ITIL looks at business continuity, change management, and problem and incident management from a service perspective. All of these frameworks are very complementary to the business modeling process." ISO/IEC guidelines contain a wealth of best practices specific to information security management.
Increasingly then, an effective strategy for business continuity planning lies first with carefully modeling the business itself. This means gaining an in-depth understanding of business goals, priorities, functions, underlying processes, and the people and expertise involved with those processes. "It's too easy to get down to the guts of networks, systems, servers, and patches without understanding that the real mission here is to wholesale leather shoes," says Trent Henry, senior analyst at the Burton Group. "IT has to understand fundamentally the business they're in the middle of. Then they need to understand the dependencies of the business processes on the infrastructure that they're running." This business-impact analysis is generally followed by a technology profile and is a staple of many enterprise business continuity teams. "That begins to pull in risks to the business," Henry says, "and what aspects need to be prioritized, including people."
Getting started in modeling a business generally involves extensive interviews, typically in a workshop setting, with senior executives and representatives of the business units. Where you start depends on whether you have gone through part of this process before. "Most companies we see doing this today are in the mature or world-class category," says Damian Walch, national practice executive of business resilience consulting at IBM Global Services. He adds that the financial services and energy sectors tend to be the ones that come to them for this purpose. "They've gone through at least one business-impact analysis before and know which processes are critical." What they sometimes don't have a handle on, according to Walch, is the dependencies among various business functions and between the business functions and IT.
"You start with the lines of business the company defines as where their core products and core revenue are coming from," SunGard's Grogan says. "Then you dive under the covers. What are your salespeople doing to generate the sales cycle? What are your accounting people doing to get the bills out? What are your distribution or production people doing to create the product and get it shipped?" Some of these pieces may be internal and some external. "Many companies outsource their shipping and distribution to UPS or FedEx, but that process is key to their customer satisfaction."
Who should be involved? "Usually it's not the line-of-business executive, it's more like someone at the manager or director level," IBM's Walch says. "Someone who inherently understands the process and can help you walk through claims processing, drilling, or exploration."
But Unisys' Dillman disagrees. "We like to start with the executives because ultimately it comes down to what goals you're trying to achieve in a degrading situation and how much you're willing to spend."
Mapping interdependencies among processes, departments, employees, and external players is the overarching goal of the business continuity planning process. This is where diagramming software, such as Microsoft Visio, can help. SunGard has a software product called Paragon that provides tools to guide companies along the entire business continuity planning process, and it includes diagramming software that can map interdependencies. "People may not understand initially a dependency between customer service and product development or how much order entry does or doesn't depend on finance," says Jacques Murphy, SunGard's Paragon product manager.