The critical role of business continuity
Companies cannot afford to let their standard business operations fail for significant periods of time, and moreover, as the level of technological development increases and the competitive environment intensifies, the length of disruptions in business continuity that can be sustained without suffering significant business loss is becoming shorter and shorter.
Maintaining business continuity does not simply happen by itself: the only companies that can reduce the potentially high risks emanating from such disruptions are those that have an adequate, general business continuity strategy, and have developed the appropriate procedures based on it. The business continuity strategy should ideally address all areas where failure could cause significant damage and operational problems for the company, and might endanger fulfilment of the company’s strategic objectives.
Why is business continuity being threatened by a growing number of dangers that are increasingly difficult to understand?
- Sophisticated supplier and partner relationships
- Increasingly complex technologies
- Growing IT and communications support requirement for normal business processes
- A fiercer competitive environment due to the economic crisis
- The increase in the number of natural disasters with a major, often global impact (see, for example: the effect of the Japanese earthquake and nuclear catastrophe on the global auto industry and the vast number of suppliers that it supports).
What are these areas?
Since nearly all important processes at the business departments of large corporations are now built on IT hardware and services, IT Business Continuity Planning (ITBCP) is increasingly taking on a leading role within general business continuity planning, and it is frequently the analyses and plans made in this area that provide the basis for extending business continuity planning to the business departments.
More and more companies engaged in production, however, recognise that the desired level of business continuity cannot be established without ensuring the continuity of value-creation processes and the supply chain, which includes both the processes that are supported by IT, and the fundamental processes that are not IT-based.
The risks of not having a systematic approach
- Do you know, in each instance, what risks are being run by a large company that does not devote adequate attention (and resources, time and money) to business continuity?
- Do you have any idea what factors and threats endanger business processes?
- Do you know what losses could be sustained by a business department if one of these threats causes a significant failure in the IT or production systems that you use?
The greatest risk arises from the fact that without proper systematic analysis, companies are generally unable to satisfactorily answer the above questions.
One possible consequence of this is that due to a delay in taking the necessary measures, the organisation is caught unprepared by a major malfunction, system outage or even an intentional attack or natural disaster. At the same time, even if the company takes the previous measures and reduces the risk in certain areas with various solutions and procedures, without the proper approach – based on a business impact study and risk analysis – it cannot be certain that it has mitigated the greatest risks, or that the cost of the applied solution is proportionate to the risk that the solution has actually reduced.
Extending the BCM methodology to production processes
The methodology of production continuity planning is essentially the same as that employed in the general BCM project; in other words it has as its core the analyses developed from the systematic steps mentioned above, and the risk analysis measures that are built on these. Due to the special characteristics of production systems, however, KÜRT’s specialists have had to carry out major methodological developments in the following areas:
New threat factors
Because of the special environments, systems and resources, a new group of threats has to be confronted in comparison to the environments of office or business processes (e.g. an industrial environment, chemicals, constant exposure to liquids, high voltage electrical systems, mechanical impacts, etc.).
Significantly greater resource set
Extending business impact analyses to the entire production process, as opposed to just the business environment, requires the review and handling of a significantly greater number and variety of resources (industrial PCs, production control PLCs, pumps, motors, conveyors, sensors, connectors, etc.).
Extended to the production processes, the methodology must also contend with numerous new processes. These need not be only information processes, but could also be physical processes, the input/output of which may be not only data, but also a tangible, physical product or even a service.
It is plain to see that business continuity planning, when extended to the value creation processes and the supply chain, has to deal with a significantly more complex environment and take into account a great many more interrelated variables, which makes it even more important to apply a systematic approach.
In the interest of mapping the complicated interactions, developing the risk matrix and drawing up the action plans covering the required scenarios, it is advisable to make use of software support for conducting the analyses and developing and maintaining the action plans.
The SeCube Information Security Management System developed by KÜRT, with its advanced algorithms and use of graph theory, is capable of implementing, at a high level, effective support for precisely these types of high-complexity projects. (secube.kurt.hu)
In what areas does the KÜRT PCP methodology assist management’s work?
- Optimal and secure operation
By mapping the resources, processes, threats, and the interactions between them, it is possible to boost efficiency by simplifying certain processes, without compromising the security aspects that are treated as a priority throughout. In other words, the maximum level of operational efficiency can be implemented together with the minimal level of operational risk.
- Minimising downtime
As a result of the optimisation of processes and operational continuity, downtime can be minimised.
- Optimisation of reserves
Another result of process optimisation is that maintenance reserves can be partially merged with disaster recovery reserves.
- Uniform inventory
Instead of having a parallel inventory for each geographical area, a common inventory can be used, which significantly eases planning for the mid and long-term development of operations and supporting resources.
- Input data for the master plan
The risk analysis provides important and highly usable input data for preparing and updating the master plan, thus facilitating the optimisation of long-term capacity and resource planning.
- Security vs. minimising reserves + capacities
The pool of backup equipment and reserve production capacity can be downsized without compromising the level of security.
- A rapid return on the investment
Through enhanced efficiency and the assurance of continuous operation (reduced downtime), the project cost is recovered in the short term.
In production continuity planning, we essentially rely on the common Information Security standards (BS 25999, ISO 27001, ISO 13335, ISO 27005, BS ISO/IEC 27031:2011), although these may naturally be supplemented in keeping with the special requirements of the given area of industry or production.