SERVAAS VERBIEST (SV): Welcome to IT Availability Now, the show that tells stories of business resilience from the people who keep the digital world available.
I'm your host, Servaas Verbiest, and today I'm joined by Darion Wisely, Consulting Solutions Principal at Sungard AS, and we're going to be discussing business continuity and the common gaps found in many BCP plans.
Thanks for joining us today, Darion.
DARION WISELY (DW): Thank you for having me on, Servaas.
(SV): Very, very excited to talk about this topic. BCP is a high priority for most organizations, due in most part to recent events like COVID-19 and the global supply chain crisis, the issues that are taking place in Europe with the war between Russia and Ukraine and the burden of the potential onset and threat of increased cyber attacks, mainly ransomware.
But while all businesses can agree that business continuity is important, not many essentially take the time to update their plans and adapt their strategy accordingly. This can lead to gaps in these plans because over time, the threat landscape changes radically.
So now more than ever, organizations are taking a closer look at their ability to maintain operations during disruptions. With that said, how have business continuity plans traditionally been managed?
(DW): There are a number of ways companies have approached managing a program that deals with business continuity, which is the process of ensuring that a company or an organization's critical processes can continue during some type of disruption. And as we all know, over the last few years the types of threats have grown into areas we really haven't seen before.
So traditionally, companies will take a person and say, “Okay, you go out and figure out how to do business continuity.” That person sometimes is in a leadership role, sometimes they're just someone that is good at getting things done and they get tapped to go out and figure out how to do it. And it turns out to be more of a ‘check the box’ type of exercise, versus some companies that actually take a very program approach and say, “Hey, we need to really embed this in how we do business.”
That approach includes more traditional program management and oversight, and those programs tend to have more success and longevity versus the very common ‘check the box’ where companies will implement and do some work to get something done or get plans in place or capabilities in place but then they're done, and they move on to the next challenge in business versus keeping some focus to ensure that the continuity capabilities that they implemented are sustained.
(SV): And let's be honest, check the box effort gets check the box results, right?
(DW): That's right.
(SV): So, what's changed about the way you approach business continuity planning, and can you give us some insight into why you've made that change?
(DW): Sure. We have over the past few years had to think about the new threats we’re dealing with. First, everybody's aware of COVID, the pandemic we went through. We'd never seen a case where governments all over the world decided to shut down the economy, shut down people actually going to their workplace.
It was interesting. Companies that actually have done some business continuity work, or were working with us over a number of years, found that responding to this new event was “Hey, people couldn't come to work anymore. So we had to figure out a way so they can work from home.” We all know the technology's there with virtual desktops and virtual communication now available. A lot of companies have that capability but didn't roll it out to everyone. They rolled it out to some, but a lot of people were just still using regular desktop settings at work, so they had to quickly change their approach to where people can work.
What is fascinating - because companies were very successful in doing this - is that the ones that I worked with and talked to following the event found that they felt much more prepared because of the work we'd done, because of the testing and the exercising and the planning that went into it. “What are we going to do if we have an event?” Just having that discussion, they practiced how to respond to an event like this and felt much more prepared to do so and were able to implement these capabilities quickly.
It’s funny. I think back on companies we were telling, “Look guys, you really need to start thinking about putting laptops on everybody's desk and getting away from desktops because of the mobility capability.” Your work from home strategy doesn't work if you don't do that because they didn't have VDI. So a lot of them understood that requirement, but actually implementing it was a challenge. But that's all changed now and the strategy of work area for the planning work we now do has become much easier because everybody really now has that capability to work virtually.
So that's one of the things. The other thing we've learned recently is this whole ransomware threat we're dealing with. We need to now consider not just a technology failure, which is one of the areas we focus on when talking about business recovery or business response strategies. What happens if you don't have access to your technology? What are you going to do? Well, now we need to look at it and split technology and data because of ransomware. Now we have to ask the question and start thinking about what we are going to do if we don't have access to our data. Can we implement manual workarounds for a short period?
Because there are big differences in how we recover from a ransomware event today versus how we recover from a technology event. So critical business processes need to plan for that today. Those are two examples of some of the recent changes and threats we're dealing with as the world continues to change.
(SV): It's an ever-evolving marketplace where we're gonna have to take a step back, whether it's delivering on one of these engagements or a business trying to go at it on their own, and really look for these gaps with the understanding that things like remote work, and testing and trying to plan for a loss of data are just table stakes.
