Business Continuity Management

Business Continuity Planning/Disaster Recovery (BCP/DR) solutions have not received as much investment attention from IRM platform vendors as some of the other enterprise solutions. One of the biggest hurdles to integrating BCP capabilities into an organization’s risk management software platform has been the lack of a good asset repository (called a Configuration Management Database, or CMDB). Since tracking assets accurately is vital for a BCP program to function, technology enablement has been slow in coming. Many specialized (standalone) tools were built just to process BCP/DR information and were never meant to integrate with risk management tools. With the advent of asset management platforms integrating risk management and incident response capabilities, it is now possible to perform the critical portions of the BCP/DR process within a single platform.


Several BCP standards and guidelines are available to help an organization maintain a business continuity management program. As an example, the FFIEC has recently released guidance on its expectations for financial services institutions around BCP as part of the IT Examination Handbook dated February 2015. The FFIEC states:


Business continuity planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery. This enterprise-wide framework should consider how every critical process, business unit, department, and system will respond to disruptions and which recovery solutions should be implemented. This framework should include a plan for short-term and long-term recovery operations. Without an enterprise-wide BCP that considers all critical elements of the entire business, an institution may not be able to resume customer service at an acceptable level. Management should also prioritize business objectives and critical operations that are essential for survival of the institution since the restoration of all business units may not be feasible because of cost, logistics, and other unforeseen circumstances.


This planning process represents a continuous cycle that should evolve over time based on changes in potential threats, business operations, audit recommendations, and other remediation efforts as well as test results. All of these functions are tailor-made for an IRM platform to process.


Common capabilities for the business continuity planning process that we normally expect to see within an IRM platform include the following:


  • IT Asset Management

  • Business Continuity Planning

  • Business Impact Assessment

  • Risk Assessment

  • Risk Management

  • Monitoring and Testing


BCP functionality is a good fit for IRM technology platforms due to the benefits of integration with other existing capabilities. For example, the following capabilities can be leveraged by the BCP processes:


  • Threat and vulnerability management

  • Incident management

  • Notification and alerts

  • Workflow

  • Assessment process

  • Linkage with risk register, control libraries (including policies), and asset repositories

  • Scenario analysis/modeling

  • Reporting

  • Asset CMDB

  • Risk scoring model

  • Remediation planning


One of the weaknesses in getting BCP functionality integrated into IRM technology platforms has been the quality of the organization’s CMDB. Having up-to-date and accurate asset information, which includes the information needed to track accountability, is critical for BCP/DR processes.


Sargon Solutions has many years of experience assisting organizations with establishing BCP/DR programs and automating those related capabilities. Common use cases we see from clients include the following:

  • Business Impact Analysis Process

  • CMDB Linkage

  • Integrated Risk Calculation

