Business success is often couched in terms of growing and maintaining the customer base and launching innovative products. Most recently, these business growth strategies have been complemented by a focus on business resiliency. Specifically, how does the business continue to attract new customers, retain existing customers and launch new products and services when faced with disruption? Put this way, business resiliency starts to sound a lot like business continuity/disaster recovery.
IT auditors are no strangers to business continuity. During the risk assessment phase of the audit planning process, auditors collaborate with the business to identify challenges to meeting organizational objectives. Specifically, during business continuity discussions, details around recovery times of applications/systems; awareness and education through tabletop exercises or drills; and business impact analyses (BIA) are refined. A useful but also challenging tool in business continuity planning is consideration of different scenarios. The enterprise must decide, of all the possible scenarios that it could face, which scenarios should be included in the business continuity plan and how should the selected scenarios be prioritized? As long as enterprises have used scenarios, a struggle has existed between the reality of available resources and a desire to be prepared for anything through inclusion of all possible scenarios in the business continuity plan – which is just not feasible.
Not making the struggle any easier is the ongoing global pandemic. Some enterprises had included pandemics in their business continuity plans while other organizations had not. For those enterprises that had not considered pandemics, COVID-19 reinforced the known challenge of not having resources to plan for everything yet wanting to be prepared for everything. As enterprises attempt to reconcile the reality of available resources and the desire not to be caught off guard by an unplanned event, the following are a few considerations:
- Take a high-level look at scenarios and identify commonalities rather than assuming a granular approach. For example, if similarities were identified for pandemics and natural disasters, a common assessment of disruption in service from suppliers and third-party vendors (supply chain) could be performed. Similarly, common identification of any potential single points of failure related to geography could be made.
- Leverage benefits of the cloud. Cloud has been adopted by most enterprises in some form (e.g., SaaS, PaaS, or IaaS). Examples of frequently cited reasons for cloud adoption are increased application/data accessibility or potential cost savings under payment structures where payment is only made for resources used. In addition to these benefits, there is opportunity to view those cloud computing perks as part of business continuity scenarios.
- Educate. Keep people informed and maintain a notification system to reach those who need to act and those who need to be aware. Having the mechanisms to bring people together when an impact occurs allows you to rely on the experts, even if a specific scenario was not imagined ahead of time.
During the recovery phase of an event (if the hecticness of that time allows), the enterprise has an opportunity to use the existing business continuity plan for future planning. Assessing the successes and the areas for improvement identified during an event can be very valuable. Coupled with a balanced approach to scenarios, this use of real-time knowledge of a current event can contribute greatly to business resiliency.
Editor’s note: For additional resources on this topic, download ISACA’s new IT Business Continuity/Disaster Recovery Audit Program.