To help a business in an unforeseen situation, it is necessary to use effective methods of continuity management. How does the use of modern methods help companies to work stably even during force majeure?
About the expert:
Sergey Kudryashov, Partner of the Department of Management Consulting at DRT.
Business continuity management (BCM) does not always save you from unexpected situations, and here’s why:
- you are not in full control of the continuity;
- the system can exist “for show”;
- processes can only really work in one department (for example, IT);
- it may turn out that the scale of the disaster cannot be handled by the means of the BCM system and instead requires anti-crisis management. Relying exclusively on BCM means in a crisis is fraught with a belated response, subsequent incorrect and untimely decisions, panic, loss of data and funds, and, finally, a stoppage of the enterprise.
What to do in such cases?
Continuity Management Methods
Here are four current trends in the development of business continuity management, which are most in line with the latest changes in the work of enterprises.
Operational stability (Resilience)
The idea of the approach is to ensure a balance between the work of the risk management, crisis management and continuity teams, as well as an understanding of how the organization takes part not only in managing various kinds of risks (reducing the likelihood of an event), but also in responding to them (the actions of employees at the onset of events of various scales – from ordinary incidents to crises). This approach allows you to understand how the company covers the entire range of events that need to be responded to.
Cyber stability (Cyber Resilience)
This trend can be described as linking cybersecurity to continuity. How does it happen in practice? The company has backed up all systems, calculated its RPO (Recovery Point Objective – the maximum period for which data can be lost), has a backup data center, etc. However, modern cyber attacks are unpredictable and destroy backups or encrypt them, because of which there is often nothing to restore from.
How to find a solution? In such circumstances, it is worth thinking about analyzing existing network configurations and organizing backups, designing a modern cyber-resilient backup and recovery architecture, protecting backups, providing a secure recovery environment, as well as coordinated incident response by IT, IS teams and business.
Preparation of anti-crisis teams
Very often, management hopes that “this will never happen” to the company, and if it does happen, then “we have got out of worse situations.” Because they overestimate their abilities and underestimate the risks, managers react late to a crisis situation, make wrong and untimely decisions as a result, and in the end employees panic.
What is the way out? Crisis management is not the same as continuity management – these are events of different scale. You cannot make a plan to get out of a crisis in advance, since a crisis, as a rule, is unique, unlike the interruption of individual processes. That is why the way out of the crisis should be coordinated by the existing management teams. If employees lack experience, it is necessary to train teams, working through various scenarios, and to recruit into the anti-crisis center those who show themselves to be the most ready.
Flexible business continuity management, or Adaptive BC – Adaptive Business Continuity
Most often it happens that the management does not want to delve into the essence of the matter. Analyzing the business impact of the entire enterprise becomes a long and laborious process, continuity plans are outdated instructions, and testing becomes an exam (instead of practicing skills, employees are assessed). The combination of these circumstances leads to the fact that the continuity management system is difficult to use, and it begins to degrade.
Features of the Adaptive BC method are the refusal to conduct business impact assessment and risk assessment, as well as the avoidance of rigid recovery time targets. In this case, recovery time is not a goal, but a constraint. This method does not require detailed plans, and brief documents are used as a guide. In addition, management support should be sought only where it is needed. Adaptive BC contrasts training with testing, which means that training and informing employees must be included in the plan. And, finally, you can build the BCM system not sequentially, but starting from any element, depending on the current business needs.
Case DRT
The separation of the Russian and Belarusian offices from the Deloitte international network and the formation of DRT became a crisis challenge for the company in terms of business continuity.
Several issues arose:
- we were given a strict deadline for exiting the international network – two months;
- we were deeply integrated into the global IT infrastructure;
- we had over 200 critical applications (55% of the total applications) running processes that support business in our country and Belarus.
Thus, we were faced with the task of transferring all employees to new “IT-rails” within 60 days without violating business processes.
However, the Department of Information Technology conducted an analysis and concluded that the transition from one system to another would require a complete shutdown of the organization for a whole month. This would mean that the company had to stop all projects and send employees into forced downtime.
Of course, such a scenario could not suit anyone. Moreover, nobody had ever even assumed that the IT infrastructure would be sent off to operate on its own. There was nothing to rely on. We also faced a lack of skills among IT professionals, who are used to performing basic functions – administration, support, and so on – and had not been taught to “save the world”. The situation was aggravated by the fact that it was necessary to act quickly, otherwise the company would not survive.
We chose the Adaptive BC methodology to make the infrastructure rebuild go smoothly. The internal IT team included employees providing business continuity and IT consulting services. Thus, we combined all the forces of internal services and customer service and began to work.
Three steps to the goal
All the work done can be divided into three stages.
The first stage (definition of restrictions)
We have defined several parameters for ourselves: volume, cost, time, places, people and things.
Scope: the whole company DRT.
Cost: reasonable and sufficient to keep the company.
Time: 60 days.
Locations: offices in our country and Belarus (eight offices).
People: unavailability of 20% of IT staff (during such situations, some employees start to quit, leave, etc.).
Things (material objects): we assumed the complete unavailability of all IT systems on day and hour X, when the switch is pulled, and set a course for the subsequent restoration of all IT systems within three months.
The second stage (ensuring recoverability)
We started working in two streams. The first stream involved determining the recoverability of processes and the availability of resources, competencies and procedures at the moment – this is what the emphasis is on in Adaptive BC. We have determined for ourselves the current recovery level of 45%. In terms of competencies, the figure was slightly higher, but there were clearly not enough procedures to ensure the alternative operation of business processes. Next, we redistributed the internal resources of employees – transferred the skills that the continuity team had to IT specialists and other support services.
The second stream ran in parallel. It was used to plan the order of restoring IT systems and services, because we had to “turn off” one infrastructure and build up the second one at the same time. For the second stream, it was important to spell out further actions clearly, point by point. When predicting the recovery time of IT systems, it was necessary to understand which critical applications are needed to ensure continuous operation. Accordingly, in all areas where the time needed to restore IT systems did not fit into the tolerable interruption of work, we prepared organizational support (that is, procedures and plans) that would allow us to live for some time without a system that is absolutely critical for us.
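The comparison described for the second stream, as an added example that is not part of the original article or DRT's tooling: it derives a restoration schedule from system dependencies and lists the processes whose systems return later than the interruption they can tolerate, which are the ones needing a manual procedure. All system names, durations and tolerances are constructed sample values.

```python
from graphlib import TopologicalSorter

# Constructed sample data (not from the article): days to restore each system
# once its prerequisites are back, and which systems it depends on.
SYSTEMS = {
    "directory": {"days": 2, "needs": []},
    "network":   {"days": 1, "needs": []},
    "mail":      {"days": 3, "needs": ["directory", "network"]},
    "erp":       {"days": 10, "needs": ["directory", "network"]},
    "timesheet": {"days": 4, "needs": ["erp"]},
}

# Constructed sample: business processes, the systems they rely on, and the
# longest interruption (days) each can absorb without a workaround.
PROCESSES = {
    "client communication": {"uses": ["mail"], "tolerable_days": 5},
    "invoicing":            {"uses": ["erp"], "tolerable_days": 7},
    "time reporting":       {"uses": ["timesheet"], "tolerable_days": 20},
}

def restore_schedule(systems):
    """Return {system: day it is back}, restoring prerequisites first."""
    graph = {name: set(spec["needs"]) for name, spec in systems.items()}
    ready = {}
    # static_order() yields prerequisites first and raises CycleError on loops.
    for name in TopologicalSorter(graph).static_order():
        start = max((ready[dep] for dep in systems[name]["needs"]), default=0)
        ready[name] = start + systems[name]["days"]
    return ready

def fallback_gaps(systems, processes):
    """Processes whose systems return later than the tolerable interruption."""
    ready = restore_schedule(systems)
    gaps = {}
    for proc, spec in processes.items():
        back = max(ready[s] for s in spec["uses"])
        if back > spec["tolerable_days"]:
            gaps[proc] = back - spec["tolerable_days"]  # days to bridge manually
    return gaps

if __name__ == "__main__":
    for proc, days in fallback_gaps(SYSTEMS, PROCESSES).items():
        print(f"{proc}: needs a manual procedure for {days} day(s)")
```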
Third stage (migration)
At this stage, the key point was the continuous interaction of continuity specialists, the IT team (engaged in the restoration of services) and all other employees. To do this, detailed information was posted on the internal information portal about which services will be available when, what fallback options are provided and at what points, and who is responsible for all this. General instructions for employees were also sent by e-mail and voiced at meetings. The whole process was as transparent as possible, and it was possible to track where we are at the moment.
Earlier than expected
The migration of IT systems was completed a week ahead of schedule. During this time, we implemented 20 continuity plans, migrated more than 100 critical applications and organized the continuous operation of more than 200 processes. We ourselves “pulled the switch” and ruled out interruptions in the activities of the organization. All the work was done by our own employees without attracting additional resources from outside. The new Adaptive BC technique really helps to survive in the face of time constraints.