Reducing Operational Risk through Business Continuity Management

Hi all, I’m Tom Easthope, Sr. Program Manager on the Enterprise Business Continuity team at Microsoft. This blog entry is a companion to the video featuring my colleagues Phil Sodoma and Traci Bishop. In their video they talked about several aspects of our business continuity program at Microsoft.

The goal of any Business Continuity program should be to create and maintain operational resiliency. As Phil and Traci mentioned, our program at Microsoft is holistic – meaning that it looks at process resiliency across a broad range of dependencies both internal (workforce, other teams) and external (vendors, supply chain).

One key to our program’s success is having strong commitment and support across the business. Program credibility is enhanced with high-level direction from our Board, funding commitments from our business leaders, and best-in-class subject matter experts. Our program is further strengthened by tight integration and common goals with our internal audit and enterprise risk teams.

Traci and Phil also talked about the importance of standards. First, standards create a common taxonomy that works across the company, which is essential if your organization is global and in multiple lines of business. We also find that business continuity standards, such as the federal PS Prep (Private Sector Preparation) voluntary standards, could potentially become a requirement for vendors selling to the US government. Organizations can theoretically save compliance costs by aligning to these forthcoming standards sooner rather than later.

One other aspect of our program is an emphasis on vendor resiliency. Outsourcing has become an increasingly popular strategy for companies to reduce costs and focus on core business functions. While these strategies can deliver on their promise, they also introduce new business continuity risks. Companies should not mistake the transfer of risk to an outsourcing vendor for operational risk reduction. A proactive procurement system that includes business continuity risks, coupled with systematic vendor assessment and joint exercise commitments, can help mitigate much of this unseen risk.

Lastly, a tough economic environment puts new pressure on the tools issue. Centralizing data captured through implementation of a BCM program provides an opportunity to create new information assets. Companies can choose between investing in a specialized tool that manages workflows and creates structure for the organization, or creating their own control environment internally without having to pay licensing, training or customization fees.

At Microsoft, we use our own tools to gather data, create workflow and enhance communications. We find that most folks appreciate the ease of use of a familiar interface such as the Microsoft Office Suite, as well as the fact that these tools don’t require additional licensing fees.

-Tom Easthope
Senior Program Manager, Enterprise Business Continuity
Microsoft Information Security