Over the twenty years or so that I have been professionally engaged in the field of business continuity, I have noticed that most organizations fall into one of two categories when it comes to how they go about scheduling their BIAs.
One group schedules their BIAs following the same principles that most people use in making appointments to get their teeth cleaned: They schedule them months in advance, going by a rational timetable, which has been endorsed for sound reasons by well-informed people, and which is not in conflict with any other important obligations they might have.
This is, as you might know from experience, an efficient, low-drama method of making plans to efficiently take care of a chore which is not necessarily enjoyable, but which is clearly important to the long-term health of your organization.
The other group schedules their BIAs by using a much more haphazard, “catch-as-catch-can” method—a method similar, you might say, to that of a family scheduling their evacuation from their house once they discover that the garage has caught fire and the whole house is about to go up in flames.
I’ll give you three guesses regarding which approach to scheduling BIAs we see more often out in the field.
If you guessed Method B, you are correct. Most organizations, unfortunately, take a reactive, lurching, “whenever” attitude toward scheduling their BIAs.
However, it is my strong recommendation that you try to move your organization toward an approach closer to Method A: Plan ahead, set up a recurring schedule, make doing BIAs part of your company’s routine.
I’ll spell it out in a bit more detail.
The best approach for scheduling your BIAs is to follow these four steps:
- Analyze the details of your situation. Are you in a highly regulated field, such as finance, where many institutions are obliged to comply with strict regulatory standards such as FFIEC? Is your organization highly dynamic, frequently seeing acquisitions or similar changes? Are you in a fairly conservative sector, seeing comparatively little change from year to year? Analyze the unique factors which might have a bearing on how often you need to look at and update your business continuity plans.
- Decide how frequently you need to conduct BIAs. Organizations in highly regulated fields might need to conduct BIAs once every 1-2 years. Organizations in less regulated fields and those which tend to see little change from year to year are probably fine with conducting BIAs every 2-3 years. (A good example of the latter type is a utility in the Midwest which I’ve worked with for around 10 years. They don’t see a lot of change from year to year, and we do their BIAs every 3 years, which I think is fine for that type of organization.) Think about this, come up with a proposal, circulate it to your stakeholders to build consensus and obtain buy-in.
- Choose the best time of year for conducting your BIAs. Certain times of year might be better or worse for doing BIAs, depending on the cycle of the business. For example, it might make sense for a university to conduct BIAs in the summer when the students are away. As with Step 2, you’ll want to approach this decision collaboratively. Gather and incorporate your stakeholders’ feedback and obtain their agreement regarding what would be the best time of year.
- Settle into this schedule and timetable and follow it consistently over time. Whatever your organization decides, in terms of frequency and time of year, when you adopt that schedule, let people know what it is and stick with it over the long haul, unless compelling reasons arise that necessitate a change.
The goal is to make the conducting of BIAs, and the schedule on which you conduct them, part of the culture of your organization.
This approach brings with it numerous benefits.
- It makes it easier for you to prepare, send out, and receive back the completed pre-work. (For more on the kind of pre-work you should do for a BIA, see last week’s post, “The Secret to a Successful BIA Interview.”)
- It makes it easier for you to secure the resources and face-time you need to conduct the BIA.
- It ensures that if you are asked during an audit by a regulator when your next BIA is scheduled, you will have an answer.
- It will improve the attitudes of everyone involved by training them to see doing their BIA pre-work and interviews as a routine part of life at your organization.
It’s amazing how much more cooperative people are when you are not trying to shoehorn your way into their calendars on short notice but are instead following a familiar, recognized schedule.
To sum it up, doing BIA pre-work and interviews—just like going to the dentist—will never be most people’s definition of a good time. But if you can get your organization onto a rational, regular schedule for performing its BIAs, and follow this for an extended period of time, the process will become easier for everyone involved and the health of your organization’s business continuity plans will be that much better.