Ever since the emergence of global business continuity standards over the past seven years, BC professionals in...
the U.S. have been introduced to the concept of a business continuity management system, or BCMS.
This is a structured framework for building and administering a business continuity program within an organization. The BCMS structure is founded on the Plan-Do-Check-Act model that is common in today's international standards, especially those issued by the International Organization for Standardization, or ISO.
From both business continuity and disaster recovery perspectives, the BCMS model can be found in ISO 22301:2012 and ISO 27031:2010, respectively. In this tip, we'll focus on business continuity.
Can you have a business continuity program that does not align with the BCMS model? Yes, and most such programs in the U.S. probably do not align -- at the moment -- with the BCMS framework or Plan-Do-Check-Act model.
Does that mean these programs are wrong or insufficient? No, so long as existing BC programs are in sync with established practices, such as those defined by the Business Continuity Institute (BCI) and DRI International (DRII).
Having said all that, let's now examine a popular approach to building BC plans: specialized BC software. Software is typically used to save time and provide a consistent approach to all aspects of the BC planning process. Most products simplify the process of creating a business continuity plan. Some modular products also facilitate business impact analyses (BIAs), risk assessments (RAs), and even emergency notification. Later in this article, we'll discuss BC software products from vendors including SunGard, eBRP Solutions and COOP Systems.
These systems do not, however, generally assist in creating the administrative framework that supports a business continuity program or department. This framework includes such activities as project management, program funding, securing office space, staffing, performance evaluations, auditing and plan assessments, resource management, training and awareness, conducting risk assessments and business impact analyses, executive briefings, scheduling and conducting BC exercises, and records management. These programs generally perform the activities that BC professionals need to do, such as prepare plans, conduct BIAs and conduct risk assessments.
This administrative framework is also called a business continuity management system.
The good news is that some BC software firms are updating their systems to be aligned with the new global BC standard ISO 22301, specifically the Plan-Do-Check-Act component in the standard.
Does that mean that their systems are better than the others that have not yet aligned with the global standards? No, because so long as the overall plan development process is consistent with established BC practices, software claiming to be "standards friendly" is really no different or better than non-standards-based products.
For a growing number of organizations, such as banks and other financial institutions, pharmaceutical firms, utilities companies, there's a need to be aligned with standards.
Global standards now exist, so there will be a gradual migration to products and services that align with standards. Will everyone use them? Of course not, but they represent a suitable baseline or benchmark for audit purposes and also for competitive purposes.
Let's briefly examine some popular BC software systems from a BCMS perspective. First, we must state that none of these products is currently designed to build a BCMS, as defined in the standards. What they can do is organize and help facilitate a number of the activities that comprise a BCMS, several of which we listed earlier. So in that sense we could say that these systems, and many others like them, contribute to the development of a BCMS.
SunGard Availability Services Living Disaster Recovery Planning System (LDRPS) is part of the SunGard Continuity Management Solution (CMS) product suite and addresses all aspects of the BC plan development process. Its companion products, such as BIA Professional, various assessment modules, emergency notification via NotiFind, incident response via Incident Manager and Test Management address other key BC program or office activities. Pricing ranges from under $2000 to well over $100,000.
Another product -- eBRP Solutions' eBRP Suite, EZplanner -- automates a number of BC activities into one suite of components. The company claims that eBRP Suite is "the only software that incorporates the entire BC planning life cycle". The EZplanner product also provides BC plan development resources. Pricing ranges from under $1,000 to over $20,000.
Strategic BCP ResilienceONE is another modular, multiple-component system that integrates a broad range of BC activities into a single platform, and ranges in price from under $1,000 to over $15,000.
COOP Systems myCOOP is capable of supporting "the full life cycle" of the global BC standard ISO 22301:2012. Pricing ranges from under $1,000 to over $10,000.
INONI Lite is updated to address the ISO 22301 standard. The company states that INONI Lite has "a management system that aids and encourages alignment with ISO 22301." Pricing ranges from under $1,000 to over $15,000.
Could these last two systems be suitable for creating a BCMS? The answer is yes, they are closer than other products because their structures have been tweaked to align specifically with the international standard. The other products can be tweaked to confirm to the BCMS standards, if needed. The addition of administrative oversight and other management structures, coupled with the software, should help users get as close as possible to automating a BCMS.
The good news is that most BC software products can support the creation of a BCMS, but none is designed specifically to create a BCMS, with perhaps the exception of COOP Systems and INONI software. No software has yet emerged that specifically claims to be designed to create a BCMS.
About the author: Paul Kirvan, CISA, FBCI, works as an independent business continuity consultant/auditor and is secretary of the Business Continuity Institute USA chapter and member of the BCI Global Membership Council. He can be reached at firstname.lastname@example.org.