Who are you really talking about when you talk about your organization’s business resiliency team? Most likely, you’re actually referring to a collection of teams representing different areas—such as business continuity planning, IT disaster recovery, incident management, and crisis management. And that’s just internal teams; more often than not, there are also external groups—such as third-party suppliers and outsourcing vendors—who also have a role to play in the resiliency of their own organizations as well as those they support. Getting all these disparate groups aligned and working toward the same goals and priorities is critical to building a truly resilient business. To understand why it’s so important, let’s look at what happens when teams aren’t aligned—and what you can do to help get them on the same page.
Case in Point #1: IT Recovery and Business Recovery
Business processes rely heavily on IT systems. In fact, today’s organizations are complex tapestries of business activities, systems, people, information and external partners. Take a company’s payroll process, for example: The business may be counting on payroll operations to be up and running within a couple of hours of an interruption—but what if the IT systems that support payroll operations require 12 hours to resume normal operations? Connecting the separate parts so that each is aware of the other’s ability to recover their processes and systems creates opportunities for business continuity and IT disaster recovery teams to work together to avoid unnecessary delays.
Case in Point #2: Incident Management and Crisis Management
The incident management team deals with day-to-day issues, while the crisis management team deals with major problems—but when the two are able to coordinate closely, the entire business benefits. Close coordination between them enables the two teams to decide together if, for example, an incident needs to be escalated to crisis status—and if not, to handle it without involving the crisis team. When a crisis response is invoked, the “all hands on deck” posture creates expense and inconvenience for everyone; a strong link between the two teams can help avoid going to that extreme unnecessarily.
Case in Point #3: Business Continuity and Third-Party Governance
Business continuity planning and management teams have long been charged with creating and maintaining plans to support critical processes in the event of a business interruption. Today, however, those processes are typically part of a complex, interconnected web of systems and people. This is why alignment between business continuity and third-party governance teams is vital to business resiliency; it enables communication of business continuity requirements to the third parties the organization relies on for aspects of its critical processes, so that those parties can ensure their recovery plans and capabilities are aligned with those of the internal organization. This is especially important if, as is more and more often the case, the organization is outsourcing something extremely critical—data center operations, for example—to a third party.
As you think about these examples of the consequences of having teams in place that aren’t fully aligned in their priorities, it’s a worthwhile exercise to think about your own teams: Where are they in lockstep about post-disaster priorities, and where are they in conflict? Do they share information effectively? If not, what’s the potential fallout in the event of a disaster? How can they work together better in the interest of weaving resiliency into the fabric of your organization?
3 Steps Toward Business Resiliency You Can Take Right Now
First, download the e-book 4 Paths to Integrated Business Resiliency to learn more about how to make your business more resilient. Then take a look back at previous posts on using business impact analysis and process improvement models to build resiliency. Finally, keep an eye on this space for the next and final post in our series on business resiliency, about the importance of visibility.
This is a Security Bloggers Network syndicated blog post authored by Patrick Potter. Read the original post at: RSA Blog