Thursday, June 22, 2006

Protection vs. Resiliency: The New Standards for BCM...

The latest AT&T Business Continuity Study has been published and the results are surprising. Operational Risk Professionals should take note that 28 percent of the companies do not have adequate plans in place to cope with natural or other disasters.

The findings come from AT&T Inc.'s fifth annual Business Continuity Survey, released Tuesday, which polled about 1,000 CIOs and IT executives at U.S. companies with more than $10 million in annual revenue.

Nearly 30 percent of executives who participated in the survey said their company has suffered from a disaster. Eighty-one percent of executives said cyber security is part of their overall business plan for interruptions in 2006, up from 75 percent in 2005.

Eight out of 10 companies have revised plans in the past 12 months, including 48 percent that say they've been updated in the past six months. Of those companies with plans in place, 40 percent say they have not tested their plan in the past year.

Companies in Los Angeles, Miami, New York and Washington, D.C. were among the most prepared and made their disaster recovery plan a high priority, compared with those less prepared in Detroit, St. Louis and Seattle.


Since 40 percent of those with plans in place have not tested them in the past year, the real question is why? Is it a lack of time, resources or money? Is it the fear that new planning will have to take place once "lessons are learned"? It may be all of the above. Dr. Sean Gorman, who holds a Ph.D. from George Mason University, has some answers that may become the standard for a "Methodology for Critical Infrastructure Resiliency."

His argument is this:

The first step in any comprehensive plan for ensuring the resilient operation and reliable delivery of services is the establishment of a methodology by which standards and metrics can be set. There needs to be a common methodology by which stakeholders can objectively quantify investment in business continuity by measuring resiliency.


His work at FortiusOne is catching the eye of venture capitalists, since the Operational Risk tools that he and his team are developing have a significant impact on any firm with Enterprise Risk Management priorities. This includes financial hedge funds as much as the large commercial retailers who have logistics, transport and supply-chain applications.

FortiusOne's target market encompasses both the public and private sector. The former includes federal, state, local and international segments, with primary emphasis on Homeland Security, National Defense, Intelligence and Emergency Management for critical infrastructure vulnerability assessments and consequence management.

FortiusOne's private sector market addresses risk analysis for the Banking/Financial Services, Transportation, Energy, Telecommunications, Insurance and general Supply Chain segments, with primary emphasis on business continuity planning, business optimization and disaster recovery. Market size exceeds $40B and is trending upward in both public and private sectors. Recent events and consequences related to Hurricane Katrina, terrorist threats and attacks, and corporate management/mis-management events have created intense interest in FortiusOne's products and services.


An Infrastructure Resiliency Methodology provides the enterprise with the business case for investment. How do you know where to spend valuable budget dollars to get the most value for your investment in terms of increased resiliency? The fact is that you have to test, exercise and run scenario simulations to find the failures. This provides the operational impact and economic analysis that management and the Board of Directors need in order to authorize budgets that have a significant return.

There is more help on the way for Business Continuity Management (BCM) as PAS56 evolves into BS 25999:

BS 25999 vs. PAS 56

PAS 56, published in 2003, provided a series of recommendations for business continuity management good practice. It was always intended to be the forerunner of a new standard for BCM (BS 25999). The first draft has been commented on and returned as of June 19th. If you liked what you have seen in ISO 27001, then you will see a similar approach in the next release of the Code of Practice for Business Continuity Management, BS 25999 Part 1. This standard is not intended to be a beginner's guide to BCM and will not cover the activities of emergency planning.

In this new code of practice the taxonomy is established:

Resilience: Ability of an organization to resist being affected by an incident.

The Homeland Security Advisory Council (HSAC) Critical Infrastructure Task Force is setting the policy and the pace for the future: "While protection is a necessary component of building resilience, resilience is not an inevitable outcome of strategies that focus on protection." This provides the foundation for changing our mindset from Critical Infrastructure Protection (CIP) to Critical Infrastructure Resiliency (CIR).