With all that in mind, what are the gaps you're consistently seeing as you go through these engagements and interact with these organizations?
(DW): I think the biggest gap that I see - and I see it over and over again when I'm having a discussion with a potential new client - they commonly ask me this: “How do companies achieve success in standing up a business continuity program?” Most companies, not all but most, have been pretty successful in doing it with their technology. It's kind of inbred in how they operate, right? Because they're dealing with failures all the time, and having to react to those failures, some small, some large, so they’re really good at doing that, but not on the BC side.
And so coming in and, like we said earlier, building the plans and checking the box and moving on to other issues does not work. One of the keys to ensuring that you can sustain a program like that is leadership visibility into the program. So we have established goals and objectives for the program: what are we going to protect, and how are we going to do that? Understanding that and leadership having visibility into that capability.
You'd be surprised how often we run into instances where the leadership feels that they're in a good place with either BC or DR. But when you start really looking under the hood, you find that the capabilities they thought were there, really aren't because things have changed. And if you don't keep up with that change, your program and your capabilities to respond in a timely manner are greatly diminished. And we see that time and time again with respect to managing a program. That's a big gap, leadership not having visibility into the program, and it causes all kinds of downstream challenges.
(SV): Almost like ripples in a pond, right?
(DW): Exactly. Exactly. The program fails to get funded, or some companies will assign one person and it’s all on their shoulders to do everything. Typically what happens is they do what they're asked to do and then they move on to something else and it’s not maintained. The best approach, I think, is a committee of leaders across the organization that have the responsibility to ensure that the program is maintained, gaps are remediated and testing and training are occurring on a regular basis. That is where we have the most success in an ongoing successful capability.
(SV): Okay, so basically that's the metaphoric duct tape to plug any holes, just to make sure you have governance and you regularly review it. But is there any way - and I know this might be a tall ask - to avoid creating these gaps altogether, or is that just something that's more of the dream instead of the reality of execution?
(DW): Yeah, there's some truth in that for sure because these gaps are going to show up even in a more mature program. It happens. We get called in to do gap analysis, or what we call program assessments. I only usually do that with a company that does have an active program, but maybe they're not getting the results they were hoping for and are not sure why. So we'll come in and take a look at what they're doing and how they're doing it and be able to kind of show them what the challenges are and how they can fix a program.
Doing an assessment like that can be very helpful for a program that's active, but I wouldn't do that for a company that really doesn't have a true program in place and they're looking to try to get it started but have done starts and stops in the past and don't really understand why they haven't had the success they expect. That usually comes down to how they've set it up, whether they set it up for success or failure.
It's interesting. We'll see these programs be owned by an executive in IT, in HR, in legal and in risk and compliance. All over. Very, very commonly in IT because IT is so good at establishing resiliency within their environment, that there's an assumption that they can do it with business as well. But that can become very challenging for an IT group needing the time of the business to actually do this work. So it's better, frankly, if the ownership of the business continuity program is run and the oversight comes from the business.
And I would also say that business and disaster recovery or technology recovery shouldn't be separate. It's a common goal to provide continuity. Technology is just one of the legs that has to be addressed. So bring them together. I see it's a common mistake because the skill sets necessary to run both are very different, so they become two silos and they report up to different leadership within the organization, and they really never come together. I like to build an organization that avoids that so they're all working towards the same goal with respect to availability of business processes.
(SV): That makes sense because they have the same outcome. So it really isn't efficient or effective to have divergent execution, even if there are different components that are required to actually do the work.
I appreciate the way that you've run through each component of this because this is really a big pill to swallow for a lot of organizations. You've got to have the right expertise and balance cost, risk and culture to really hold multiple components of the organization accountable so that you're not planning for failure, but you're planning for success in an event where failure can take place.
(DW): Absolutely correct.
(SV): Darion, I really appreciate you joining us today. Thank you for your time.
(DW): Thank you for the opportunity, Servaas. I really appreciate it.
(SV): It's always good to talk about executing successfully in a time where failure can occur versus planning for failure.
That was Darion Wisely, Consulting Solutions Principal at Sungard Availability Services.
You can find the show notes for this episode at SungardAS.com/ITAvailabilityNow.
Please subscribe to the show on your podcast platform of choice to get new episodes as soon as they’re available.
IT Availability Now is a production of Sungard Availability Services.
I’m your host, Servaas Verbiest, and until next time, stay available.