Continuity Central recently asked RSA Archer about business continuity software usage. Here are the results of the interview:
Continuity Central: What trends are you seeing in the way business continuity managers are using specialist business continuity software?
RSA Archer: At RSA Archer, we see more focus being placed on substantive business impact analyses, understanding the organization better, workflow and more balanced and comprehensive reporting. There is movement away from a one size fits all approach and shifts toward making business continuity planning and provisions commensurate with the risk and impact of losses as well as impacts over time, making BC planning a risk and cost/benefit decision. Also, BC managers are using BC software that enables them to establish relationships and dependencies between business processes, people, locations, information and technologies.
Continuity Central: Our recent Business Continuity Software survey shows that just over half of BC managers (53% of 470 respondents) currently use specialist BC software. Is that figure lower or higher than you would expect? Why do you think that more people don't use specialist BC software?
RSA Archer: This is about what I would expect for several reasons. More organizations don't use BC software because of budgetary issues and they can't convince senior executives of the benefits because they haven't properly assessed the risks. Some organizations are in industries where BC planning isn't prevalent, or they may only have one resource performing planning as a 'check the box' activity for regulators.
Continuity Central: The above survey asked respondents to rate the BC software they use on a scale of 1 to 10 for various aspects. The area with least satisfaction was 'Ease of Use'. Is this a surprise to you? Why?
RSA Archer: BC software takes learning and getting used to a new tool, as well as maybe new ways of doing BIAs, documenting plans, etc. Users are accustomed to and perceive spreadsheets and Word documents as being easier to use because of familiarity and the inherent flexibility to change templates and enter information 'on the fly'. This same flexibility is a detriment at a program/administration level because of the lack of consistency, control, workflow and reporting.
Continuity Central: What would you say are the main advantages of using specialist BC software over standard software such as Microsoft Excel and Word?
RSA Archer: Best practices and standards (ISO 22301/22313) are built in, as well as consistency, control, workflow and reporting. Some tools, like Archer, are integrated with other related disciplines like compliance, incident management or vendor management.
Continuity Central: Do you think that demand for ISO 22301 certification will result in increased use of specialist BC software?
RSA Archer: Yes. Based on the rigor recommended by the standard, the need for specialist BC software that aligns with the standards (22313 as well) will increase. Also, workflow, analysis and automation that these tools provide will continue to drive usage up.
Continuity Central: In general do you think that the way people use specialist BC software is changing?
RSA Archer: Yes, I believe the way people use the software is changing. For example, risk management is an area most BC teams only perform in a very cursory manner or just based on location specific risks. The question of 'what can go wrong' is driving an increased focus on better risk management capabilities not found in most BC software. Users also want software that integrates with related areas to BC, such as managing continuity of third parties, incident management, security and compliance. Standalone systems just aren't adequate enough for growing, complex and global organizations that need to manage these interrelated disciplines.
The RSA Archer responses were provided by Patrick N. Potter, CBCP, CISA | GRC Strategist, Business Continuity and Audit. For more details: http://www.emc.com/security/rsa-archer/rsa-archer-business-continuity-management.htm