Why the Cloud should transform your Business Continuity Management | Cyber Risk | Deloitte Netherlands


Part 2: Leveraging cloud benefits in a responsible way

Cloud computing has reached a level of maturity and usefulness that many company executives never imagined. But the cloud also brings new risks. These need to be managed properly if an organisation wants to unlock the cloud’s full potential. In this blog series, we help you to stay in control—responsibly—while enjoying the benefits of the cloud.

Written by Dave Klingens and Danny Tinga

IT-related Business Continuity Management (BCM) used to be fairly straightforward. Organisations had an internal network, and when that network went down, there were always IT colleagues around to fix the problem. Now that many organisations have their infrastructure, platforms and software in the cloud, BCM needs a different approach.

A CIO of a Dutch company illustrated this perfectly when he told one of us that, 20 years ago, his company tested its response plans by simply unplugging a cable and seeing what would happen. "Just thinking about doing that now makes me feel sick," he said. "I honestly don’t know what would happen."

Cloud incidents

We understand his worries, and moving to the cloud doesn’t necessarily alleviate them. As a cloud customer, you lose understanding and control. A cloud provider might not live up to its promises. It might go bankrupt. Its servers might go down. A force majeure event may occur. 

Due to such incidents, you might lose access to your data or applications. That’s why your new hyperconnected status calls for a radical overhaul of your BCM.

Outsourcing IT services doesn’t mean that you also outsource the risks involved. A responsible cloud-proof BCM starts with not underestimating cloud risks and with regularly conducting simulation exercises for possible cloud-related scenarios. For our 2018 global survey Stronger, Fitter, Better, we questioned more than 500 senior crisis management, business continuity and risk executives about crisis management. Of these, 90 percent and 87 percent said they were confident they could respond effectively to a system failure and a cyberattack respectively, whereas just 50 percent and 53 percent actually conducted simulation exercises for those scenarios.

At the negotiating table

If you take cloud risks seriously, you should also make sure that responsible BCM is involved in your organisation’s cloud strategy. You need to talk with the business leaders about your risk appetite in an early phase, and you need to have a seat at the negotiating table with the cloud service provider (CSP). This means shifting your focus from developing (IT) workarounds and redundancy measures to making agreements with CSPs to ensure continuity of their services, even during or following a force majeure situation.  

Due to hyperconnectivity, there are many ways your cloud services can be affected. You should conduct a concrete and detailed business impact analysis to understand your cloud dependencies and the impact of unavailability on your business. You should also prepare for realistic scenarios and set up a corresponding response plan involving your CSP. Who are the people responsible? Do all stakeholders know the risks and their roles in case of an emergency? Does it make sense to have a backup at another CSP? An exit strategy should also be part of your BCM. How fast can you switch to another CSP?

You can outsource everything you want, but the risk of disruption will always remain yours. So if your organisation wants to leverage cloud benefits in a responsible way, your BCM needs to be rewritten.

 

Let's connect

Deloitte has helped many organisations understand the impact of cloud computing on business continuity management. Do you need help rewriting your BCM? Please reach out to Dave Klingens, Danny Tinga or Jurgen Schot via the contact details below.

 

 