Back in the late 1980s, there was no business continuity (BC); there was only disaster recovery—the recovery of IT systems in the event of an emergency. That’s about the time I started working at a large bank, first in computer systems and programming, then in information security, and finally in disaster recovery. It wasn’t until the early 1990s that people started to actually care about recovering their businesses as well as their computer systems—because without people to run those systems, the rest just didn’t matter.
Since then from the unprecedented 9/11 attacks to global cybercrime to massive natural disasters, the field has advanced dramatically. You have probably already discovered that business continuity management is part science and part art and are developing your own methods for getting things done. And certainly, there’s no single business continuity management system that works for everyone. But whenever someone asks me for business continuity advice, I always focus on a few core tenets that I think do apply across the board.
Business Continuity Management: My Best Advice
Know your individual strengths and weaknesses.
Learn who you are as a person. What are you good at? Not good at? I’ve found that business continuity management comes easier if you’re a stickler for details, have good social skills, and enjoy public speaking. I consider myself an outgoing person and count things like relationship-building and public speaking among my strengths, all of which come in handy every day on the job.
If you work alone, assessing your strengths and weaknesses becomes even more important; you can’t be good at everything. Come up with a personal improvement plan to help bridge any gaps, like getting additional training. Or, ask for help. I’ve had people hire me to help with their program because they recognize their shortcomings—they know they won’t excel at facilitating BIA interviews or giving presentations to management—but they don’t want that to get in the way of a strong business continuity program. The same goes for working with team members. Be honest and know how you fit in. When everyone’s playing to their strengths, the program will benefit.
Be proactive about getting management support.
No business continuity program will succeed without management support, but getting it usually requires some finesse. My experience has taught me the following:
- Look the part. Present a credible picture. Dress 25% better than everyone else.
- Talk the part. Be knowledgeable; be helpful. (Giving the executive team insightful data about the program that relates to current business decisions is a good way to be helpful.) Over time, you’ll develop a reputation as someone who knows what they’re talking about.
- Find a champion. Find that one person who will help guide and direct your program, eliminate roadblocks, and get you resources. Champions tend to be people who have either experienced a disruption before (either at your company or somewhere else) or run a critical part of the company and want to protect it.
- Build relationships with the executive team. Start by drawing in people who have the same interests as you; I always seek out anyone who plays golf or runs marathons. You can also look at LinkedIn profiles for other interesting information you can work with.
- Communicate with the executive team on a regular basis. I’ve been using this tactic ever since I worked at the bank, when my former boss directed me to write something for the executive committee once a month. It helped keep me and the BC program top-of-mind for them—and I was always surprised how often someone would recall something I wrote!
- Believe you belong. Some business continuity managers don’t feel as if they belong in the senior management group; that’s a crippling attitude right from the start. You are, in fact, a valuable part of the executive team—and if you don’t believe it at first, then fake it until you do. (I learned that from my dad!)
Consistency delivers a strong message and fosters accountability every day on the job, so be consistent in the methodology you use and the ways in which you provide services to your stakeholders. Use templates for your business impact analyses, recovery plans, and threat and risk assessments. Be consistent in the way you approach and perform these services. Deliver the results the same way every time. Whatever methods you choose to commit to, make sure they match the needs and the spirit of your company.
Learn to measure and manage your program.
At MHA, we recently hosted a Twitter chat on business continuity standards and were surprised to discover that most BC managers don’t measure their program at all. Here’s the reality: If you can’t measure it, you can’t manage it. So, if you’re serious about the work you do, learn how to do this and do it regularly. Business continuity best practices dictate that you do a regular “pulse check” using the following two metrics:
- How well the program is aligned with the standards.
- The program’s level of residual risk.
The results will give you everything you need to know to be able to talk about your program more knowledgeably; they’re also the best guideposts you’ll ever get on how to improve.
Create a road map for your program.
Too many corporations are spending too much money on BC programs blindly. Without understanding your program’s strengths and weaknesses, you have no way of knowing where to focus your efforts. The best BC practitioners use what they learn from measuring the state of their program to create a road map for the next 18-24 months.
Focus your time and effort appropriately.
Don’t waste energy or resources on protecting parts of your business that aren’t critical or that are already well-fortified. (If you’re measuring your program and creating a road map, you’ll get this one right naturally.) Identify the areas of your company that have high levels of risk and high exposure, and focus on fixing those areas; forget about areas of low criticality. If you can do that, you can rest assured you’re protecting what’s most critical to your company, giving it the best chance for survival in the event of a disruption.
Spend the majority of your time developing strategies and practicing them.
As a golfer, I’ve always been told to spend most of my time practicing the things that will give me the highest return—like getting the ball in the hole (putting), for one. My advice for business continuity management is the same. The things that will give you the highest return in BC are strong recovery strategies and high-level practice exercises, so spend 60% of your time in these areas. There isn’t a continuity program in existence that will succeed with the wrong recovery strategies in place, even if everything else has been done to perfection. And even solid recovery strategies will fall short without regular and rigorous practice exercises designed to find flaws, make course corrections, and keep everyone involved at the top of their game.
Will your business recovery plans work when you need them? Here’s everything you need to know about how to create and implement a business recovery plan successfully.
Maximize your return on investment.
People, resources, time, and money—all of these may have been heavily invested in your program. Make sure you maximize that investment (and tell management you’ve done it!) by achieving two things:
- A high level of compliance with standards.
- The lowest possible residual risk.
Both indicate a high rate of return and high potential for recoverability. In my experience, too many managers shy away from evaluating these important aspects simply because they’re afraid to face the results. While your program may not be up to par now, a current state assessment is a first step in the right direction.
Tools For A Top-Notch Business Continuity Management Program
If you’re searching for the right tools to help you develop a strong business continuity program, BCMMetrics™ can help. Designed for self-assessment and easy accessibility online, our suite of business continuity tools was created to help you identify and assess critical processes, compliance, and risk in your business continuity management program.
- BIA On-Demand (BIAOD) walks you through a full evaluation of your business processes and automatically calculates the level of criticality of each unit you’ve chosen to assess.
- Compliance Confidence (C2) makes it simple to determine your program’s level of compliance, providing a “FICO-like” score as well as notes on areas of success and opportunities for improvement.
- Residual Risk (R2) scores the level of risk in your program, taking into account the mitigating controls that are key to reducing risk.
All of our tools also make it simple to store and organize results and include a variety of management reporting features for sharing.
If you’re new to business continuity management, there’s no better—or easier—way to get started building a world-class continuity program. Interested in seeing the BCMMetrics™ business continuity tools in action? Schedule a free demo today.