Business Continuity: Getting it Right

Al Berman of DRI International on How to Rise to Global Challenges
Business Continuity: Getting it Right
When it comes to business continuity and disaster recovery planning, it isn't the cause of the disaster that's the concern - it's the potentially devastating effects.

In a new interview on the topic, Al Berman, president of DRI International, discusses:

  • Today's biggest threats to organizations;
  • The greatest gaps in disaster recovery planning;
  • Three steps organizations can take to improve BC/DR preparedness.
Berman is a CBCP, a member of the ASIS BS25999 technical committee, a member of the Committee of Experts for ANSI-ANAB, a former member of the NY City Partnership for Security and Risk Management and the co-chair for the Alfred P. Sloan Foundation committee to create the new standard for the US Private Sector Preparedness Act (PL 110-53). Over a career that has spanned 25 years, he has served as a President and CIO for a major financial institution, National Practice Leader for Operational Resiliency for PricewaterhouseCoopers and Global Business Continuity practice leader for Marsh.

TOM FIELD: We spoke about a year ago, and we talked about the H1N1 virus. Why don't you give us just a little background on the institute and on yourself for people that maybe didn't hear that interview?

AL BERMAN: Sure. DRI International was founded in 1988, and its job was to be the focus for business continuity and disaster recovery and a compendium of knowledge, and seeking out those issues that would most affect people 20 years ago. Since then, we've grown to an organization that now has certified professionals in over 100 countries. We do training in over 45 countries. We have about 8,000 active members and are expanding throughout the world and specifically in Asia as we speak.

I actually came to DRI about four years ago. Before that I was president of a banking subsidiary. I am a former CIO. And I joined the board about four years ago and became the Executive Director probably about six months after that, and subsequently President.

Disaster Types

FIELD: Now, Al, I was told years ago that when you look at business continuity and disaster recovery, it breaks down into three distinct categories: your natural disasters, your manmade disasters, and pandemic. Do these categories still hold true when you think of business continuity and disaster recovery as a global challenge?

BERMAN: Well, let me give you an insight into business continuity, which actually is cause independent. Before I headed PriceWaterhouse Cooper's practice, I actually worked for a research form, and by 1995 we found 146 causes of disasters. That's 1995 -- no dirty bombs, no nuclear backpacks. So, business continuity really focuses not on causes, but really on effects. When we look at effects, we find it in really four different distinct places.

One, we find it in the facility. A facility has been flooded, it's been burnt down to the ground, it's been affected with SARS or H1N1, but you can't use the facility.

The second one we see is in the business operation. People can't get to work. You have supply chain problems; you have infrastructure problems, but those that really affect the business process.

The third affect we see is in technology -- the traditional viruses, failures of systems, those things that have to deal with communication.

And the fourth one looks at the corporation, intellectual property issues, succession planning, merges and acquisition. It was only a year or so, again, that they almost shut down my Blackberry because of intellectual property issues. So we look at from a business continuity point, really. the effects or the impacts of things and not necessarily the causes, because, as we well know, we don't know what the next cause is going to be.

Biggest Threats

FIELD: Well, that's a good point and a good perceptive. When you look at in that light Al, what do see as today's biggest threats to global organizations?

BERMAN: If we go back about 20 years ago, when we started and it was all about the data centers, and then probably 15 years later we got out of data centers and communications and operations. But I think actually in looking at the global economy, Tom, I think the biggest thing we are concerned about is supply chain. Not only from the traditional business problems, but as well -- in this kind of economy, it was Nissan who had to shut down its operations for three days recently simply because its suppliers couldn't come up with the goods. So they actually had to shut down factories. As we sit in a very tight economy where businesses are not containing big inventories, there is bankruptcy, there are credit problems. We actually are looking at this from a business perspective, and supply chain is becoming a bigger issue. We know it from a terrorist perspective; we know it from a national disaster perspective. But now we're also looking at it from an economic perspective.

FIELD: So how prepared are organizations to respond to supply chain issues as well as other threats to their business continuity?

BERMAN: I think it will depend on the business. Now, when we look at it, we look at regulations that have been very stringent in the financial sector, and despite the economic problems we think the financial sector is the most robust from a real operational resiliency point of view. From an enterprise resiliency point of view, auto failover, having operations in diverse parts of the country and parts of the world, we're seeing it even in manufacturing where we are starting to look at more and more suppliers. So I think we are starting to address the broader issue.

