RSA Archer Suite Blog

August 2012
So you're in the mood for soup again? Then let's get cookin'!

If you remember from my last blog on the subject, our goal is to turn the vast number of Business Continuity Management (BCM) related regulations, methodologies and best practices you have to consider (a.k.a. your regulatory alphabet soup) into a scrumptious recipe you can enjoy (OK, at least a list you can digest and actually do something with...).

Remember, the first step is to make a good list of those sources that may apply to your business (refer to my earlier blog about how to do that). This is an important starting point since you don't want to leave anything critical out. What you do next is outlined in the recipe below...


Eliminate What Doesn’t Apply To You

The goal of this step is to learn enough about each source to begin eliminating the ones that don’t apply to you. Once you are comfortable with your full list of regulations, methodologies, maturity models and laws, you can start reducing it. Here are some ways to do that.

Laws and Regulations – If a law or regulation applies to your business – follow it! If you have questions or need advice, talk to your legal department.


Your Industry – Many of these sources apply to specific industries, such as the Federal Financial Institutions Examination Council (FFIEC) for the financial services industry. Eliminate those that don’t apply to your industry. Although some of these may have great ideas, chances are they are replicated in another source.


Where You Do Business – This might be obvious, but include those authoritative sources that apply to the part of the world where your company does business. If the Australian Commonwealth Criminal Code (1994) doesn’t apply to where you do business, that’s a good one to take off your list!


Good Practices – This speaks mostly to the methodologies and best practices out there, such as Carnegie Mellon’s CERT Resilience Management Model (CERT-RMM). These models strive to represent best practices or give you a roadmap for maturing your program. Implement what works for your company – it could be the best practice out there, or maybe it’s just the practice that’s best for you.

Business Continuity/Disaster Recovery (BC/DR) Program Maturity Level – Something to consider, especially when you’re deciding which best practices or methodologies to adopt, is the maturity of your BC/DR program. Don’t try to eat the elephant all at once. Instead, adopt the methodologies that match the current maturity level of your program; they will give you practical advice and concrete steps to keep developing the program at a pace your company can actually sustain.

Once you’ve settled on the list of sources your company needs to comply with, you have a few more questions to answer: What is the priority order of the sources that apply to my company? How do I coordinate compliance across the sources without duplicating effort or missing something? How will I prove compliance if my program is audited?

Now Get Organized

Prioritize First – Of the sources you’ve selected, you’ll now want to prioritize what’s most important to comply with. Come up with a prioritization approach that makes sense for your company. Laws and regulations are typically pretty important, so consider these first. Then you may want to look at industry guidance, then regional guidance, and finally methodologies or best practices that make sense for your business.


Coordinate the Sources – This can be a real challenge and requires an organized effort to match up the sources you’re going to comply with to identify where they overlap or differ. Put a comprehensive list together to help you match up those duplicate requirements and consolidate them. Once you have a good list of requirements spanning all your authoritative sources, take it a step further and prioritize the requirements so you can start with what’s most important.


Use Your Resources – If you’re thinking about this, chances are that others in your company are too. Coordinate your plans with other departments that may have a similar interest in the program – specifically the legal, compliance and audit departments. Let them know your intentions and approach, and leverage what they’ve done or are doing. If your company uses automated methods, such as a tool suite for managing governance, risk or compliance, leverage that too.

Measure and Evaluate – Remember, everything we do in the business world – even compliance – is a cost-benefit decision. More and more, BC/DR is becoming not only an executive strategic imperative but also a discipline that must show proven results, both quantitative and qualitative. So it’s important to set goals, measure your progress, self-evaluate and report your results. Be proactive and vocal too! We practitioners know BC/DR is an invaluable discipline, but to an executive or business partner with many priorities, it’s often just another item on the list. You have to demonstrate how critical BC/DR is and that you’re reducing risk to the company. An automated tool suite can be a great way to track your plan, measure your results and evaluate it all.

A word about audits – Now, I don’t speak for all auditors out there, but having been one for 15 years, here’s my perspective. There are always those audits (or auditors) that will evaluate each and every requirement of the audit subject to the ‘T’. If this type of authoritative source, or others like it, is a requirement for your program, make sure you build it into your compliance approach. Additionally, I performed audits across many companies, industries, organizations and topics, and I always appreciated the group that had a logical, well-organized, justifiable, documented plan and program. Be organized, show and prove what you’ve done, and this will go a long way. It may not be perfect or prevent any and all findings, but some feedback is always good.

Keep Your Eyes Open – In today’s global business world, one thing is for certain and that’s change. Be aware of changes in the authoritative sources you follow, as well as new sources that emerge and their implications on your business and program. Also be aware of changes to your business, such as acquisitions (that may require additional authoritative sources), divestitures (that may reduce sources you have to comply with), or other business changes that may have downstream effects on your program.


In Conclusion

So, back to that bowl of soup – is it looking more palatable now? There's still a lot of work to do, but hopefully this approach will give you some food for thought to help you organize your soup into something that makes sense. Another great source is your BC/DR colleagues in your industry or location. Ask them how they've done it – our industry is filled with people who are a wealth of knowledge and experience. I’m also interested in your feedback, and if I can ever help in any way, send me a note.

Good luck and bon appétit!

BCM Alphabet Soup

Posted by PatrickP Employee Aug 13, 2012

Did you ever eat alphabet soup as a kid? Maybe you still do…anyway, I remember that I would try and try to spell words and make sentences, only to have the letters swirl around and get jumbled all over again. It was great eating, but frustrating if you were trying to organize your bowl of soup.

So, why am I talking about alphabet soup and how does this apply to Business Continuity Management (BCM) or Information Technology Disaster Recovery (DR)? In case you haven’t noticed, we BC/DR folks live in a world of regulatory alphabet soup. Did you know there are well over 100 regulations, methodologies, maturity models, guidelines and laws – what I’ll call “authoritative sources” – that have something to say about BC or DR? They are regional, country-specific, by industry, by topic, practical advice, best practices and more. I don’t know about you, but it makes my head hurt thinking about it, let alone trying to comply with them!

I’m not making light of these sources in any way because they serve their own purposes and some excellent thought and preparation has gone into them, but this is my current bowl of alphabet soup – ISO 22301…BS 25999…HB 292…NFPA 1600…ITIL…NIST…Z1600, well, you get it. So, my quandary as a business is how do I determine which of these sources to comply with? Which of them actually apply to my business? How can there be so many varied sources, and are they really that different? Do they all say the same things, and how do I coordinate them all?

Our friends at Disaster Recovery Journal have done a great job of compiling and coordinating these sources for our reference (for example, see http://www.drj.com/tools/tools/dr-rules-and-regulations.html), but that still raises the question – which sources do I comply with and why? Once I’ve figured that out, what if there are conflicts between the sources, and how do I prioritize them? Further to that point, how do I institute these requirements into my existing program? And if I do, will these authoritative sources provide me with good guidance or are they just a checklist of requirements? Even scarier: what if I’m audited? How do I prove my program is compliant? Finally, how do I explain and justify all this to executives and business partners? (That is an entirely different blog…)

These and other good questions are being asked in BC/DR programs at all levels of maturity. It can be daunting to wade through the morass and put together a coordinated program that you can actually manage, so my next blog will give some practical guidance on how to do just that.

Stay tuned!
