Comparing how-to guides for business continuity standards


Paul Kirvan, Contributor
06.24.2009

In a previous article on SearchDisasterRecovery.com, I compared two leading business continuity standards: NFPA 1600 vs. BS 25999. Given the growing concern about compliance with standards, we decided to examine documents that go beyond simply stating what needs to be done. We searched for and reviewed documents that explain how to conduct business continuity activities. Regrettably, few publicly available documents of this type exist.

Most standards and guidance documents let users decide how to perform specific business continuity tasks. The documents we examined are the DRI International (DRII)/Disaster Recovery Journal (DRJ) Generally Accepted Practices (GAP) and the Business Continuity Institute's (BCI) Good Practice Guidelines (GPG).

Let's begin by comparing the processes associated with performing a risk assessment, a key activity in the early stages of a business continuity plan.

DRII/DRJ GAP:

  • Identify and define all potential risks to the process/functions to include regulatory, legal, operational, technological, financial, informational and physical security. Geographic characteristics may also need to be factored in.
  • Define applicable threats to the enterprise, such as hurricanes, tornadoes, floods, wildfires, civil unrest, acts of terrorism, mass transportation breakdowns, utility failures, etc.
  • Assess the probability of the threat.
  • Assess the impact from the threat.
  • Quantify/qualify the threat into a risk matrix.
  • Identify potential mitigations to reduce, eliminate or transfer the risk.

BCI GPG:

  • Tabulate a scoring system for impacts and probabilities and agree with the project sponsor.

  • List threats to the urgent business processes determined in a business impact analysis (BIA).
  • Estimate the impact of the threat on the organization using a numerical scoring system.
  • Determine the likelihood (probability or frequency) of each threat occurring and weight according to a numerical scoring system.
  • Calculate a risk by combining the scores for impact and probability of each threat according to an agreed formula.
  • Optionally prioritize the risks according to a formula that includes a measure of the ability to control that threat.
  • Obtain the organization sponsor's approval and sign-off of these risk priorities.
  • Review existing risk management control strategies, noting where the assessed risk level is out of step with the current risk management strategies for that threat.
  • Consider appropriate measures to:
    • Transfer the risk, e.g., through insurance.
    • Accept the risk, e.g., where impact/probability are low.
    • Reduce the risk, e.g., through the introduction of further controls.
    • Avoid the risk, e.g., by removing the cause or source of the threat.
  • Ensure that planned risk measures do not increase other risks. For example, outsourcing an activity may decrease some types of risk while increasing others.
  • Obtain the organization sponsor's approval, a budget and sign-off for the proposed risk management controls.
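The GAP list above asks for the threat to be quantified or qualified into a risk matrix, and the GPG list spells out the scoring steps (impact score, likelihood score, a combined risk score by an agreed formula, an optional controllability weighting, a check against existing controls, and a choice among transfer/accept/reduce/avoid). The following is an added example, not code or values from either guidance document or from the author: a small risk register that carries those steps through. The 1-5 scales, the band thresholds, the multiplicative formula, the treatment rules and the sample threats are all constructed assumptions; a real programme would agree them with the sponsor as the GPG steps require.

```python
from dataclasses import dataclass

# Scales, band thresholds and treatment rules are constructed assumptions for
# this example; the guidance documents leave these to be agreed with the sponsor.
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "catastrophic"}
LIKELIHOOD_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
# (upper bound of impact*likelihood, band label); 25 is the maximum possible score.
BANDS = [(4, "Low"), (9, "Medium"), (15, "High"), (25, "Critical")]


@dataclass(frozen=True)
class Threat:
    name: str
    impact: int           # 1..5, see IMPACT_SCALE
    likelihood: int       # 1..5, see LIKELIHOOD_SCALE
    controllability: int  # 1 (little influence) .. 5 (fully within our control)


def _validate(t: Threat) -> None:
    for field in ("impact", "likelihood", "controllability"):
        value = getattr(t, field)
        if not 1 <= value <= 5:
            raise ValueError(f"{t.name}: {field} must be in 1..5, got {value}")


def risk_score(t: Threat) -> int:
    """Agreed formula (assumed here): impact multiplied by likelihood."""
    _validate(t)
    return t.impact * t.likelihood


def risk_band(score: int) -> str:
    """Map a combined score onto the qualitative cell of the risk matrix."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} is outside the 1..25 matrix")


def priority_score(t: Threat) -> int:
    """GPG optional step: weight the risk by our inability to control the threat."""
    return risk_score(t) * (6 - t.controllability)


def recommend_treatment(t: Threat) -> str:
    """Pick one of the four GPG treatment options from band and controllability."""
    band = risk_band(risk_score(t))
    if band == "Low":
        return "Accept"          # impact/probability both low
    if t.controllability == 1:   # we cannot materially reduce it ourselves
        return "Avoid" if band == "Critical" else "Transfer"  # e.g. relocate / insure
    return "Reduce"              # introduce further controls


def build_register(threats):
    """Return register rows sorted by priority (highest first), ties by name."""
    rows = []
    for t in threats:
        score = risk_score(t)
        rows.append({
            "threat": t.name,
            "impact": IMPACT_SCALE[t.impact],
            "likelihood": LIKELIHOOD_SCALE[t.likelihood],
            "score": score,
            "band": risk_band(score),
            "priority": priority_score(t),
            "treatment": recommend_treatment(t),
        })
    rows.sort(key=lambda r: (-r["priority"], r["threat"]))
    return rows


def control_gaps(threats, current_strategy_band):
    """GPG step: note where the assessed level is out of step with the band the
    existing risk management strategy for that threat was designed for."""
    gaps = []
    for t in threats:
        assessed = risk_band(risk_score(t))
        current = current_strategy_band.get(t.name, "None")
        if assessed != current:
            gaps.append((t.name, assessed, current))
    return gaps


# Constructed sample input using threat types named in the GAP list.
SAMPLE_THREATS = [
    Threat("Hurricane", impact=5, likelihood=2, controllability=1),
    Threat("Flood", impact=2, likelihood=2, controllability=4),
    Threat("Utility failure", impact=3, likelihood=4, controllability=3),
    Threat("Wildfire", impact=5, likelihood=4, controllability=1),
    Threat("Mass transportation breakdown", impact=2, likelihood=3, controllability=2),
]
# Constructed: the band each existing control strategy was sized for.
SAMPLE_CURRENT_STRATEGY = {
    "Hurricane": "Medium", "Flood": "Low", "Utility failure": "High",
    "Mass transportation breakdown": "Medium",
}

if __name__ == "__main__":
    for row in build_register(SAMPLE_THREATS):
        print(f"{row['priority']:>4} {row['band']:<8} {row['treatment']:<8} {row['threat']}")
    for name, assessed, current in control_gaps(SAMPLE_THREATS, SAMPLE_CURRENT_STRATEGY):
        print(f"gap: {name} assessed {assessed}, existing strategy sized for {current}")
```

Run as a script, the register lists the wildfire first (critical, uncontrollable, so avoidance) and flags the hurricane whose existing strategy was sized for a lower band than the fresh assessment gives it; that second list is the input to the final sign-off step, since it is where budget for new controls is justified.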

Next, let's compare the process for defining business continuity strategies:

DRII/DRJ GAP:

  • Engage in a dialog with management on the reporting process within the organization and on expectations.
  • Develop or utilize an existing reporting format that is meaningful to direct management, including status, activities for the next period, risks, constraints and potential problems.
  • Review the risk assessment(s) when selecting a strategy to ensure that there are no conflicts.
  • Summarize risks and continuity timelines, and present project timelines to senior management for approval of the strategies that are developed.
  • Request approval of strategy from a direct manager.
  • Seek advice on content for the next approval level.
  • Put together appropriate content change for the next approval level.
  • Repeat until final approval is achieved at the senior management level.
  • Utilize the information in the BIA, ensuring that new critical processes and/or systems are identified.
  • Review the "worst-case scenario" for which these strategies might apply.
  • Ensure that location and human resources issues, environmental risks, customer/supplier chains, etc., are taken into consideration when developing the strategies.
  • Have a full understanding of risk acceptance and how it may affect this strategy.
  • Identify vital records throughout the organization.
  • Understand retention periods for vital records, including electronic and paper.
  • Define key aspects, such as location, method and security, for backup and/or storage of vital records.
  • Ensure that senior management accepts the program for vital records retention.
  • Develop system and data backup strategies that will meet the recovery point objective from the BIA requirements for each critical system identified.
  • Review internal resources (e.g., multiple locations with like business functions and technology).
  • Search out external business resources using processes such as requests for information, queries to professional organizations, etc.
  • Review the following types of recovery alternatives and be prepared to make recommendations:
    • Alternative sites or business facilities.
    • Cold, warm or hot sites.
    • Drop-ship/quick-ship agreements.
    • Manual procedures.
    • Mitigation.
    • Mobile trailers.
    • Reciprocal agreements.
    • Work from home.
    Note: This list may not be all-inclusive.

BCI GPG:

  • Form a business continuity management strategy team.
  • Identify the organization's business strategy, objectives and legal and regulatory requirements, and understand how a continuity strategy will support these objectives.
  • If a BIA has been conducted, ascertain the effects of a loss of product and services and review its scope, assumptions and findings.
  • Consider the strategy for each product and service.
  • Provide members of executive management with the report, so they can choose options based on the organization's current and future business strategy.
  • Ensure the agreed outline option is signed off by executive management, including the financial and resource provisions.
  • Implement an ongoing process to ensure that the strategy is reviewed.
  • Utilize some of the following tools to develop the organization's business continuity management strategy:
    • A BIA.
    • Strategy planning tools.
    • Benchmarking against appropriate national and international standards.
    • Political, environmental, social and technical analyses.
    • Cost-benefit analysis (including stakeholder, legislative and regulatory assessment).
    • SWOT analysis (strengths, weaknesses, opportunities, threats).
    • Financial planning and management.

As you can see, the steps to address these two activities vary greatly, despite the fact that their ultimate outcomes should be virtually the same.

In this article we have compared two well-known guidance documents that provide more than simply what should be done in a business continuity (BC) project. While the amount of process-level detail is still perhaps not as extensive as we might like, these two documents show that "how-to" information is certainly available and can help you progress through a complex BC planning process.

Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter. Write to him at editor@searchcompliance.com.