Should You Do BCM Yourself? It Depends…

Does it make sense for organizations, as a cost-control measure, to do business continuity management (BCM) entirely on their own rather than engaging an outside consultant? For some companies, this is a reasonable thing to do, for others, it amounts to being pennywise and pound foolish.

Celebrating the Do-It-Yourself Mentality

I have a lot of respect for do-it-yourselfers. People who like to tackle big projects on their own tend to be bold, self-reliant, and proactive, qualities I admire.

In my own career as a do-it-yourselfer, I have noticed a definite change over time. When I was younger, I insisted on doing everything myself when it came to home maintenance and similar tasks. I had my successes, but on many occasions I bit off more than I could chew, costing myself time and money (not to mention frustration and embarrassment). Over the years, I came to understand what projects I could successfully take care of on my own, and which were worth my bringing in expert help from the outside.

Who Should and Who Shouldn’t Do BCM on Their Own

In my view, there are two kinds of situations where it might make sense for a company to do BCM on its own:

• When the company is relatively small (say under a hundred employees) and/or has relatively few business units (say 10 or fewer).
• When the company (whatever its size and complexity) has a mature BCM program that was set up with the guidance of a professional, to the point where all they are doing now is ongoing maintenance and continuous improvement.

For all other companies and situations, the company will really be better off, in my opinion, if it invests in outside help.

This is especially true in the case of medium and large organizations that are just getting started with their BCM programs.

The Importance of a Sound Foundation

The reason it’s important for mid-sized and large companies setting up new programs to get expert help is simple. The activities that you do at the beginning of setting up a BCM program, such as conducting Business Impact Analyses to identify your critical business processes, are the foundation of everything that follows, including your plans, strategies, and future IT investments.

If you get the foundation wrong, then everything that is built on it will also be wrong.

It’s the same as with a house: if the foundation of your BCM program is lopsided, made of weak materials, and improperly rooted in the ground, the structure you build on top of it is likely to crack, shift, and fail to provide adequate shelter, especially if and when bad weather comes.

Common Mistakes Made By Nonprofessionals

What are some of the common mistakes nonprofessionals make when they try setting up a BCM program for a large or complex organization on their own? Here are some I have seen:

• Obtaining and basing the program on inaccurate information. (Knowing how to obtain quality, relevant BCM information and validate the information takes skill.)
• Leaving out key business units.
• Not understanding what business processes are critical to keep the company operational.
• Not understanding which business processes are most time-sensitive.
• Not understanding which processes should be recovered in what order to minimize the impact of an outage on the company.
• Not understanding critical dependencies among the various business processes.
• Not building the right recovery plans.
• Not creating the right recovery strategies.
• Not protecting the right computer systems needed to keep critical business processes operational.

The High Cost of Foundational Mistakes

What are the ways these mistakes can hurt the company down the line? Here are a few:

• If there’s an outage, key processes or computer systems might be restored too late or not at all, delaying the company’s return to normal operations and preventing it from carrying out its mission, whether that’s making widgets, serving customers, or taking care of patients.
• If the company’s BCM program is audited, it might fail the audit.
• The company might waste money paying for protection it doesn’t need. BCM isn’t about being able to recover everything immediately, it’s about protecting the right things within the right timeframe. The goal with BCM protection is to hit the sweet spot, having neither too much nor too little. (Goldilocks would have been a great BCM consultant.)
• If there’s an event, the organization might simply be unable to recover some or all of its data, computer systems, or business processes.

The Cost of Hiring a BCM Consultant

The reason most organizations give for wanting to handle BCM completely in-house is to save money. Many organizations see BCM as overhead (though in many respects it provides significant return on investment). Some organizations balk at the perceived high cost of BCM consulting services. As a businessperson myself, I understand these concerns.

There is a good reason the services of experienced and highly skilled business continuity consultants can be expensive when looked at on an hourly basis. Speaking for myself and our consultants, we did not read a few articles on the internet then hang out a shingle. I was in charge of business continuity for the Southwest region at Bank of America, have been in business on my own over twenty years, am credentialed as a CBCP, created a leading suite of BCM software products, and have consulted with companies across all industries of all sizes, including many Fortune 500 companies (here’s a list of some of our clients). The consultants who work for me have similar experience. Such experience lets us grasp a client’s situation quickly and accurately; it promotes sound results and efficient operation. Engaging a person with such expertise to come work for your company, you could say, is penny-foolish but poundwise.

A few other points about the expense of hiring a BCM consultant:

• At MHA, we are happy to work with clients either a little or a lot, depending on their situation and preferences. Want someone to handle everything about setting up your BC program from soup to nuts? We do that all the time. Want to buy a bucket of 40 hours so you have someone you can call up when you have a question? Let’s set it up; we’re glad to help.
• In business continuity, getting a program started can be pricey. Keeping one going usually isn’t. The big expenses come in the first 18 to 24 months. After that, your costs will likely be modest to negligible—and your company will remain protected indefinitely, as long as you maintain and update your program in response to changing conditions.
• Lastly, BCM consultants—at least the ones at my firm—are not hoarders of their knowledge. They’re teachers. They believe in transferring their knowledge to the people they’re working for. The whole idea of BCM consulting as MHA practices it is, we help you get your program started, but your own people are the ones who run it—and who execute the recovery plans if and when you have an outage. We don’t just give you a fish; we teach you to fish.

BCM Consulting and COVID-19

The last thing I want to say about BCM consulting at this point in time is, many organizations are interested in getting an after-action report that looks at how they did in responding to the COVID-19 pandemic, and which provides prioritized suggestions on making improvements for the future. We’re currently doing such engagements with a couple of clients. We would be glad to talk with you about performing such a review for your organization.

The Value of Expertise

Conducting business continuity management entirely in-house can seem like an excellent way to save. This may be the case for smaller organizations and companies that have reached the phase of maintaining a mature program. For other organizations, going it alone brings with it a considerable risk of making many different kinds of mistakes, some costly. It’s especially important to get the foundation right. There is value in expertise. Experienced BCM consultants bring valuable insight and experience to the challenging and high-stakes activity of protecting companies from disaster. During the current pandemic, many organizations might find it valuable to bring in a consultant to help them assess how they did in managing the earlier phases of the pandemic—and in obtaining guidance for the future.