If we look at the supply chain ... we look at each of the components that make up the successful process or service delivery, and we are looking harder at it. We're trying to make our suppliers more resilient, and as you can tell from a lot of companies and from a lot of regulations, they are now doing extensive testing with their suppliers when they do business continuity or disaster recovery testing.

Biggest Gaps to Fill

FIELD: When you look at all these issues we've talked about -- and suppliers are a great one to bring up. You've talked about supply chain. We've seen natural and pandemic disasters in recent times. Where do you see the biggest gaps within organizations to be prepared to continue their operations?

BERMAN: I think it runs a total gamut from those who don't believe anything is going to happen to those who are really looking at what are their alternatives. And again, in this economy, with fewer suppliers because of bankruptcy and credit crunch, we're seeing a lot of single-source and sole-source suppliers. I think the issue now is to look for alternative suppliers from alternative supply chains and being very careful of what regions of the world we are getting those suppliers from. So I think the biggest gap we're getting now is an analytical gap. I think like everything else, we should be able to at least acknowledge what our problems are in the next year or so for most major corporations.

FIELD: Okay talk to me about the analytical gap. What do organizations have to do to address that in particular?

BERMAN: Well, when they start to look at impacts, we recommend that they do an upstream analysis. Upstream being those people who you are dependent upon. So, if you look at the business from order to cash and each of the components within it, you want to know who is feeding you. It is very difficult to figure out who you are feeding, but just for example if you don't get something and you're sitting at corporation, you always know who to call. So this upstream analysis is really starting to help corporations identify the sources of information or products -- who the source is, and how reliable they are. Through analytics and that process we are starting to look in three real fields. One, if you look from a manufacturing point of view, they are looking at the production line to see what the backup is for that production line. Secondly, they are looking at the production itself. So if you look at production line for failure in production in the line, you are really going to now look for what happens if the site fails. Third, there is a huge amount of being looked at the corporate entity. How sound are they financially? How credit-worthy are they? What are the intellectual property issues that they are facing? What other legals they may be facing? What is the possibility that they will be bought out by a competitor? So those are the issues we're really starting to look at supply chain, and it really does run that whole gamut.

FIELD: Now let me give you a chance to give a little commercial for DRI International. Tell us a bit about what you are doing today that is unique and how you are preparing business continuity professionals.

BERMAN: As you know, we've been certifying professionals for the last 20 years. Recently we've added two new certifications, and one of them interestingly enough is supply chain. About a year ago, we actually created what is known as a Certified Business Continuity Vendor. It came out of the demand from our certified professionals asking which vendors really could they depend on -- which vendors had the knowledge and the broad base which they could identify with. We created the certification to map out a professional certification, so the vendors have to go through the same training, they have to pass the same exam, and they have to pass the credential process, and this has really done a lot to clarify who is a qualified vendor and who is selling Ginsu knives last week. It has really helped the community.

The second thing we're doing in response to what is now the Private Sector Preparedness Act and the Accreditation of Corporations is we've created an audit certification. That audit certification will be used by companies to one, internally certify themselves to see if they are ready for an audit, first-party certification if you would. Secondly, to train those people who will eventually be what are called certified bodies, those who will certify corporations as to preparedness on the PS Prep Program.

Improving Preparedness

FIELD: Al, a final question for you. We're headed toward 2011 right now. Give me the three steps an organization can take starting today to improve their business continuity and disaster recovery preparedness for the next year?

BERMAN: Well, I think there are things they should be doing. One is, obviously, we favor preparedness. I think the first thing corporations should do is do an honest evaluation of where they sit against standards, ours and the one most often used in professional practices that DRI has built over the years, and get an honest evaluation of it. Secondly, look at what kind of steps they can take to reduce the gaps where they really do feel vulnerability. The third one, strangely enough -- and we found this from a number of corporations -- is to map their insurance to the business continuity plan in terms of business interruption insurance. When we talk about supply chain, contingent business interruption insurance -- that is, insuring against the failure in that supply chain -- and then look at extra expense and those things that would be associated with the recovery. So I think the idea of identifying the problems, trying to figure out where you are, and then looking at true risk, including insurance, would be the three steps I think I would take.


About the Author

Tom Field

Tom Field

Senior Vice President, Editorial, ISMG

Field is responsible for all of ISMG's 28 global media properties and its team of journalists. He also helped to develop and lead ISMG's award-winning summit series that has brought together security practitioners and industry influencers from around the world, as well as ISMG's series of exclusive executive roundtables.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.