Modeling the Business
Modeling the business is the first big step toward falling in line with risk management aspects of best- practices frameworks, such as COSO (Committee of Sponsoring Organizations of the Treadway Commission), COBIT (Control Objectives for Information and related Technology), ITIL (Information Technology Infrastructure Library), and ISO/IEC (International Organization for Standardization and the International Electrotechnical Commission) 17799:2005, all of which can help with the nuts and bolts of business continuity planning.
“COBIT is a framework for IT control that can be used to mitigate risks once you’ve modeled the process,” Walch says. “COSO is in many respects the counterpart to that on the business side, leaning to business control and governance as opposed to IT controls.
ITIL looks at business continuity, change management, and problem and incident management from a service perspective. All of these frameworks are very complementary to the business modeling process.” ISO/IEC guidelines contain a wealth of best practices specific to information security management.
Increasingly then, an effective strategy for business continuity planning lies first with carefully modeling the business itself. This means gaining an in-depth understanding of business goals, priorities, functions, underlying processes, and the people and expertise involved with those processes. “It’s too easy to get down to the guts of networks, systems, servers, and patches without understanding that the real mission here is to wholesale leather shoes,” says Trent Henry, senior analyst at the Burton Group. “IT has to understand fundamentally the business they’re in the middle of. Then they need to understand the dependencies of the business processes on the infrastructure that they’re running.” This business-impact analysis is generally followed by a technology profile and is a staple of many enterprise business continuity teams. “That begins to pull in risks to the business,” Henry says, “and what aspects need to be prioritized, including people.”
Getting started in modeling a business generally involves extensive interviews, typically in a workshop setting, with senior executives and representatives of the business units. Where you start depends on whether you have gone through part of this process before. “Most companies we see doing this today are in the mature or world-class category,” says Damian Walch, national practice executive of business resilience consulting at IBM Global Services. He adds that the financial services and energy sectors tend to be the ones that come to them for this purpose. “They’ve gone through at least one business-impact analysis before and know which processes are critical.” What they sometimes don’t have a handle on, according to Walch, is the dependences among various business functions and between the business functions and IT.