Many organizations today outsource various aspects of resilience, such as developing business continuity and disaster recovery plans, performing business impact analyses and conducting test exercises. Organizations that invest proactively in resilience typically perform most or all resilience functions, like BC/DR, internally. For others, outsourcing is the name of the game for tasks such as BC/DR planning, business impact analyses and conducting test exercises.
Organizations that have not made a significant commitment to -- or investment in -- business continuity and disaster recovery are more likely to outsource certain functions to feel marginally prepared. They may, for example, need to satisfy requirements from current or potential customers that need confirmation of existing resilience activities.
Outsourcing business resilience services is not a new concept, but in the last 10 years it has improved. BC/DR offerings today are more sophisticated than in years past and typically cloud-based, making them available to most firms. Products and services are easily adaptable to today's business needs. Below, we reexamine the nuances of outsourcing resilience.
Outsourcing has been proven to save money and increase productivity by transferring functions such as IT operations to experienced third parties. Outsourcing firms can be located virtually anywhere and increasingly use cloud-based platforms to build and deliver business resilience services, such as providing reliable business continuity and disaster recovery planning. Concerns still exist regarding where outsourced work is done, particularly if it's in a different country. However, many of these concerns can be mitigated through effective management control over outsourced resources.
This article is part of
Outsourcing begins by defining what needs to be done, identifying resources available to perform the work, obtaining funding and securing senior management support. Many firms are available to provide BC/DR services ranging from program development and exercising to data backup/storage and emergency recovery sites. Some are brick-and-mortar, while others are cloud-based managed service firms. Resilience consulting firms can provide assessments, as well as plan development, exercising and maintenance on a one-time or ongoing basis.
For larger business requirements, such as data backup/application storage and recovery, backup data centers and alternate workspaces, major firms such as IBM, Amazon, Microsoft and Regus offer many different options, typically with cloud components.
Do your due diligence
Before searching for prospective resilience outsourcing firms, analyze your needs by asking the following questions:
- What are your resilience requirements?
- What needs to be outsourced?
- What type of an outsourcing arrangement is needed?
- What products/services are needed?
- What funds are available?
- What is senior management's position on outsourcing?
- What risks are associated with outsourcing?
- What vendors are qualified and available?
- What steps need to be taken?
Based on questions 1 and 2, the following minimum business resilience services should be available from vendors, ranging from managed service providers to consulting firms:
- Assessments of existing operations
- Assessments of existing plans
- Risk assessments
- Business impact analyses
- Strategy development
- BC/DR plan development
- Policy development
- Plan exercising
- Threat awareness and training
- Plan maintenance
- Program management
- Data backup and recovery
- Alternate office space
- Network/infrastructure resilience
- Software/application selection
If you're not totally sure of your requirements, consider releasing a request for information to gain more knowledge of prospective suppliers and their offerings. If you know your outsourcing requirements, issue requests for proposals (RFPs) to obtain formal price quotes and have it reviewed by your legal department.
In any RFP, be sure to address the following:
- Availability of required technologies and management services
- One-time and recurring costs
- Ability to support project goals, deliverables, performance and fulfillment requirements, and liquidity damages
- Vendor profile, strategy and mission
- Evidence of vendor stability and reputation
- Vendor financial status, such as reviews of audited financial statements
- Staff capabilities, such as project management, technical experience and credentials of employees
- Evidence of methodologies that address quality, regulatory compliance and security
- Examples of successful projects; customer references
- Infrastructure stability and disaster recovery abilities
- Security and audit controls
- Legal and regulatory compliance, including complaints or litigation
- Policy regarding use of subcontractors
- Insurance coverage, such as liabilities, errors and omissions
- Vendor corporate policies and initiatives for resilience and security
As we proceed through the next decade, resilience programs still focus on protecting staff, company assets and shareholder interests. Business resilience services from third parties today are sophisticated, flexible and adaptable. Resilience professionals must ensure that the business stays in business, by maintaining business continuity during interruptions and facilitating a swift recovery. As the level of acceptable downtime gets closer to zero, outsourcing resilience functions like business continuity and disaster recovery is a popular way to ensure business survival while keeping pace with changing business dynamics.