I had an interesting week last week: Along with two other MHA consultants, I spent two and a half days performing a current state assessment of the business continuity situation at a large complex of hospitals on the West Coast.
We conducted 15 to 16 interviews with the key people at a wide range of departments to get a handle on where their BC program stands on everything from program administration to IT Disaster Recovery to fire and life safety.
It was an interesting challenge. In doing an assessment like that, your goal is to arrive quickly at an accurate understanding of the program’s strengths and weaknesses in the different areas. You have to work collaboratively with experts in many departments, gathering material that you will eventually structure into a report which includes, critically, a list of the steps the organization can take to help them improve their BC program and better carry out their core mission. This list is known as the roadmap.
As I said, the client we worked with last week was a hospital, but the current state assessment is a critical tool for every type of organization and BCM program.
It’s a systematic method of understanding where are you are so you can see what you have to do to end up where you would like to be.
Typically in a current state assessment of a business continuity program, we look at the following areas:
- Program Administration
- Crisis Management
- Business Recovery
- IT Disaster Recovery
- Supply Chain Risk Management
- Fire and Life Safety
- Third Party Management
In today’s post, I‘m going to set forth the times when an organization can most benefit from performing a current state assessment and share some suggestions on how to conduct one successfully.
When Should You Conduct a Current State Assessment?
The times when organizations benefit most from conducting a current state assessment are when they are getting ready for something, when they wish to learn from something that recently happened, and when they want to evaluate the progress of an initiative which has been underway for some time.
Below are some examples of times when organizations would especially benefit from conducting a state assessment:
- To prepare for an audit or customer review.
- After they’ve been audited, whether internally or externally.
- When they’re just in the beginning stages of doing business continuity and would like a roadmap showing what they should do to advance their program.
- If they’ve had a program running for a period of time and want to know how things are going.
- Generally speaking, organizations with new BCM programs should do a current state assessment at least twice a year. Organizations with mature programs should conduct one at least once a year.
How Do You Conduct a Current State Assessment?
There’s more than one way to skin a cat, and I imagine there is more than one way to conduct a current state assessment. This is how we do it at MHA:
- Assemble a team of knowledgeable people to conduct the assessment. Conducting a current state assessment takes expertise. The person quizzing the IT department needs to know IT. The person asking about crisis management needs to know about crisis management. If you don’t have the expertise in-house, consider bringing in an outside consultant.
- Determine the right business units to meet with and evaluate.
- Determine the right people to talk to. Usually, you’ll want the department head and one or two subject matter experts.
- Send out a diplomatic introductory communication through your sponsor. Indicate the kind of information you’ll be seeking and the types of questions you’ll be asking. (For tips on handling this aspect of the job, see our recent post “The Secret to a Successful BIA Interview: Get Their Information Ahead of Time.”)
- Ask to be provided key documents in advance. But don’t be upset if you don’t receive them. Often people will provide them to you after you meet, and they get a chance to see what you’re all about.
- Do a level set. This is so important. Let the people understand that this isn’t about criticizing or assessing them. It’s about learning the current set-up so you can all work together to improve things. If the people feel like they’re on the hot seat, they’ll clam up.
- Set up your interviews. Find a place that’s convenient for them. Most meetings should be an hour to ninety minutes. Complex topics such as IT might take two hours.
- Determine what standard(s) you’re going to use. For more information on standards, see this recent post. If not a standard, then maybe you’ll be using an audit checklist or a best practices list. However, you really need some kind of yardstick in order for the assessment to be grounded and objective.
- The meetings should be open, conversational, and collegial. Have an agenda. Be efficient and purposeful. Respect the people’s time and expertise.
- Take good notes. You’re going to have that drinking-from-a-firehose experience, in terms of the amount of new information you’re going to receive. At the end of it all, you’ll need to separate the signal from the noise. These meetings are your one and done opportunity to get what you need. Pay attention and write things down.
- Remember what you’re looking for. You’re seeking to understand the strengths of the organization’s business continuity program as well as opportunities for improvement (things they currently aren’t doing as well as they might). You also want to identify any significant risks that need to be addressed immediately.
- Write your report and create your roadmap. This is where the rubber meets the road. Start with a 2-3 page executive summary highlighting your findings. This is the who, what, when, where. and why. State your approach and methodology, then summarize the program’s successes, gaps, and risks. Then plunge into the body of the report. Outline each BC program area from the list above (program administration, crisis management, etc.) detailing what you found. Charts, tables, and diagrams can help communicate your information efficiently. Then comes the roadmap, which is the crux of the whole exercise. Here you set forth what path you think they should take to strengthen their business continuity program over time. There should be a time frame: a year, 18 months, two years. This depends on how fast the organization wants to go. Include a list of tasks and deliverables, and deadlines for accomplishing them. Lastly, create the appendices, which contain supplemental information, such as who you talked to.
- Don’t let the perfect be the enemy of the good. I give this as my final tip because I see it happen it so often. There are areas where you do have to be 100 percent right and areas where 75 percent is probably good enough. This is something to discuss with the sponsor of the assessment. To make these judgments, ask yourself, What is the core mission of the organization? At the hospital complex, their core mission was achieving the best patient outcomes possible. All of our work flowed from that central mission.
What was it Bugs Bunny used to ask in the old cartoons? “What’s up, doc?” A current state assessment can tell you the answer.
It’s a systematic way of helping you understand where your BCM program is doing well and where it can be improved—and of obtaining a step-by-step plan for making it better.