While it’s possible to outsource portions of BCP, it probably isn’t practical to consider transferring total responsibility to an outside company because BCP can only work when a company’s internal staff is directly involved. Understanding what to keep in house and what to outsource is key to establishing a complete, effective program.
Outsourcing is defined as sending out (work, for example) to an outside provider or manufacturer in order to cut costs. Outsourcing BCP, then, would be defined as transferring BCP work outside of the company to an organization or individual instead of having internal staff do the work.
Companies may choose to outsource BCP for many reasons. They may not have the expertise in house to do the job, it may save them money in certain areas, they may not want to add to staff, and they may have a mandate imposed by a regulation or other outside driver forcing them to get a program in place quickly.
Outsourced BCP does not fit into the turnkey model, in which an outside company builds a complete and operational program. An outside company can help build a program, but there are too many aspects of BCP that require the client company’s direct involvement. For example, an outside company can build recovery plans for crisis management, business departments, and even the technology infrastructure, but in a disaster event, they can’t come in to make the necessary priority decisions about what, when, and how to recover.
There are, however, some areas that can be effectively outsourced and later integrated into the overall business continuity program. Below are some areas that can be considered for outsourcing.
Program Setup and Management
Program planning, selling the initial program to executives and employees, initial funding, and strategies for developing and implementing the program can all be enhanced through outsourcing. Planners responsible for overseeing development and implementation of the program can still make the required decisions but will have the contracted help available to guide them through the process. Such experts can serve as the “external” BCP department, consulting on the hundreds of decisions to be made in setting up and operating the program. In many ways, this is similar to a relationship with a long-term consultant, someone who could serve as the BCP Director.
Risk and Business Impact Analysis
There are many vendors in the marketplace that can help companies understand the threats facing them, and the probabilities of those threats. For instance, facilities experts can be brought in to analyze offices, plants, equipment, systems, etc. and point out vulnerabilities that need to be addressed.
Most vendors specializing in BCP can perform a business impact analysis, interviewing staff and executives to identify and prioritize the client company’s critical processes. They can provide reports showing which departments are most critical, how quickly they become critical following an event, and even defining recovery time objectives, dollar, and customer losses resulting from a BCP event. This is often a good area to seek outside assistance.
Strategies
As with risk and impact analysis, the development of previously defined strategies can be a good area to consider outsourcing. In fact, the company used for risk and impact analysis is probably the company that should help define and approve BCP strategies.
Plans and Plan Development
There are several different types of BCP plans within a program, such as emergency response, crisis management, business department recovery, technology and infrastructure, and others. While external resources are available to help build these plans, it is difficult to have someone outside the company actually write the plans without very heavy staff involvement. The contracted party can come in and interview staff and gather information, and even do the actual data entry, but identifying tasks and vendors, setting up teams, etc., are issues better handled by internal staff. If the internal staff and program manager are not involved in building the plan, then it’s not their plan; they won’t know what’s in it or the decisions behind it, and they won’t know what to do if something goes wrong during the plan’s execution.
This is especially true with crisis management. Effective crisis management requires a defined team of specific role players who understand how the company works and have the authority from executives to make decisions about how to address a critical situation. While the vendor resource called in to help with the program can counsel the team in a disaster situation, it’s up to the team to own the problem.
On the other hand, an outside company probably can be more directly involved in developing technology recovery. While the technical environment may vary somewhat from company to company, the processes, teams, and tasks to recover technology are usually more clearly defined. In some cases, an outside company can provide specific plan structures that, with some modification, can be made to work for the client company. They will need to understand the priorities documented in the risk and business impact findings to help them sequence recovery actions. Some companies specializing in BCP technology recovery can even contract to assume processing operations of critical applications and services like Web sites, e-mail, and other time-sensitive processes immediately upon recognition of failures within the operating environment.
In summary, while BCP technology recovery, including plan development, can be outsourced, companies probably can’t completely outsource development of business-specific plans like, crisis management, emergency response, and other plans unique to them.
Recovery and Program Operation
Hundreds of companies have been outsourcing recovery and program operation for decades. Most planners involved with BCP have used the services of a hot site vendor, or have depended on a company to supply PCs and servers on demand, either for a test or exercise, or as a result of an event. Most of these third party providers offer excellent technology and DR consulting and are ready to help clients meet their DR and BCP recovery needs, whether for recovery of call centers or general business offices, web and hosting services, or complete recovery of the data center.
Some of the more sophisticated recovery resource companies are even prepared to absorb all of a client’s critical applications and technology processing automatically, should the primary operation fail. Working closely with the client’s technical staff, they will learn about the applications, how technology operations are run, and will be prepared to accept full operational responsibility should a failure occur.
Almost anything is available from a third party at the time of a disaster. There are companies that can provide furniture, heavy equipment (like trucks, fork lifts, even manual systems for distribution or light manufacturing), PCs, servers, internal networking systems, and in some cases even real estate and logistical support. Often, all that’s needed are prearranged contracts, or a monthly fee for more traditional hot site or technology equipment.
Program Validation and Verification
External auditors can audit business continuity programs, examining all aspects, resources, plans, teams, and even depth of training and comprehension of BCP within the organization. A third party can also be used to develop test strategies, define test objectives, help to select test participants, help organize the logistics of the test, manage test activities, conduct a post mortem, and report back how well the test went. This can be done in any area of the program, from a crisis management exercise, to a technology recovery test, to business recovery, to a complete end-to-end test involving all areas of the BCP program. However, internal staff will be needed to take part in all tests to ensure they know what to do in an emergency.
Conclusion
While it’s possible to outsource portions of BCP, it probably isn’t practical to consider transferring total responsibility to an outside company because BCP can only work when a company’s internal staff is directly involved. While an outside vendor can help write a crisis management plan, they’re neither prepared nor authorized to make priority or execution decisions in the middle of a disaster. And while the vendor can help build plans and strategies to recover critical departments and critical processes within those departments, they won’t be in a position to make the processing decisions a department head would understand and be authorized to make. Understanding what to keep in house and what to outsource is key to establishing a complete, effective program.
Leave A Comment
You must be logged in to post a comment.