TORONTO — A misconception that it’s “”only about the technology”” and a lack of executive commitment may be holding some organizations back from developing a reliable business continuance plan.
“”Many organizations do not have the desired level of commitment from senior executives. This is
an enterprise-wide process that has to be driven from the top-down. Failing to make risk management decisions is not acceptable,”” said David Johnson, manager, security and technology solutions, Ernst & Young. “”Prudent risk management is more than a figure of speech.””
The joint E&Y/Telus event, Business Continuity — Never Optional, Now Required, was held Thursday to help business executives understand what it takes to survive in the event of a disaster.
When a company is considering a business continuance plan (BCP), they are really looking at sustaining customer service says Peter Pereira, chief information officer with Telus. “”It’s about protecting a company’s ability to serve its customers.””
And while earthquakes and terrorism are often cited as the big threats, even the smallest event can cause serious down time with customers.
“”From a business perspective, a disaster can be a burst water pipe in the computer room or failure of a telecommunications provider,”” said Johnson. “”You have to ask yourself ‘In an emergency, what will your customers need? How will you meet those needs?'””
Johnson says a BCP should be business-driven but many senior executives fail to view it as a necessary task that spreads across the enterprise and not just with the IT department. “”It used to be about losing/recovery of computer systems, telecommunications, but the emphasis has changed from recovery to availability.””
But the reality is that creating a BCP should be no different than any other document that applies to business processes.
“”Much of the fear we have is fear of the unknown, but we do business planning every day — this is nothing new. It’s about putting it all in the context of the business perspective,”” said Pereira. “”Think of it as an enterprise-wide risk management plan/program.””
And once established, the BCP must be constantly tested. Pereira cited an incident in which he decided to test a system at Telus and in two minutes hacked into those belonging to his strategic planning team while they were in a meeting.
“”You have to constantly test it — test everything,”” he said.
Telus has created a full-time executive-level position called the Telus Corporate BCP director which oversees the IT BCP planner and the business unit planners.
“”But the key is commitment from the top,”” he said.
Some critical things to identify before embarking on a plan, according to Johnson:
• Reviewing potential threats to business continuity and ass