Does my company need business continuity software?

Should your organization build its own business continuity tools from existing resources, or invest in an outside software package?

We have all seen the question of whether or not our organization needs business continuity software come up many times over the last several years, and it is a question worth seriously considering.

However, it might first be helpful to ask, what exactly is business continuity software? It can be many things actually. Some packages are very integrated and provide solutions for a multitude of business continuity objectives, while others are very subject-matter or industry specific. Likewise, some programs are easier to use than others, while several collect information that might be excessive for an emergency, but advantageous during audits.

[Get CSO's Ultimate Guide to Business Continuity and Disaster Recovery - 11pp PDF (free CSO Insider registration required)]

Over the years, I have found that I continuously develop strategies to address the following needs.

1. Business Continuity - to prioritize and document "work-around" plans to rely on until the business is returned to normal.

2. Disaster (IT) Recovery - to prioritize and document IT recovery plans.

3. Crisis Management - to document crisis response requirements.

4. Leadership Succession - to ensure proper leadership is always available.

5. Incident Command - to track issues during both exercises and actual incidents.

6. Business Impact Analysis - to support risk and business impact analysis activities.

7. Communication/Notification/Escalation - to document contact requirements for all internal and external stakeholders, with the ability to automatically notify and escalate as needed.

When it comes to the use of business continuity software, there are really two distinct thoughts. On the one hand, you have your distractors, claiming there is no need or advantage to using pre-packaged software when your skilled employees can easily build what you need with software you already own. On the other hand, you have individuals that strongly believe that a well-developed software package makes creating and maintaining plans much more efficient, leaving your employees time to solve other more important business problems.

Well, in my opinion, they are both right. I have worked for a few national and global companies where the best way to support their Business Continuity Program (BCP) was to use a software package. However, my experienced advice is to be prudent in what you chose, because the effort it takes to input data into some of these packages may far outweigh their benefits.

Case in point: I was hired as a Business Continuity Manager for a national healthcare organization and was provided with a software package that I was to implement nationally. The time investment this particular software required was tremendous. In fact, the investment was so great that we scrapped it two years into its development. A significant waste of time, money, and energy for all involved, with my reputation on the line (though I was not even part of its selection).

What did our company do? Well, we really had few alternatives. Everyone using the software tool--myself included--despised it, and we had no additional money in the budget to purchase another tool. We were thus forced to make the best of our office suite (i.e., word processor, spreadsheets, flowcharts, etc.) to develop our business continuity (BC) and disaster recovery (DR) plans.

At first, this seemed like a great idea. Many of the departments already had some or all of their plans developed using word processor or spreadsheet programs, and those that did not aligned quickly with the program. Then, at about six months into the development process, we initiated a plan maintenance review. While initially it was easy to build plans in a word processor or spreadsheet, it became apparent very quickly that plan maintenance would be challenging. We were now close to seven months into the process and in reality no farther along than we were using the software tool.

The crossroads

Since healthcare is a regulated industry, it was imperative for us to have BC plans and DR plans, also known as IT recovery plans, in place. Should I continue developing our plans using our office suite, knowing its limitations, or look at another BCP software package? My business leaders and I had a brief discussion about my dilemma; their response went something along the lines of:

"As long as we have something that works, it really shouldn't matter what we use. In fact, we've already purchased the best software package available--why would we spend more money just for a similar outcome?"

I have to admit, if I were in their position, I would have given the exact same answer.

[Get business continuity and security alerts via CSO's Daily Dashboard]

However, as a Business Continuity Manager, it was my job to make our BC/DR program work. I already knew I couldn't go back to what we had; the users and I simply could not work with the software, and relying on our office suite, though easy to use and without cost, just was not meeting the needs of our multi-state, multi-facility environment.

As mentioned above, there are really two avenues to consider when creating BC/DR plans. You can use a pre-packaged software product or rely upon your company's standard office suite. Each has its advantages and disadvantages.

Office suite: The main advantage of using your company's office suite is that everyone is already familiar with the software, so training is generally not an issue --and it is budget-friendly, with no additional cost associated.

The main disadvantages are that this solution is unable to generate reports (e.g., Plan A is XX% complete), your plans may not look uniform, and maintenance can be a serious challenge. In my opinion, plan maintenance is the office suite's Achilles' heel. In the case of the healthcare organization I was working for, a single name change had the potential to affect thirty-plus plans - a very inefficient process when updating manually.

Packaged software: The main advantages to a well-designed software package are that it guides your planners through the process; creates plans with a similar look and feel; and streamlines plan maintenance. Many software packages also include the ability to generate reports, and may support other tasks with Incident Command and Notification functions, to name a few.

The main disadvantages are the cost and the potential for the software to be somewhat limiting or inflexible for a company's particular needs.

As a national healthcare organization with a very complex environment, we clearly needed a software product. We spent approximately six months investigating new BC/DR software packages and quickly learned that some of the less established companies provided some of the best software available. We leveraged an independent research firm's product briefs, the vendor's own product information, and recommendations from my peers to quickly narrow our list. We then gathered a small task group comprising of myself and a few other users who tested the products and graded each one in the following four categories:

  • Implementation,
  • Functionality,
  • Performance, and
  • Support.

The benefit of using this process was that the winner quickly bubbled to the top and the users already had product "buy-in." It was early in the budget cycle, so I developed and presented an ROI comparison matrix comparing the BC/DR program with and without the selected software tool.

The tool was the clear winner and my leaders added it into the following year's budget.

Moving ahead a few years: I now work for a small consulting firm where many of our clients, both established and new, are facing these same decisions as they embark on their own BC/DR programs. As I start guiding my clients through their program development, I have come to realize that each solution has a place in our industry. If you are a large organization with a very complex environment, a well-organized software package will most likely provide great benefit over trying to do everything with your office suite. Many large companies have to deal with multi-state and/or global facilities. A good software package can help organize this environment and even provide a snapshot of the entire company's current recovery state.

[Also read 5 ways to build your BC/DR business case]

On the other hand, if your company is small or medium in size or has a less complex environment (i.e., only a few departments or facilities), the use of pre-packaged software may not be as beneficial. In fact, the time, effort, and even the outputs--impressive as they may be--probably are not really necessary. Still, if your company is part of a regulated industry, the ability to print reports and provide clean, well-organized plans might make a package worth the investment.

Bottom line: If you were looking for a clear-cut way to determine if BC/DR software is best for your company, I am afraid it is just not that easy. As a business leader, your role is to guide your Business Continuity Manager to accurately vet your company's requirements. Only then can you determine the best possible solution. If you do not have a Business Continuity Manager on staff, it may be wise to enlist the counsel of a third-party, vendor-neutral organization or individual to help identify the best solution for your company.

As business leaders, you are tasked to ensure the viability of your company even through unexpected events. The success or failure of your BC/DR program is critical to that viability.

Stieven Weidner is a Senior Manager at navigate, a business-management consulting firm.

Join the CSO newsletter!

Error: Please check your email address.

More about ecorpiGATE

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Stieven Weidner

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place