The subject has been laughed at for a long time, if not ignored. After all, earthquakes and tsunamis are rare in our latitudes, and the last pandemic before Corona did not reach us. Many service providers were also mistaken in assuming that emergency management is only relevant for operational services. Since the beginning of the current pandemic, it has become clear that the regulatory requirements are not merely theoretical: emergency planning is essential across all sectors and also affects purely development-focused companies and consultancies. These too could only continue their projects if a working plan for an emergency was in place.
Service providers in the finance and insurance industry have also been complaining for years about the requirements of the supervisory authorities for emergency management and business continuity management (BCM).
In addition to the legal regulations, institutions and authorities also demand a lot from companies when it comes to IT emergency planning and management. Here are some of the relevant requirements:
Minimum requirements for risk management (MaRisk)
Supervisory requirements for IT in financial institutions (BAIT)
Supervisory requirements for IT in insurance undertakings (VAIT)
They require concepts for emergency management that do not merely exist on paper, but are also tested and coordinated between the institution and the service provider. However, it is not just regulated industries such as the finance and insurance sectors that are affected.
Legal requirements for IT emergency planning apply to all companies. Critical activities and processes can be, for example:
As part of the necessary risk management, the establishment and maintenance of IT emergency planning is a permanent task of the management of a company. IT security will also become increasingly important, because the security of the IT systems used in a company cannot be separated from their availability even in the event of an emergency.
The conception, implementation and updating of emergency management and business continuity management in general, and of IT emergency management in particular, involve significant financial and time expenditure. But those who save on it save in the wrong place, as the past three months of the pandemic have shown. Companies were fortunate if they were able to switch quickly to working from home and their systems and processes were set up for an unexpected change in work processes. Those who were well prepared were able to continue their projects and all of their business operations largely smoothly.
Reading tip: Home office demands cybersecurity
Business continuity management (BCM) is, depending on the type of company, a central duty of the management. BCM describes all concepts, plans and measures for maintaining business continuity that ensure the continuation of a company’s business activity under crisis conditions, or at least under unpredictably difficult conditions (similar to risk management). BCM therefore includes all measures intended to bring a company through a crisis situation.
Emergency management is part of BCM. The aim of emergency management is to contain the damaging effects of an event in good time in order to avoid disruptions to operational business, up to and including economic ruin. The objective is therefore to continue the business activity with the help of defined procedures. Examples of such procedures are business continuation or resumption plans, as well as the protection of people, property and assets.
Emergency planning consists in particular of documenting all critical processes, including their maximum tolerable downtimes and their weighting. In the IT area, the focus is on ensuring information security and IT emergency planning.
The following aspects must be taken into account when designing, establishing and maintaining a sound emergency management system:
The company’s management is responsible for operational emergency management.
All members of the executive board must agree to the emergency planning.
All those responsible in the company must know the emergency plans.
The availability of the emergency plans must also be ensured in an emergency.
Contingency plans must be drawn up for those areas and processes in which the occurrence of an unforeseen disruption can jeopardize the continuation of business.
Outsourced areas and processes must also be taken into account in emergency management.
The adequacy and effectiveness of the emergency plans must be ensured. In order to test the effectiveness, test runs and exercises must be carried out regularly in accordance with the risks of the respective area or process. Emergency plans only on paper are of no use.
The emergency scenarios on which the emergency plans are based must take into account the risk profile determined in each case.
Contingency planning and dealing with an emergency must be appropriately integrated into the company’s organizational and operational structures and processes.
Tasks, responsibilities, information obligations and escalation processes in emergency management must be clearly and comprehensibly defined and documented.
Effective emergency management is intended to increase the resilience of a company’s processes in order to ensure that business can continue to be carried out by means of defined procedures in possible crisis situations.
Corresponding requirements for emergency management are also to be agreed in contracts, above all, but not only, in outsourcing contracts. When drafting such contracts, not only the relationship between the contractual partners but also the relationship with subcontractors and their inclusion in emergency management should be clarified. This is especially true when the services of the subcontractor are of crucial importance, for example with providers of cloud infrastructure.
The business units involved on both sides of the contract are responsible for creating business-related emergency plans, and they should be supported in this by a central body. It is important that the employees (including those of external service providers) or bodies responsible in an emergency are known to everyone involved. For this purpose, the BSI provides for the establishment of an alarm plan that describes who notifies whom in the event of an emergency.
The criteria for assessing whether an emergency exists are a component of a contractual regulation for emergency management. The organizational procedure between the participants is then regulated, and the reporting and notification obligations are to be set out contractually. Pre-coordinated emergency management is meant to save exactly what neither companies nor service providers have in a critical situation: time to solve the problem.
Any viable contingency planning should therefore include the essential activities on which the contractual services are based. In addition, the effectiveness and appropriateness of emergency planning must be checked regularly. On the one hand, such tests should be based on the frequency of the hazard situation; on the other hand, the tests can relate to individual sub-areas of the services to be performed. The BSI recommends an annual review.
Reading tip: Disaster recovery – this is how your IT gets back on its feet
The growing dependence of companies on third-party IT systems and third-party services, especially in the course of IT outsourcing and business process outsourcing projects, will promote the implementation and dissemination of standards for emergency management, because the cost pressure on service providers requires the cost-effective implementation of such IT emergency plans in “standardized” quality. However, compliance with such standards can only ever be an indication of dutiful behavior; the responsibility of company management will remain. (bw)