November 2, 2012

Last Updated on January 17, 2024

It’s ironic (if not exactly funny) that the official press release announcing the formalization of our new ISO 22301 Business Continuity and ISO 27031 Information Technology Continuity practice areas was delayed by Hurricane Sandy. On the plus side, our IT and Business Continuity plans “outperformed” their maturity. However, there are always lessons to be learned from an event like this.
Pivot Point’s information technology ran flawlessly throughout the storm and its aftermath. All business-critical systems were available, and the mobile technology (Verizon Wireless) that we rely on proved highly reliable throughout the incident.
But the situation easily could’ve been much worse. Among our lessons learned:

  • Our IT Continuity Plan (ITCP) is not sufficient to address a power/connectivity outage as lengthy as the one many businesses in our area are now facing; some will be without power for as long as ten days. Had that been us, we would have felt real pain, because the outage would have extended across month’s end, which is when our billing takes place.
  • Our Business Continuity Plan (BCP) largely worked very well. We are fortunate in that our work force is largely mobile anyway, so as long as our team members can find some power and some Internet connectivity, we are in decent shape. All of our team members have 4G access via cellular and/or MiFi devices, so we had full lines of communication (text, voice, and email) throughout the event.
  • Ahead of the event, sufficient planning, communication, and gathering of business-critical data took place to ensure that we could communicate internally as well as with the clients we were actively working with. However, our BCP does not adequately address the non-availability of key personnel.

I think the last point is an interesting one, and I would venture to guess it is a problem with many BCPs. In our case, a business-critical person has been largely unavailable due to catastrophic damage to her home. The challenge is that our BCP, to a large extent, presumes that business-critical team members will be available.
Clearly we need to reconsider this. In much the same way that you establish Recovery Time Objectives (RTOs) for business-critical assets, we need to establish RTOs for business-critical personnel. If a business-critical person cannot be “recovered” within that objective, there needs to be a plan in place to transfer that role to another individual who was identified in advance.
Unfortunately, this may be a very challenging situation, as a fair degree of knowledge transfer will need to take place before the incident. While that may be possible for a more “predictable” event (like the hurricane), it is really not possible for unpredictable events (e.g., earthquakes, chemical spills, fires). That leaves us in the unfortunate position of likely needing to re-architect key business processes so that this knowledge is readily available 100% of the time rather than held by a single person.
For our business, this may well end up being challenging and/or expensive. As with any ITCP/BCP, it is always a matter of balancing risk, and the cost and complexity will have to be weighed against the probability that this risk is actually realized.
So take a look at your BCP, consider your business-critical personnel, and decide whether establishing a “people” RTO needs to be part of it.
