Business Continuity Standards: Not an Insignificant Investment
By Ericka Chickowski | Posted 2008-09-25
This case study on Repligen, a pharmaceutical company, takes a close look at the benefits and costs of applying business continuity and disaster recovery standards through a certified program. One expert in the field argues that companies should go slow with this process and examine all costs associated with it before deciding on a competing standard. Certifications are a business, but real cost benefits can come in the form of customer loyalty and more efficient auditing, as well as streamlining business continuity processes.
Not an Insignificant Investment
Repligen chose to go with BS25999 because not only did that piece of paper at the end of the tunnel give them the means to reassure customers, but it also gave them the direction and tools to implement those solid fundamentals that Berman emphasizes—an overarching strategy that includes all of the usual disaster recovery homework such as business impact analysis, gap analysis, and proper testing and maintenance of plans.
“What the standard requires you to do is to put in place a living, breathing business continuity management system that incorporates a number of tools to assess the risks that might impact your business,” Whitehouse says. “There's a strong aspect of focusing on identification of risks, prioritizing the risk impact and severity on your business and then working to try to put things in place to mitigate those risks you’ve identified.”
The certification process made Repligen put in more robust recovery mechanisms, open a new secondary facility and generally increase redundancy of operations, and ramp up additional stock of their supplies to see customers through a transition between sites in the event that the primary site goes out of service. And the process is ongoing, even after certification.
“The system really is very focused on continuous improvement as you mitigate the highest risks that may be on your list early on, new risks have come to the top of the list,” she explains, “so you are continually refreshing the system and continually improving in the area of risk mitigation.”
Most importantly, the system they’ve developed through the BS25999 framework makes it possible to fly on autopilot when business leaders are likely to need direction most, during disasters.
“Makes it easy just to react to emergency rather than coming up with things on the fly,” she says. “There's so much thought that goes into everything and preparation that goes into everything so that if something happens you don't have to be reacting on the spot, you've already got a lot of tools in place to help you make good decisions at the time.”
Creating the BCM system was “not an insignificant investment,” Whitehouse says. These processes cost money not only to put into place but also to maintain. And yet, she says that it didn’t require them to spend every last dollar they could have possibly spent on disaster recovery. That’s the beauty of BS25999, DiMaria believes.
“It takes a very common sense approach as well in that you have to analyze through risk assessment and business impact analysis what risk you have, what these risks mean to your organization if they happen, what's the possible impact and then ascertain what level of mitigation has to be there,” he says. “Clearly you could overspend in mitigating a risk that would cost you a lot less if you just let it happen and rely on an insurance policy or something like that.”