As an IT management practice, it seems business continuity planning and management has a long way to go.
In a recent poll of security professionals by Forrester Research Inc. on top business continuity management (BCM) challenges, about one-third of respondents said their BCM programs lacked adequate funding, and another third said their programs focused too much on disaster recovery (DR), at the expense of business continuity. And 32% replied they had no formalized business continuity program at all.
Forrester analyst Stephanie Balaouras, who covers risk and security for the Cambridge, Mass.-based consultancy, said business continuity has been a top priority for IT for years. Public companies must demonstrate adequate BC/DR plans. And increasingly the companies that do business with them are under pressure to do the same.
But drumming up support for contingency planning is always a hard sell, and even harder in a recession, Balouras said. The traditional returns on investment, like increased revenue and fatter profits, don't readily apply. Companies, especially now, are worrying about staying in business rather than what to do in the event of a hypothetical business disruption.
"Under economic pressure, people want to target this for cost-cutting, but the disaster or the downtime isn't going to wait for the recession to be over. It can strike at any time," Balaouras said.
The vast majority of business continuity management efforts have focused on the component owned by IT -- protecting against major disruptions to data centers and core technology systems. In other words, disaster recovery, Balouras said.
The mind-set is familiar to Marty Luffy, CIO at Installed Building Products LLC (IBD), a family-owned construction company based in Columbus, Ohio.
Luffy's eight-person IT team has no DR/BC projects on the docket for 2009, as the company looks to pare budgets by 25%. His team will likely need to scale back the assiduous DR testing it used to do on a quarterly basis; that included replicating all of IBD's critical production systems, connecting them to the network and testing for data access from both internal and remote locations. But he stressed that the company, with 120 locations and about 2,500 employees, is "fortunately in good shape" on DR, thanks to the work IT did in previous years.
Business continuity is another matter, Luffy said.
"Because BC encompasses the entire organization, it is certainly more difficult to get proactive response to business continuity issues from other parts of the organization than it is from the IT departments," Luffy wrote in an email.
Business continuity's low profile is compounded by the fact that in many organizations, IT owns it. "They do not carry the overall clout to force BC-related issues to the top of the agenda in departments outside of IT," Luffy said.
Bruce Barnes, president of Bold Vision LLC, a Dublin, Ohio-based peer-to-peer counseling firm for CIOs, agreed that business continuity planning is still a very broad term to many. As such, he wrote in an email, it "becomes something of a catchall for the many parts of the puzzle." The result is that companies may think they have a business continuity strategy when, in fact, what they have is just disaster recovery.
Business continuity is hard, requiring a deep understanding of the business itself, both in processes and relationships, Barnes said. "That kind of knowledge in many businesses, especially ones in which those areas are continuing to actively evolve and adapt, simply does not effectively exist," he said.
Finally, effective business continuity planning entails dedicated and extensive time away from the day-to-day chores of running the business by perhaps some of the most business-critical folks in the organization.
"In these intensive times, both economically and competitively, that's a tall order for many companies," Barnes said.
Let us know what you think about the story; email: Linda Tucci, Senior News Writer