Achieving Enterprise Resiliency and Corporate Certification
–By Thomas Bronack, CBCP–
Do all of your recovery personnel understand the full range of recovery disciplines used by your firm? Do you have a recovery organization chart defining functions, assigning people to positions, and showing work flow? Is your recovery operation as efficient as you would like it to be? Can people function across recovery disciplines should the need arise due to personnel shortages or unplanned for disaster events? Have you utilized industry best practices to create and support recovery operations? Are audit controls built into your recovery operations? Is gaining a corporate certification for recovery operations a goal of the company? Are you afraid your company’s reputation could be affected by a disaster event? Any of these problems can hurt your company and its clients.
When an emergency occurs, most companies will activate the Emergency Operations Center (EOC) where First Responders take control and direct recovery operations. Unfortunately, First Responders are usually from the Emergency Management discipline and may not be familiar with Business Continuity Management or Workplace Violence Prevention. Valuable time and decision making abilities can be lost due to the different languages and tools used by the various recovery disciplines, thereby exposing the business to confusion, extended outages, and loss of reputation.
The goal of this document is to provide a method to develop a common recovery language and toolset that can be used by all recovery disciplines, resulting in better communications, faster recovery times, and a more safeguarded reputation. Domestic and International Corporate Certification guidelines are reviewed to help establish a foundation upon which the company can implement recovery operations, while Best Practices are examined to help direct the creation of recovery operations in adherence to industry accepted practices. Integrating audit controls within recovery operations will ensure that your recovery plans and procedures meet industry best practices and can be reviewed by auditors to guaranty compliance.
By following these guidelines, your company will be prepared to incorporate new and updated recovery techniques as they are introduced and accepted by the industry. You will also be confident that you are developing recovery operations that have a wide acceptance by the industry.
The steps followed to “Achieving Enterprise Resiliency and Corporate Certification” include:
1. Problem Definition – where your company is today and what your organization must do to improve recovery operations by implementing a common recovery language and toolset that will optimize recovery communications and efficiency. The goal of this phase is to identify any gaps and exceptions (e.g., compliance, recovery operations, command centers, incident management, etc.) that need to be mitigated through better controls.
2. Solution Formulation – define the best solution to achieve Enterprise Resiliency for your company (combining recovery operations, developing a common recovery language, and creating a common recovery toolset). The goal of this phase is to determine how to best mitigate uncovered gaps and exceptions, while establishing a foundation upon which Enterprise Resiliency and Corporate Certification can be achieved.
3. Implement Enterprise Resiliency – will combine recovery operations into a common recovery discipline and develop a common language and toolset for recovery operations. It is not designed to eliminate the current recovery disciplines, but rather to help them communicate better. Common tools will allow for the gathering of information needed to support recovery operations and better respond to disaster events.
4. Utilize Best Practices – by using industry accepted Best Practices you will be assured that whatever recovery process is developed it will have a solid foundation upon which recovery operations can be optimized. This will both protect the company better and allow for corporate certification should you choose to go in that direction.
5. Integrate Enterprise Resiliency – will provide for new and changed components to be included in recovery operations without personnel having to perform additional steps that are outside of their everyday functions and company standards. Adherence to System Development Life Cycles and Version and Release Management will insure that the recovery environment is constantly maintained in a current state. Documentation, awareness activities, and educational services must be provided to employees and other personnel affected by recovery operations, with certifications sought for key personnel.
6. Emergency Response Planning Environment – a recovery environment that protects against threats and business interruptions, while adhering to compliance requirements, will be constructed by following the direction of this document. The Emergency Response Planning environment is fed by the Crisis Management, Business Continuity, Disaster Recovery, and Workplace Violence Prevention processes. It is responsible for creating company response plans (Security Plans, Evacuation Plans, Salvage Plans, Restoration Plans, and Recovery Plans), National Response Plans (OSHA, etc.), and better Crisis Communications.
7. Gaining Corporate Certification – will be a company decision that management will have to make, but following the guidelines included in this document will allow you to create a solid recovery operation that can support corporate certification through best practices, integration, and audit ability. Adherence to certification guidelines described in this document will lead to gaining a corporate certification supported by both international (BS25999) and domestic (CERT Resiliency Engineering Framework) certification
8. Enterprise Resiliency Environment – once completed recovery operations will have a specific structure that interfaces with all aspects of the organization. It will incorporate the Emergency Operations Center (EOC), Command Centers, Lines of Business, Emergency Response Management, Business Continuity Management, and Business Integration into a cohesive operation sharing a common language and a common set of tools.
Tom Bronack has been in Information Technology for over 30 years. His technical background started at IBM in the NY Banking Office where he was a mainframe hardware CE and software PSR. He held the positions of Computer Risk Manager, Technical Support Manager, Capacity and Performance Manager, NE Regional Systems Engineering Manager, and Systems Programming Manager before starting his own firm in 1980 where he offered consulting, sales, and managerial assistance to a large number of firms. His Disaster Recovery, Business Recovery, Emergency Management, and Workplace Violence Prevention experience is based on a strong knowledge of how companies are structured, the functions performed by personnel, and how work flow is accomplished. His contributions have proven very helpful to many companies seeking compliance safeguards, performance improvements, and the implementation of recovery operations that best protect personnel and company assets. Mr. Bronack can be reached at firstname.lastname@example.org.