Taking an holistic approach to continuity planning
In this article, Dave Austin, head of continuity services, Siemens Insight Consulting, aims to explain how the disciplines of Crisis and Incident Management, Business Continuity, IT Continuity and Disaster Recovery link together into one coherent approach to assuring your organisation’s resilience.
A little bit of history may help to explain why there is such a plethora of different terms apparently meaning the same thing. Those of us who are old enough to remember will have been involved in something called Contingency Planning, and in all likelihood we picked this up from our days in the mainframe IT department. As computerisation spread there was some concern that all of an organisation’s key information might become unavailable, and computer crashes were frequent enough to make contingency planning a part of everyday operation. As most of us relied on the giant IBM mainframes, we came into contact with those planning for more extreme events, such as hurricanes, and there was a growing realisation that such things applied to us too.
So the concept of disaster recovery planning took hold, a natural extension to our contingency planning but focussed on rather larger and less predictable events. As the IT planning evolved it became increasingly apparent that this subject was not one that could be determined by the IT Department and that this was a business issue needing business management focus. A new term was coined to describe this wider discipline: business continuity. This was an attempt to encapsulate the contingency planning that was required by a business to deal with unforeseen events that might damage it or even drive it out of business, and crucially it emphasised that this was a business-oriented process and not an IT job. By the time that the IRA started to target the City of London, business continuity had become a recognised term but it was still an infant, and it has taken some time for it to grow to become widely recognised as a key business management discipline.
What of these other terms then? Disaster Recovery lives on, largely but not exclusively being used to describe the IT Department’s recovery plans, but other terms have emerged too. As businesses became increasingly dependent on IT, no longer an added extra but core to the running of the business, it became apparent that loss of service followed by an extended recovery was no longer a viable approach to incidents. What was required was a continuous, or near continuous, service which allowed users and customers some form of continuous operation. Systems developed that allowed for geographically dispersed data and processing. Even the mainframe world, through Geographically Dispersed Parallel Sysplex, sought to achieve true IT Continuity, and a new term was born.
Incident Management emerged as a term from a variety of sources, and in truth is still used to describe a large number of rather different forms of event. In IT, an incident might be any failure that results in a call to the Help Desk – from a printer failing in the office to a complete failure of the organisation’s main computer capability. The development of ITIL and related standards has led to the adoption of widely recognised approaches, but these are different to how the term incident would be used by (say) the Police, the Fire Service or the Local Authority, who may use it to describe something as major as evacuating a town to deal with unexploded bombs. Health and Safety, Security and others will all use this term in a recognisably similar way to the IT Department, but each with their own twist on the term.
Crisis management
In business continuity, the term Crisis Management took hold. This reflected a perception that there is a material difference between the printer going down and the very existence of the organisation being threatened by the loss of the data centre. Crisis Management plans were written and Crisis Management teams formed, and this reflected a need for top level management to respond rapidly and in a co-ordinated way, taking into account the public perception of their organisation, the needs of staff, the strategic goals of the organisation and the need to provide authority to those dealing with the issues on the ground. However, many organisations subsequently recognised the pejorative nature of this term, which seemed to imply that a problem had run out of control, and so they have turned once again to using the term “incident management”, but now defining this to mean a continuum of events ranging from our printer breakdown to pandemic influenza, with carefully defined criteria to determine at what level and how this should be managed. The new British Standard BS25999-1 recognises this evolution and has used the term incident management whilst continuing to acknowledge the widespread use of the term “crisis management”.
So where does this leave us today? Business continuity describes the strategic and tactical capability of the organisation to plan for and respond to incidents in order to continue business operations at an acceptable pre-defined level. For this to be effective, you need a clear Incident Management structure so that you can confirm the nature and extent of an incident, take control of the situation, contain the incident and communicate with stakeholders. The subsequent response is then dependent on the effectiveness of the management team in flexibly executing their plans for people, premises, technology, information, supplies and stakeholders. Whilst the IT department may be key in many organisations, it is only one part of a whole organisation response, and the execution of the disaster recovery and/or IT Continuity plans is now driven entirely by business priorities.
