The coronavirus outbreak has prompted many people to begin thinking about business continuity management for the first time, creating a strong demand for basic information about BCM.
In response, today’s post will lay out what I think of as the critical path of business continuity management: the nine areas that a BC program must have under control in order to make an organization resilient and recoverable. This business continuity management guide is meant to give struggling businesses a path to resilience. These nine areas represent a mini BCM guide.
Much has been written about the most important aspects of business continuity management (BCM). I have written three ebooks myself (10 Keys to a Peak-Performing BCM Program, Your BIA Action Guide: A Handbook for BCM Professionals, and Crisis Management: A Handbook for BCM Professionals; all are available at no charge).
In today’s post, I want to provide the opposite of a book: namely a short and sweet summation of the main areas you need to have under control if you want to make sure your organization can show resilience in the face of any type of disruption.
These are the things it’s most important to wrap your head around if you’re just getting started.
If you can successfully come to grips with these nine areas, you’ll be on your way to protecting your organization and its shareholders against every type of disaster, whether it’s a pandemic, a cyberattack, a weather-related event, an incident of workplace violence, or any other type of event.
Think of this post as your BCM newcomer cheat sheet.
Below are the nine areas that make up the critical path. with links to posts on the BCMMETRICS and MHA Consulting websites where the area is discussed in greater detail.)
You need a small, efficient, and effective team to guide the program. The ideal is a group of three to five senior level people who can eliminate roadblocks, get money, and make decisions. The group should meet regularly, attacking problems and finding solutions.
What you don’t want: A bloated group full of people who never resolve anything and can’t make decisions or move your program forward.
Metrics make things objective, allowing for comparison and guiding investments. In BCM, you need a method to evaluate how aligned you are with your chosen BC standard (whether it’s NFPA 1600, ISO 22301, or whatever). You also need a way of measuring the amount of risk remaining in your system once you have some kind of plan in place.
What you don’t want: To waste time and resources collecting metrics that don’t mean anything, such as how many BIAs you’ve conducted. (For more on BIAs, see below.)
You need a sufficient budget to execute the critical items in your program. This doesn’t have to be a fortune. What matters is not how much money you have but what you do with it. Smart, lean programs make their BC dollars go far by working on the right areas, each and every year.
What you don’t want: A poorly managed program that spends a king’s ransom paying a lot of people to do very little.
The BIA is a (usually) department-level study that identifies which business processes would it hurt the company the most to lose for various periods of time. It evaluates them based on a combination of mission criticality and time sensitivity. The BIA helps you identify which processes you most need to protect. It provides a rational basis on which to allocate your BCM resources. Your BIAs should be based on your primary mission as an organization. Doing BIAs right requires tough, disciplined thinking.
What you don’t want: To make the mistake of trying to boil that ocean. Some people try to do too many BIAs and decide too many processes are mission critical. Another common mistake: Treating BIAs as gospel rather than as a guide and point in time reference.
The TRA is similar to the BIA, only its focus is on identifying the nasty things out there that constitute threats to the organization. It’s a way of identifying what negative events might happen. It evaluates those events based on how likely they are to occur and how damaging they would be. Good TRAs are relevant, thoughtful, and undertaken with a serious attitude. Good BCM teams then act on those TRAs by implementing measures to mitigate the most likely and impactful risks.
What you don’t want: Half-hearted TRAs that lack depth and data. Or TRAs that go nowhere or sit on a bookshelf.
These should be intelligent, executable, and built by the right subject matter experts. They should be checklist-heavy, focusing on the real steps to be taken and assuming a certain baseline of knowledge among the users. They should tell a story, leading from the event to the response to the return of normal operations. They should use a template that works for the organization and adhere to industry standards.
What you don’t want: Recovery plans that are stuffed full of policy statements and other extraneous information. Also, recovery plans that are too high level to do any good or too lost in the weeds to be executable.
These should be based solidly on your BIAs and properly budgeted and implemented. As an example, a recovery strategy for a critical call center might be, we’ll have 50 percent of the people working in the call center and 50 percent working from home; that will make our systems fully redundant.
What you don’t want: For people to decide on a recovery strategy and then not budget for it or implement it. Recovery plans are no good without a well thought out or implemented strategy. This is one of the biggest gaps we see in organizations’ BCM programs.
This is the second biggest gap we see. To make sure your strategies work, you need to conduct regular, realistic exercises to put them to the test. There is a range of different kinds of exercises in BCM, from tabletop exercises (talking through a scenario) to full-scale, multi-day, highly realistic drills. The best programs use all the different types in a coordinated way. Realistic, increasingly complex recovery exercises conducted over time are the only way of validating that your plans and strategies will work.
What you don’t want: To conduct no exercises at all or rely solely on tabletop exercises.
Being properly prepared across the three main subparts of BCM (protecting business processes, protecting IT, doing crisis management) is so challenging, there’s always something you can do better. Plus, your organization and the world are in a state of constant flux. That’s why I include continuous improvement in my list of areas making up the critical path of BCM. Good programs make a commitment toward continually getting better, by constantly scanning to identify their weak points and fixing them based on some rational assessment of their importance.
What you don’t want: To believe that your program is as good as it can be and maintain the status quo.
WALKING THE CRITICAL PATH
The current crisis with COVID-19 has led many people to begin researching what they can do to implement a BCM program at their organization or strengthen their existing one. In my judgment the critical path comes down to nine areas: governance and oversight, metrics, budget, BIAs, TRAs, plans, strategies, exercises, and continuous improvement. If your company can walk through those areas successfully, you’ll be on your way to ensuring your organization will be resilient and recoverable in the face of any type of incident that might arise.
For more information on getting started in business continuity and other hot topics in BC and IT/disaster recovery, check out these recent posts from BCMMETRICS and MHA Consulting:
- Start Here: The Business Continuity Management Guide for Beginners
- As Easy as 1-2-3: How to Launch a Business Continuity Program
- 1 Program, 6 Plans: The Half Dozen Plans Every BCM Program Should Have
- Do the Right Thing: Start a BCM Program
- Beginner’s Guide to Recovery Exercises
- Ready or Not, Here It Comes: 5 Steps to Protecting Your Company Against Coronavirus