly for the business units of the organization. Yes, work at home will work but only for a limited time and Information Security concerns are limiting its use. Information Technology strategies are making it easier and easier to recover the critical systems and applications. The problem that remains is how will my business get to that data based on their strategy. It is our opinion, that in today’s complex business environments recovery strategies for RTOs of 72 hours need to be fully in place before an event occurs.
- Our most mature clients (financial, utilities) are holding live Recovery Exercises. They shut down production operations and migrate production work to their alternate sites (data center and business) for a day to validate their plans and strategies. Other clients are building in resiliency through diversity of operations which permit them to transfer work loads across their network. But sadly to say, recovery exercises at many organizations are limited to desktop plan reviews, a minimal examination of true recovery capability.
- Customer Audits are filling the inbox of the BCM Office and lowering staff productivity. The sheer number and diversity of questions is requiring management to spend hours completing these audits and reviewing them with the customer. We strongly recommend to our clients to build a Customer Audit process to streamline it, ensure consistency in responses, minimize the opportunity for unauthorized information to be disclosed and take less time.
Overall, 2013 was a good year for BCM. Companies are continuing to recognize the need for BCM in their environments. I was reminded by our Director of Operations that BCM is still a relatively new field and we are still figuring out how to make it a refined, streamlined process.
Happy New Year to You from MHA Consulting