Alan Calder on IT Governance, information security & ISO 27001

I came across an interesting post on Ireland’s Security Watch blog making the topical connection between bird flu scares and business continuity planning. It rightly points out that a disaster can strike from unlikely sources when you least expect it.

BCP is a very topical subject generally, given the recent introduction of the BS25999 standard. This finally provides a way for organisations to PROVE that they have a robust plan in place to ensure that their business can withstand adverse events. With our increasingly global and interdependent supply chains, more and more organisations are coming under pressure to reassure their major customers and business partners that they are a safe bet.

To help organisations get to grips with the new Standard and the competitive advantage that being certificated represents, we have just published several new books:

* We have brought out a second edition of Disaster Recovery & Business Continuity, a quick guide for small organisations and busy executives. This is based on last year’s successful book but updated to reflect the particular requirements of the new BS25999 Standard.
* For people needing a quick introductory overview of business continuity management we have launched a new BS25999 Pocket Guide. This sets out all the key facts and is a great tool for organisations that are implementing, or set to implement, a business continuity plan and management system. If you need to share practical knowledge between many project team members this is also a very cost effective way of doing it.
* Lastly, to support the take-up of the new Standard we have launched Business Continuity and BS25999: A Combined Glossary. No previous glossary has adequately addressed the full range of terms likely to be useful to a business continuity practitioner. In this book, we have drawn not only from BS25999 but also a wide range of related standards and frameworks, including ITIL and ISO27001, to create a standardised set of terms that should enable professionals to conduct global conversations based on a shared understanding.

Wise words on the topic of business continuity on ComputerWeekly’s website this week. The Business Continuity Institute’s Bill Crichton has stressed that continuity cannot simply be delivered by investing in the right piece of recovery kit. What is required is a far more all-embracing approach that involves policies, procedures and training, just as much as technology.

As I have written before, people often procrastinate over DR/BC measures because they don’t know where to start. The idea of a ‘fix-all’ recovery system may seem deceptively alluring. However, what is much more relevant is a good overview of the disaster landscape and a starter set of checklists, all of which is contained in our recently published book ‘Business Continuity and Disaster Recovery’, which is already proving very popular. This in turn equips the reader with the knowledge to decide which technology investments may genuinely help their continuity planning.

Buncefield, as Grainne Gilmore makes clear in a Times article today, is a wake up call for all those businesses – large and small – that don’t already have fully thought-through and tested business continuity, disaster recovery and contingency plans.

Directors and top management are responsible for the survival of their businesses. Identifying and planning to deal with the full range of potential risks is a fundamental part of that responsibility.

It’s too late to start preparing when disaster strikes – today, when nothing looks as though it’s about to happen, is the best time to start. And our business continuity web page is the best place to make that start.

Shareholders in Primark, a UK budget fashion retailer, would have been concerned when they heard about the fire that, overnight on 2 November, destroyed its offices, distribution centre and a substantial part of the stock, just at the start of the busy pre-Christmas period. Shares in ABF Foods, its parent company, declined about 2% in early trading the next morning.

The shares, however, quickly recovered and then went up. Why?

According to Times Online: “the shares moved back into positive territory following ABF assurances that it was fully insured for stock loss and disruption and that it had moved swiftly to repair its supply chain.”

Clearly, the board of ABF had, at some point, decided about an appropriate level of stock loss insurance and, even more importantly, had made adequate business continuity arrangements that would enable the business to continue trading in spite of a major disaster such as this one.

Is business continuity planning a major board governance responsibility? You bet!

Anyone contrasting the different levels of preparedness of city and state authorities to deal with hurricanes Katrina and Rita can’t have failed to notice that, for instance, Galveston in Texas was somewhat better prepared to handle the imminent disaster than was New Orleans. Sure, the experience of Katrina in New Orleans galvanised everyone from the White House down, but there’s no way that Galveston’s level of continuity and disaster recovery planning could have been put in place in the interval between Katrina’s strike and Rita’s emergence.

This is a good context within which to ask the question: “Is business recovery planning a key governance responsibility?”

Governance is, in a sense, about the preservation and stewardship of an organization. Boards of directors are supposed to be uninvolved in the day-to-day struggle to turn an honest penny and, therefore, to be in the ideal position to take a strategic view of the risks faced by the organization. And continuity risks – which range from ‘Acts of Nature’ through terrorist attacks to IT system failure – have to fall within the range of issues to be considered. Most continuity risks are characterised by a combination of relative unlikelihood and possibly catastrophic impact.

In my book, that makes business continuity planning (here is a collection of resources) a key board responsibility. The sad truth is that very few boards address it properly and that, consequently, most organizations that experience a continuity-threatening event don’t survive – they might struggle on for a year or so but they ultimately fail. Continuity planning is key to the long term survival of all organizations – both big and small.

Galveston treated it as a critical governance responsibility and made appropriate contingency plans far in advance – so should you.