Book Review: “Business Continuity Planning Methodology” by Dr. Akhtar Syed & Afsar Sayed
I will start this book review by breaking the rules. That is, I will first tell you the book is fantastic, one of the best I’ve read on any professional subject and that if you are a CBCP and do not own it, you should get it ASAP. Now, for the review.
I have many BCP books in my library, but few come close to “Business Continuity Planning Methodology” in maintaining harmony with the DRII framework, as well as best practices from ISO, CobiT and NFPA. It is also the only one that actually takes you step by step through the major domains every Business Continuity professional needs to know. The book is 300 pages, so it is concise and to the point. The authors are hands-on experts in the field who do not waste time on academic examples to drive their points. The book is divided into eight chapters listed below:
- Risk Management
- Business Impact Analysis
- Business Continuity Strategy Development
- Business Continuity Plan Development
- Business Continuity Plan Testing
- Business Continuity Plan Maintenance
- BCP Process: Reports and Documents Summary
The sections on Risk Management and Business Impact Analysis should be mandatory reading for everyone in the Risk, Security, Audit and Governance fields. In my experience, today the folks holding the CBCP certification have the best Risk Management training of all the non-financial professionals involved with Risk Management. The granularity and scope of a typical BCP Risk Assessment are far superior to most of what I’ve seen coming out of the IT Security and regulatory compliance spaces. In addition, the BCP-type multi-dimensional Risk Assessment is also superior to those generated by most Auditors, who tend to stop at the financial threshold test generated from the year-end financial report. I have long felt that just these two chapters are well worth the price of the entire book.
Business Continuity is a serious subject that is still misunderstood at many organizations. In addition, BCP was left out of the Sarbanes-Oxley Act, which has given many a CIO, CFO and CEO the excuse that “it is not required”; therefore, few resources get allocated to having dedicated BCP professionals on board and/or having serious continuity plans. Outside of the southern states (highly affected by Hurricane Katrina) we do not see much serious Business Continuity work at major organizations. I always considered this attitude irresponsible. The idea that disasters, crises and business disruptions are things that affect “others” and are not worth preparing for seems contrary to logic. Convincing these “C” types about the value of BCP is a tough job, but if you need to do it and you need to develop a clear and concise argument about what needs to be done, what resources will be needed and how long the efforts may take, the “Business Continuity Planning Methodology” may be one of the best references to have at hand.
As Enterprise Risk Management (ERM) gears up as a result of recent market debacles, we will see a greater need to break the silos that now keep IT Security Risk Assessments, Business Continuity Risk Assessments, Financial Risk Assessments, Operational Risk Assessments, Market Risk Assessments and Regulatory Risk Assessments apart. True ERM calls for a unified view of risks across all departments, regions, functions, resources and markets. Threats and information about threats need to be managed in a unified manner. The BCP approach to Risk Assessment takes this unified view.
If you are or plan to be involved in an ERM initiative and you lack Risk Assessment experience, your best bet is to learn the Business Continuity approach to Risk Assessment and Business Impact Analysis. When you understand these, the other types of Risk Assessments will be easy to tackle. The Business Continuity Planning Methodology book is a tool that will get you started in understanding this process. Of course, it is a great reference for all the other topics it covers as well.