In today’s blog, I’ll share our business continuity management guide so that it might help you wrap your mind around starting a BCM program.
So you’ve been tasked with getting a business continuity management (BCM) program up and running for your organization. Congratulations, it’s an exciting field and an important responsibility.
This information might also be helpful to folks who have a program up and running and wonder what they might be missing.
THE FIVE PARTS OF OUR BUSINESS CONTINUITY MANAGEMENT GUIDE
Specifically, I’m going to lay out the five main areas that make up a BCM program and say a little bit about what needs to be done in each one. The five areas of our business continuity management guide are:
- Oversight and Governance
- Functional Requirements
- Recovery Strategy
- Plan Testing and Maintenance
- Continuous Improvement
This framework originated several years ago with the Disaster Recovery Institute International (DRI), but I think it’s still right on the money—except for one omission which I’ll explain at the bottom.
I think of this description of BCM program components and responsibilities as an oldie but goodie.
What specifically must be done in each area? Answers below.
OVERSIGHT AND GOVERNANCE
This is all about who’s in charge. A sound program starts with smart, committed leadership. Here are the main tasks in this area:
- Develop a sound management oversight group to oversee the program and its plan of action.
- Determine the budgeting process and how it will be administered on a regular basis.
- Create reporting mechanisms to show progress, successes, and action items on a regular basis.
- Document and approve policies and standards for implementation of the program.
FUNCTIONAL REQUIREMENTS
This is where the rubber meets the road. The main functional requirements of a BCM program are:
- Identify what is critical to your organization using a Business Impact Analysis (BIA) study.
- Determine how soon after a disruption your business processes must be recovered, how much data loss is acceptable, and what technology is needed to support those processes.
- Using a Threat and Risk Assessment (TRA), determine relevant threats (man-made, natural, technological) to your organization and the level of mitigation you have in place today. Document findings and recommendations for improvement.
RECOVERY STRATEGY
The organization needs a strategy to recover after a disruption. For the purposes of our BCM guide, here’s what’s required:
- Based on the findings of your BIA and TRA, identify the recovery strategies (e.g., internal, external, hybrid) you will need to recover your critical staff, business processes, and computer technology in a timely manner. Can you recover internally at another company location, rely on a third-party recovery provider, or combine internal sites with an external provider?
- Document options and costs and present them for review and approval by the Oversight group.
- Budget and implement the solutions.
- Create a corporate-level crisis management team to strategically lead the organization in a disruption.
- Train recovery planners and teams in the development and use of recovery plans for business processes and computer technology.
- Document and develop recovery plans and teams for your critical business processes and computer technology identified in your BIA.
- Hold a mock disaster exercise for the crisis management team and walkthroughs of your recovery plans.
PLAN TESTING AND MAINTENANCE
Remember that old dentures ad “Fixodent and forget it”? BCM is not like that. You have to test, maintain, and keep things up to date. Specifically, you should:
- Hold recovery exercises at your alternate locations for your business processes and computer technology.
- Update the recovery plans on a regularly scheduled basis.
- Update your alternate site configurations based on the changes in your business processes and technology.
CONTINUOUS IMPROVEMENT
No BCM guide would be complete without discussing ongoing improvement.
BCM is a lot like athletic ability. If you’re not getting better, you’re getting worse. Strive to always get better, and adapt to the inevitable changes at your organization.
- Look for continued ways to improve the BCM program and measure its capability.
- Document a roadmap for continuous improvement.
I mentioned in the beginning that the DRI framework omits one thing. Actually, it’s not really an omission; it’s more a reflection of a change that’s taken place in the last few years.
The last few years have seen a boom in organizations’ use of third-party suppliers. The DRI framework doesn’t emphasize this point. But because of our increasing reliance on outside vendors, it’s become important for BCM professionals to identify who the critical suppliers are at their organization and to vet those suppliers’ continuity plans.
For more information on doing this, see my recent post “Never Break the Chain: Assessing and Managing Supply Chain Risk.”
A VITAL RESPONSIBILITY
If you are new to business continuity management, welcome to the field. Be prepared to be taken for granted and considered a nuisance, but also to carry the vital responsibility of making sure that your organization can continue doing business after disruptions, outages, and emergencies, which are inevitable.
Ultimately your job is to protect your organization and its stakeholders and customers; it doesn’t get much more important than that.
I hope the above discussion helps you get your head around your new role. For additional tips and insight, see the links below.
For more information on this and other hot topics in business continuity management, check out these recent posts from BCMMETRICS and MHA Consulting:
- A Pocket Guide to Business Continuity Management Now
- The 9 Hallmarks of Quality BCM Service
- 7 Habits of a Good Business Continuity Manager
- Do the Right Thing: Start a BCM Program
- Sweating the Big Stuff: 5 Things that Really Matter in BCM
- Become a Master of Disaster: Educate Yourself With These Key BC Resources