This post will lay out what I think of as the critical path of business continuity management: the nine areas that a BC program must have under control in order to make an organization resilient and recoverable. This business continuity management guide is meant to give struggling businesses a path to resilience. These nine areas represent a mini BCM guide.
These are the things it’s most important to wrap your head around if you’re just getting started.
If you can successfully come to grips with these nine areas, you’ll be on your way to protecting your organization and its shareholders against every type of disaster, whether it’s a pandemic, a cyberattack, a weather-related event, an incident of workplace violence, or any other type of event.
Think of this post as your BCM newcomer cheat sheet.
1. Governance and Oversight
You need a small, efficient, and effective team to guide the program. The ideal is a group of three to five senior-level people who can eliminate roadblocks, get money, and make decisions. The group should meet regularly, attacking problems, especially around governance, risk, and compliance, and finding solutions.
What you don’t want: A bloated group full of people who never resolve anything and can’t make decisions or move your program forward.
2. Metrics
Metrics make things objective: they allow for comparison and improvement, and they guide investments. In BCM, you need a method to evaluate how aligned you are with your chosen BC standard (whether it’s NFPA 1600, ISO 22301, or whatever).
You also need a way of measuring the amount of risk remaining in your system once you have some kind of plan in place.
What you don’t want: To waste time and resources collecting metrics that don’t mean anything, such as how many BIAs you’ve conducted.
3. Budget
You need a sufficient budget for your BC program to execute the critical items in your program. This doesn’t have to be a fortune. What matters is not how much money you have but what you do with it. Smart, lean programs make their BC dollars go far by working on the right areas, each and every year.
What you don’t want: A poorly managed program that spends a king’s ransom paying a lot of people to do very little.
4. Business Impact Analysis (BIA)
The BIA is a (usually) department-level study that identifies which business processes would hurt the company the most to lose for various periods of time.
It evaluates them based on a combination of mission criticality and time sensitivity. A BIA helps you identify which processes you most need to protect. It provides a rational basis on which to allocate your BCM resources. Your business impact analyses should be based on your primary mission as an organization. Doing BIAs right requires tough, disciplined thinking.
What you don’t want: To make the mistake of trying to boil the ocean. Some people try to do too many BIAs and decide too many processes are mission critical. Another common mistake: Treating BIAs as gospel rather than as a guide and point-in-time reference.
5. Threat and Risk Assessment (TRA)
The TRA is similar to the BIA, only its focus is on identifying the nasty things out there that constitute threats to the organization. It’s a way of identifying what negative events might happen. It evaluates those events based on how likely they are to occur and how damaging they would be. Good TRAs are relevant, thoughtful, and undertaken with a serious attitude. Good business continuity teams then act on those threat and risk assessments by implementing measures to mitigate the most likely and impactful risks.
What you don’t want: Half-hearted TRAs that lack depth and data. Or TRAs that go nowhere or sit on a bookshelf.
6. Recovery Plans
A recovery plan should be intelligent, executable, and built by the right subject matter experts. The plans should be checklist-heavy, focusing on the real steps to be taken and assuming a certain baseline of knowledge among the users. They should tell a story, leading from the event to the response to the return of normal operations. They should also use a template that works for the organization and adhere to industry standards.
What you don’t want: Recovery plans that are stuffed full of policy statements and other extraneous information. You also don’t want recovery plans that are too high level to do any good or too lost in the weeds to be executable.
7. Recovery Strategies
Your recovery strategy should be based solidly on your BIAs and properly budgeted and implemented. As an example, a business continuity strategy for a critical call center might be: “We’ll have 50 percent of the people working in the call center and 50 percent working from home; that will make our systems fully redundant.”
What you don’t want: For people to decide on a recovery strategy and then not budget for it or implement it. Recovery plans are no good without a well-thought-out, implemented strategy. This is one of the biggest gaps we see in organizations’ BCM programs.
8. Recovery Exercises
To make sure your strategies work, you need to conduct regular, realistic recovery exercises to put them to the test.
There is a range of different kinds of drills in BCM, from tabletop exercises (talking through a scenario) to full-scale, multi-day, highly realistic drills. The best programs use all the different types in a coordinated way. Realistic, increasingly complex recovery exercises conducted over time are the only way of validating that your plans and strategies will work.
What you don’t want: To conduct no exercises at all or rely solely on tabletop exercises.
9. Continuous Improvement
Business continuity management is a challenge, because you can always do something better across the three subparts of BCM:
- protecting business processes,
- protecting IT,
- doing crisis management.
Plus, your organization and the world are in a state of constant flux. That’s why I include continuous improvement in my list of areas making up the critical path of BCM.
Good programs make a commitment toward continually getting better, by constantly scanning to identify their weak points and fixing them based on some rational assessment of their importance.
What you don’t want: To believe that your program is as good as it can be and maintain the status quo.
Having a Clear Business Continuity Management Guide
In my judgment, the critical path of business continuity management comes down to nine areas: governance and oversight, metrics, budget, BIAs, TRAs, plans, strategies, exercises, and continuous improvement.
If your company can create a full business continuity management guide to manage those areas successfully, you’ll be on your way to ensuring your organization will be resilient and recoverable in the face of any type of incident that might arise.
Turn Your BCM Strategy into Action with BCMMetrics
To make your business continuity management program easier to run, better known, centralized, and actionable, you should use software.
BCMMetrics was built by the MHA Consulting team, first to manage business continuity projects, and then launched to provide businesses with BC software.
BCMMetrics provides you with incredible BC solutions, including:
- Risk-based auditing,
- Compliance self-assessment,
- Process BIA data,
- Minimize your company’s vulnerabilities,
- Build recovery plan and exercise templates,
- Edit your BCM plans,
- Strengthen the security of all your facilities and processes.
Our pricing is also module-based to ensure that you are only paying for what you need. Do a virtual tour to discover how the software works.
Michael Herrera
Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.