|
By Lee Milligan
While it's possible to outsource portions of BCP, it probably
isn't practical to consider transferring total responsibility to an outside
company because BCP can only work when a company's internal staff is directly
involved. Understanding what to keep in house and what to outsource is
key to establishing a complete, effective program.
Outsourcing is defined as sending out (work, for example)
to an outside provider or manufacturer in order to cut costs. Outsourcing
BCP, then, would be defined as transferring BCP work outside of the company
to an organization or individual instead of having internal staff do the
work.
Companies may choose to outsource BCP for many reasons.
They may not have the expertise in house to do the job, it may save them
money in certain areas, they may not want to add to staff, and they may
have a mandate imposed by a regulation or other outside driver forcing
them to get a program in place quickly.
Outsourced BCP does not fit into the turnkey model, in which
an outside company builds a complete and operational program. An outside
company can help build a program, but there are too many aspects of BCP
that require the client company's direct involvement. For example, an
outside company can build recovery plans for crisis management, business
departments, and even the technology infrastructure, but in a disaster
event, they can't come in to make the necessary priority decisions about
what, when, and how to recover.
There are, however, some areas that can be effectively outsourced
and later integrated into the overall business continuity program. Below
are some areas that can be considered for outsourcing.
Program Setup and Management
Program planning, selling the initial program to executives and employees,
initial funding, and strategies for developing and implementing the program
can all be enhanced through outsourcing. Planners responsible for overseeing
development and implementation of the program can still make the required
decisions but will have the contracted help available to guide them through
the process. Such experts can serve as the "external" BCP department,
consulting on the hundreds of decisions to be made in setting up and operating
the program. In many ways, this is similar to a relationship with a long-term
consultant, someone who could serve as the BCP Director.
Risk and Business Impact Analysis
There are many vendors in the marketplace that can help companies understand
the threats facing them, and the probabilities of those threats. For instance,
facilities experts can be brought in to analyze offices, plants, equipment,
systems, etc. and point out vulnerabilities that need to be addressed.
Most vendors specializing in BCP can perform a business
impact analysis, interviewing staff and executives to identify and prioritize
the client company's critical processes. They can provide reports showing
which departments are most critical, how quickly they become critical
following an event, and even defining recovery time objectives, dollar,
and customer losses resulting from a BCP event. This is often a good area
to seek outside assistance.
Strategies
As with risk and impact analysis, the development of previously defined
strategies can be a good area to consider outsourcing. In fact, the company
used for risk and impact analysis is probably the company that should
help define and approve BCP strategies.
Plans and Plan Development
There are several different types of BCP plans within a program, such
as emergency response, crisis management, business department recovery,
technology and infrastructure, and others. While external resources are
available to help build these plans, it is difficult to have someone outside
the company actually write the plans without very heavy staff involvement.
The contracted party can come in and interview staff and gather information,
and even do the actual data entry, but identifying tasks and vendors,
setting up teams, etc., are issues better handled by internal staff. If
the internal staff and program manager are not involved in building the
plan, then it's not their plan; they won't know what's in it or the decisions
behind it, and they won't know what to do if something goes wrong during
the plan's execution.
This is especially true with crisis management. Effective
crisis management requires a defined team of specific role players who
understand how the company works and have the authority from executives
to make decisions about how to address a critical situation. While the
vendor resource called in to help with the program can counsel the team
in a disaster situation, it's up to the team to own the problem.
On the other hand, an outside company probably can be more
directly involved in developing technology recovery. While the technical
environment may vary somewhat from company to company, the processes,
teams, and tasks to recover technology are usually more clearly defined.
In some cases, an outside company can provide specific plan structures
that, with some modification, can be made to work for the client company.
They will need to understand the priorities documented in the risk and
business impact findings to help them sequence recovery actions. Some
companies specializing in BCP technology recovery can even contract to
assume processing operations of critical applications and services like
Web sites, e-mail, and other time-sensitive processes immediately upon
recognition of failures within the operating environment.
In summary, while BCP technology recovery, including plan
development, can be outsourced, companies probably can't completely outsource
development of business-specific plans like, crisis management, emergency
response, and other plans unique to them.
Recovery and Program Operation
Hundreds of companies have been outsourcing recovery and program operation
for decades. Most planners involved with BCP have used the services of
a hot site vendor, or have depended on a company to supply PCs and servers
on demand, either for a test or exercise, or as a result of an event.
Most of these third party providers offer excellent technology and DR
consulting and are ready to help clients meet their DR and BCP recovery
needs, whether for recovery of call centers or general business offices,
web and hosting services, or complete recovery of the data center.
Some of the more sophisticated recovery resource companies
are even prepared to absorb all of a client's critical applications and
technology processing automatically, should the primary operation fail.
Working closely with the client's technical staff, they will learn about
the applications, how technology operations are run, and will be prepared
to accept full operational responsibility should a failure occur.
Almost anything is available from a third party at the time
of a disaster. There are companies that can provide furniture, heavy equipment
(like trucks, fork lifts, even manual systems for distribution or light
manufacturing), PCs, servers, internal networking systems, and in some
cases even real estate and logistical support. Often, all that's needed
are prearranged contracts, or a monthly fee for more traditional hot site
or technology equipment.
Program Validation and Verification
External auditors can audit business continuity programs, examining all
aspects, resources, plans, teams, and even depth of training and comprehension
of BCP within the organization. A third party can also be used to develop
test strategies, define test objectives, help to select test participants,
help organize the logistics of the test, manage test activities, conduct
a post mortem, and report back how well the test went. This can be done
in any area of the program, from a crisis management exercise, to a technology
recovery test, to business recovery, to a complete end-to-end test involving
all areas of the BCP program. However, internal staff will be needed to
take part in all tests to ensure they know what to do in an emergency.
Conclusion
While it's possible to outsource portions of BCP, it probably isn't practical
to consider transferring total responsibility to an outside company because
BCP can only work when a company's internal staff is directly involved.
While an outside vendor can help write a crisis management plan, they're
neither prepared nor authorized to make priority or execution decisions
in the middle of a disaster. And while the vendor can help build plans
and strategies to recover critical departments and critical processes
within those departments, they won't be in a position to make the processing
decisions a department head would understand and be authorized to make.
Understanding what to keep in house and what to outsource is key to establishing
a complete, effective program.
About the Author
Lee Milligan is Senior Project Leader for Strohl
Systems Inc. Mr. Milligan has more than 16 years of experience in the
business continuity/disaster recovery profession, and more than 40 years
of business and technology experience. He has developed and implemented
BCP programs covering all business areas including IT, corporate management,
office, crisis management, and continuity of operations for distribution
and sourcing. He served as chairman of a large community-based organization
in his home state of California, has authored several articles, and has
spoken on BCP at a large number of conferences. He can be reached at LMilligan@Strohlsystems.com.
|
