The Case for Business Continuity Management
Krell, Eric, Business Finance
Globalization, regulatory mandates, and recent natural and man-made disasters have pushed BCM into the C-suite and the boardroom.
The debate over whether business continuity management (BCM) is an IT issue or a finance issue is moot: It's both, and then some. True, the discipline grew out of IT's disaster recovery practices, but today BCM is clearly an overarching business concern - and an increasingly critical one. Prompted by a rising tide of terrorist attacks, natural disasters, and less newsworthy but equally expensive power outages, regulatory bodies and corporate boards are pressing executive teams to expand and strengthen their organization's resiliency. As a result, more and more finance functions are assuming ownership of enterprise BCM strategies. Regardless of whether finance owns those capabilities, though, CFOs should carefully measure the cost of continuity and determine the level of risk their company is willing to assume. To do so, they must understand the discipline's drivers, investigate emerging BCM frameworks and review their organization's options for fortifying its BCM activities.
Bill Teuber brings a unique perspective to BCM. He's CFO and executive vice president of EMC Corp., a Hopkinton, Mass.-based provider of products and services for information storage and management. Teuber and his staff play a key role in managing the company's continuity practices. And Teuber also keeps tabs on customers' BCM capabilities, which EMC's products support.
"With business continuity, there is a gap between expectations and reality," says Teuber. "I've seen that here, in other companies and in surveys." A widely circulated 2003 survey conducted by EMC with RoperASW crystallized that disparity. Fifty-two percent of surveyed IT executives in U.S. companies reported that their organization's critical data would be "very vulnerable" in the event of a business interruption. However, only 14 percent of surveyed business executives - who worked in the same companies as the IT people - shared that view.
The survey also examined respondents' estimates of the time their organization would need to resume normal business operations after an interruption, a measure referred to in BCM parlance as the recovery time objective (RTO) or recovery point objective (RPO). The business executives' estimate was three days shorter than that of the IT executives.
Fortunately, the expectation gap has narrowed somewhat, according to a comparable 2004 survey by EMC, and it continues to close, BCM experts report.
Teuber has been methodically driving convergence between BCM perceptions and reality for several years now at EMC. "We went around the organization identifying what the business thinks they have in terms of a business continuity management requirement and then compared that to what they actually had," he says. "There was a disparity."
He adds that it's "incumbent on the business in the collective sense, on the operation side and the service side," to ensure that there is agreement on the appropriate level of BCM support for key processes and IT systems and on whether that support exists and is kept current. That requires prioritization at the highest levels of the company. Corporate leaders must ask: What are our most important processes? What human and technical resources support them? How long can we afford for those processes to be offline?
A Regulatory Flood
At many organizations, those questions have yet to be raised in the right quarters. "BCM has moved out of the corner of the computer room, but it hasn't cascaded throughout the entire organization yet," notes Peter Maloney, CFO of Snocap, a San Francisco-based provider of digital licensing and copyright management services for the digital music marketplace. But he notes that "awareness is rising all the way up to the audit committee in the boardroom."
The forces nudging BCM concerns upward include globalization, the increasing frequency and impact of natural and man-made disasters, and the growing complexity of the compliance environment. …