Hello, my reading friends!
My previous post (rus) on Habr was about how the Business Continuity Management function started, as well as about its relations with other corporate functions. In fact, it was quite theoretical.
This time I'd like to describe some practical directions for implementing procedures and tools for Business Continuity Management (BCM) and Operational Resilience (OpRes), plus some real initiatives that can follow the introduction of BCM & OpRes in a company and the accompanying investigation of the corporate landscape and procedures.
What comes to mind when you hear about Business Continuity? Or maybe when they tell you they are going to introduce BC in your company?
I believe most of you who have heard about it or dealt with it before think it is all about answering all sorts of questions like "What procedures are in place in your dept.?", "What risks can you identify in these procedures?", "How would you evaluate the losses (in monetary terms, please) if your procedure stops?" and so on, and so forth.
Naturally, this will cause frustration in many, if not all of you, as none of you will see any practical use in it. Such a negative attitude gains further momentum because similar questions (or maybe the same ones?) are usually asked during regular audit inspections, as well as during the recurring Risk Control Self Assessment, or RCSA, in case your company promotes a risk-oriented culture.
Those familiar with IT security could call that "on-paper" security, whereas others might call it "compliance". Both things matter, but for many people their advantages remain unobvious.
What if we try to reveal some practical aspects of the BCM procedure? Something that can actually be implemented in a company. Let me say in advance that most corporate staff have probably never thought of most of these as related to BCM and OpRes.
I am Sergei Rogachev, an expert in the development and implementation of procedures for business continuity management, operational resilience, and non-financial risks (NFR). I am always willing to share my expertise and eager to communicate with interested people in my Telegram channel on this subject, Continuity & Resilience.
Now I will give you ten practical steps in BCM & OpRes which are useful once integrated into a corporate landscape and which are far from "on-paper". I will also outline some possible objectives and provide business cases for such initiatives.
Notes:
Objectives and business cases aren’t comprehensive and should be studied independently whenever a specific initiative is being worked on.
One more side note. Some of your data systems may duplicate each other's functions two or three times over, or even more, which is why in your company it can be reasonable and expedient to integrate new things into one of the existing systems. If you configure the data flows properly, you can save a lot both during integration and during subsequent maintenance.
Moreover, certain initiatives can only be proposed depending on your current situation, maturity, and the current IT and business landscape of your company.
This list of initiatives has been accumulated from my personal experience gained in several dozen projects in different companies and industries as the subject-matter expert (SME), the BC manager, and the owner of the BCM and IT- & IS-risk functions.
Initiatives list
Integration of BCM & OpRes procedure and tools with Task and Bug Managers.
Business cases:
Monitoring of critical problems with information systems and products;
Tracking progress on work roadmaps, task backlogs, and previously raised findings (including vulnerability remediation and risk mitigation);
Timely discovery of significant changes in the corporate IT landscape and products, maintaining a risk register;
Automation of BCM procedures.
Integration with the infrastructure and application level monitoring system.
Alternatively, a unified monitoring center can be established together with the security service, administrative service, and IT security, but don't forget about separate access rights. The world has seen such cases.
Business cases:
Immediate discovery of failures in critical components of the IT landscape, as well as disruptions and risks in business procedures, plus notification of those who manage the functions and business procedures;
Recording of downtime and reaction times for incidents and issues;
Building the basis for SLA, SLO, SLI, OLA, KPI, and OKR for teams and employees;
Integration aligned with DevOps, DevSecOps, and SRE practices, approaches, and methods;
Design and redesign of Performance Management methodology;
Timely notification of regulators (if required).
Integration with the ITSM system.
Business cases:
Statistical data about incidents and issues, as well as responsible parties and system owners;
Access to information about the root causes of incidents and issues and how they were resolved;
Design, redesign, and control of the corporate Performance Management procedure.
Integration with the Asset Management system.
Business cases:
Information from the catalogue of information systems, products, and services, as well as its maintenance and updating;
Real-time access to aggregated information about the company's assets (data, information, objects) for risk evaluation;
Registration of the asset owners and the parties responsible for them.
Integration with uCMDB.
Business cases:
Information about the composition of information systems, configuration units, and asset owners;
Timely notification about modification of the information system components, emergence of new components, or decommissioning of the legacy components;
Ability to record whether standby capacity is correct and sufficient;
Proactive discovery of insufficient capacity and associated risks, integration with the Capacity Management procedure.
Integration with the HRSM system.
Business cases:
Timely notification about the emergence of new roles or changes to existing ones within the corporate perimeter;
Notification, registration, and update of information about responsible parties and owners of functions, procedures, products, and services within the company;
Identification of risks in the Access Management procedure, such as timely revocation of access rights and blocking of accounts belonging to dismissed employees;
Maintenance and update of communication channels in case of IT-related incidents and crises.
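An added illustration (not from the original post) of the Access Management check mentioned above: reconciling a constructed HRSM termination export against a constructed IAM account export to find accounts still enabled after termination, used after termination, or with no HR owner at all. The record shapes, the one-day grace period, and the reporting date are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample HRSM export (assumed shape): employee id, status, termination date.
HR_RECORDS = [
    {"emp_id": "E001", "status": "active", "terminated_on": None},
    {"emp_id": "E002", "status": "terminated", "terminated_on": date(2024, 3, 1)},
    {"emp_id": "E003", "status": "terminated", "terminated_on": date(2024, 3, 28)},
    {"emp_id": "E004", "status": "terminated", "terminated_on": date(2024, 2, 10)},
]

# Constructed sample IAM/directory export (assumed shape): account, owner, enabled flag, last login.
IAM_ACCOUNTS = [
    {"account": "alice", "emp_id": "E001", "enabled": True, "last_login": date(2024, 3, 30)},
    {"account": "bob", "emp_id": "E002", "enabled": True, "last_login": date(2024, 3, 20)},
    {"account": "carol", "emp_id": "E003", "enabled": True, "last_login": None},
    {"account": "dave", "emp_id": "E004", "enabled": False, "last_login": date(2024, 2, 9)},
    {"account": "svc-backup", "emp_id": "E999", "enabled": True, "last_login": date(2024, 3, 30)},
]

@dataclass(frozen=True)
class Finding:
    account: str
    emp_id: str
    kind: str          # enabled_after_termination | login_after_termination | orphan_account
    days_overdue: int  # how many days past termination (plus grace) the condition persisted

def reconcile(hr_records, iam_accounts, as_of, grace_days=1):
    """Cross-check IAM accounts against HR status; return findings, most overdue first."""
    terminated = {r["emp_id"]: r["terminated_on"] for r in hr_records if r["status"] == "terminated"}
    known = {r["emp_id"] for r in hr_records}
    findings = []
    for acc in iam_accounts:
        emp, term = acc["emp_id"], terminated.get(acc["emp_id"])
        if emp not in known:  # account with no HR owner: nobody is accountable for it
            findings.append(Finding(acc["account"], emp, "orphan_account", 0))
            continue
        if term is None:      # owner still employed, nothing to report
            continue
        overdue = (as_of - term).days - grace_days
        if acc["enabled"] and overdue > 0:
            findings.append(Finding(acc["account"], emp, "enabled_after_termination", overdue))
        if acc["last_login"] and acc["last_login"] > term:
            used_for = (acc["last_login"] - term).days
            findings.append(Finding(acc["account"], emp, "login_after_termination", used_for))
    return sorted(findings, key=lambda f: (-f.days_overdue, f.account))

def demo_findings():
    """Run the reconciliation over the constructed samples as of an assumed reporting date."""
    return reconcile(HR_RECORDS, IAM_ACCOUNTS, as_of=date(2024, 3, 31))

if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f.kind:26} {f.account:12} owner={f.emp_id} days={f.days_overdue}")
```

In practice the two exports would be pulled from the HRSM and IAM systems on a schedule and the findings pushed into the task manager or GRC tool as tickets for the account owners.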
Integration of DR tests into auto-tests within the product release pipeline.
Business cases:
Proactive DR tests (functional recovery tests) following pre-planned scenarios at the product release stage, run as auto-tests alongside the integration, performance, and functional tests;
Significant reduction of time to market (T2M) for corporate products and services, as well as higher product development efficiency.
Integration with the GRC system.
Business cases:
A single automated system for registering controls and their implementation status;
Synchronization of risk management and BC procedure management, as well as exchange and update of missing data between the risk, audit, and BC functions without repeatedly involving the same employees and business users of procedures and information systems (which lets employees stay focused on their direct duties and improves overall work efficiency).
Integration with the EA (Enterprise Architect) corporate systems.
Business cases:
Identifying critically important data sources in the systems and their relation to the company's information systems and products;
Finding single points of failure (SPoF) in the interaction between information systems and products.
Integration with systems that report to external regulators (in some sectors).
Business cases:
Timely notification and compliance with regulatory requirements;
Procedure automation and work efficiency enhancement.
Rest assured that this is far from a complete list of practical steps for introducing Business Continuity and Operational Resilience that could be used and are likely to suit your specific company. Still, the choice is up to you.
Where does it take us?
Resources
Such integrations are full-fledged projects that can hardly be implemented without proper initiation, planning, fund allocation, a team, sponsors, and final implementation with subsequent maintenance.
Basis
The most careful readers must have noticed that I haven't mentioned a rather important thing, and the question is still open: "What am I going to integrate with all these systems?"
As a basis, the tools the company already has can be used. They can be the classic Jira, a SharePoint portal, or any other CMS of an intranet portal that the company already has in place or is going to introduce. There is another option, too: independent dashboards that output the necessary information into one of the BI systems. This can work as well, no problem.
The task is to choose a tool that the company already has (in case the budget is limited, but is it often otherwise?), is not going to decommission or take out of operation, has sufficient time left before EOL/EOS, and can obtain data from the required systems. Mind that finding the target solution is an independent and rather important task in itself.
Competences
Another thing is that such initiatives impose certain (and rather high) requirements on the qualifications of the staff involved in implementing or managing BCM & OpRes procedures. They really can't just appear out of nowhere without proper preparation, for reasons quite obvious.
For such initiatives to come into existence, let alone be secured and maintained afterwards, one must understand how IT architecture, IT infrastructure, ITSM, DevOps, IT security, and other things work. To say nothing of theoretical knowledge about risks, audit, business intelligence, and so on.
By the way, I am shortly going to post about the qualifications required of a BCM & OpRes manager; if you are interested in such topics and other relevant information, join the specialized channel NFR, Business continuity & Resilience.
Anyway, all these steps are implementable. In the long run, companies will benefit from them, and this benefit can be expressed in real money. They will also help with sorting out the mess and maintaining order in a contemporary company's landscape.
Good luck!