Would you find it useful to read a cheat sheet setting out some of the main themes in business continuity management now?
Well, here is my quick take on the main issues in our field right now—with my observations being informed by nineteen years leading a BC consulting firm that has worked with industry-leading organizations across a wide range of fields.
Why am I writing a guide to business continuity management now? Because as I’m sitting on this airliner at this moment, there is a Category 4 hurricane bearing down on Hawaii, much of California is on fire, Puerto Rico is still struggling to get back on its feet after Hurricane Harvey, and my own city of Phoenix was just hit by unusually heavy flooding following a monsoon storm. It seems like a good time to get back to basics!
NOBODY DOES IT BETTER
Organizations across the nation vary widely in how ready they are for unplanned disruptions due to natural, man-made, or technological events.
Events have proven that all private and public entities need robust continuity plans to enable them to continue operations following a catastrophic event.
Unfortunately, far too many organizations are not prepared. Different sectors typically show different degrees of readiness.
Which field tends to have the most robust and proven continuity programs? The financial industry. Financial institutions are required to have sound BC programs under regulations that recognize how important their smooth functioning is to society.
Which sectors are next best? Consumer and supply-chain based organizations. These types of companies also work hard to have sound continuity capabilities.
Which types of organizations are lagging behind? Unfortunately, city governments tend to be underprepared in terms of having sound continuity programs and strategies to maintain key services and operations for their constituents.
And then finally—and perhaps shockingly—there is the health care system, which has one of the poorest maturity levels when it comes to ensuring the resiliency of critical IT systems and patient data. The organizations that are supposed to keep us well are among those most vulnerable to disruptions.
HOW TO BE GOOD AT BC
Most organizations that are lagging behind in their BC programs say the reason for this is they lack the necessary budget.
However, our experience shows that having a lot of money to spend on business continuity is neither a necessary nor a sufficient condition for achieving a good program.
Here are the key criteria for building a quality BC program:
- Management Support. The company’s leadership needs to offer strong, consistent, business-driven support for the BC program. This is the key criteria for having a successful program.
- Management Direction. Management needs to provide the BC team with the right direction at the right time. This direction needs to be consistent with short- and long-term needs of the organization.
- Steady Progress. Building a good program depends more on a steady, patient commitment over time than on brief flashes of heroic effort. This is one area where turtles definitely tend to win out over hares. The ideal path is to make consistent progress that leads to a higher level of sophistication and maturity over time.
- Sufficient Budget. Last and quite possibly least comes having ample funds to work with. Yes, you must have sufficient financial resources to implement a program. But we have seen organizations with large BCM budgets that cannot recover their business and others with small budgets whose BC programs are “best in class.”
NOTES FROM THE FIELD
In helping organizations of all types prepare for and cope with disasters over the past 19 years, here are some of the key things we’ve noticed:
- Many if not most organizations lack viable recovery plans and strategies to recover the business and its technology in a timely manner to meet customer and stakeholder needs.
- Management tends to be poorly prepared to serve as the crisis management team (CMT). The top leadership of most organizations is not well-positioned to lead the company back to normal business operations after a crisis. In most cases, management lacks sufficient training and have not participated in the exercises that would enable them to perform this role.
- Technology without electrical power is useless.
- Many companies declare to their key customers that they have continuity plans and strategies for key processes and systems even when this is not the case. When an emergency comes, they have to make up their response as they go along.
- When it rains, it pours. It frequently happens that, as a company is recovering from a crisis, other events occur which have nothing to do with the initial disruption, but which nonetheless impede the recovery.
- Many if not most companies lack systems and processes, whether manual or automated, to notify employees, contractors, and other key stakeholders about the event and keep them informed about the recovery effort.
- Many employees are ill-prepared to deal with a disaster at home. If employees and their families aren’t safe, those employees will not be showing up at work.
- Most employers lack guidelines on how to deal with paying employees during an extended outage. Few organizations have determined how long they will continue paying employees in the event the business is disrupted for a prolonged period.
- Most organizations have not addressed the fragility of the supply chain for food, fuel, and other critical commodities, and the impact of their absence on their employees and the company.
- Most companies are not educated on the need to move critical business and technology operations out of the region to minimize the impact of a regional event.
- Even the best-prepared companies tend to struggle when it comes to recovering their business and technology operations.
THE GOOD NEWS
The good news is, even as we find over and over again that organizations are not prepared, we also encounter story after story of smart, dedicated, and courageous employees going above and beyond the call of duty during emergencies of all kinds in order to meet the needs of their clients, colleagues, and companies.
There is so much talent and ability out there in our workforce and especially on our BCM teams. All we need to do is guide and channel it a little better!
TAKEAWAYS
- In my opinion, continuity planning should be mandated for all organizations, not just those in highly regulated industries such as finance.
- The healthcare industry definitely needs to get its act together when it comes to business continuity planning.
- The recovery plans and strategies for critical industries must be thoroughly vetted and validated.
- If you rely on a critical vendor or supplier to keep your company running, you need to validate that their BCM program can deliver as stated.
- We all must be better prepared to deal with an event at home and to take care of our families for an extended period of time without help from outside agencies. The time to get better prepared is now.