Many organizations think that effective business continuity planning is synonymous with great plan documentation.
Yes, plan documentation is extremely important. BUT… many organizations fail to recognize that effective business continuity plans – and truly prepared and resilient organizations – are the result of a larger business continuity planning lifecycle that begins with requirements setting and ends with practice (and of course, the process recycles on a continuous basis).
Bottom line – plans are just one key ingredient in the development of an effective business continuity program.
Understanding Your Organization
Before an organization can document plans or determine strategies, it’s important to understand and evaluate the organization. This means having an understanding of the core products or services offered to customers (and their use of the products and services), as well as an understanding of internal and external stakeholder requirements.
Why is this the first step? Understanding priorities and stakeholder requirements provides a clear direction and an appropriate scope for the planning efforts to ensure business continuity planning processes and strategies meet stakeholder expectations.
After developing a complete picture of what business continuity planning should mean for your organization, the next step is to set up the governance structure to drive the planning process and long-term continual improvements efforts.
Like identifying the scope, implementing a governance structure allows for clarity in planning expectations and ensures business continuity planning activities are executed in alignment with the organization’s goals and strategic direction. In addition, by documenting a Policy and Standard Operating Procedures, and chartering a steering committee made up of senior leadership, the organization enables the planning process to perform in an efficient, repeatable manner.
After establishing an understanding of the organization’s business continuity priorities and a governance structure to ensure a repeatable planning process, the next step in the business continuity lifecycle is to determine business continuity requirements through a business impact analysis (BIA) and risk assessment. The goal of the business impact analysis is to identify the activities and resources (technology, equipment, suppliers, facilities, etc.) that support the development and delivery of key products and services, and the estimated impact of downtime should any of the resources become unavailable. The outcome of the BIA is discovering business continuity requirements, including downtime tolerance, resource needs, and recovery performance criteria.
In addition to a BIA, it’s also important to perform a risk assessment to understand the likelihood of and impact associated with a business disruption caused by a loss of critical resources. This risk assessment enables the identification and analysis of business risks that may affect the organization’s ability to deliver core products and services, with a focus on identifying controls and strategies to decrease the likelihood or limit the impact of a disruption affecting products and services.
Once the organization has determined its business continuity requirements (including risk mitigation opportunities), it can then identify, evaluate, and implement risk mitigation, response, and recovery strategies to reduce the likelihood of disruption, or, if a disruption does occur, ensure an efficient and effective response and recovery effort that limits impact and aligns within stakeholder expectations.
Once again, to develop effective plans, the organization must first understand business continuity requirements and select appropriate strategies.
As you can see, there are critical steps that need to be completed before you dive into developing and documenting business continuity plans. These steps not only identify the resources and strategies that the plans should address, but also ensure that any created plans allow for the recovery of business activities or resources within stakeholder expectations.
After identifying, evaluating, and implementing risk mitigation, response and recovery strategies, the organization can begin documenting plans that describe how the organization will recover and operate in a contingent mode until returning to normal. Documented plans ensure repeatability and support decision making during a disruptive event. Best practices suggest documenting plans that address resource-loss scenarios (rather than specific threats or events), including procedures that address the loss of a facility, loss of people, loss of technology, or loss of suppliers/vendors. By documenting plans based on resource loss, management can rest-assured that response and recovery participants know what to do, no matter what “threat” actually causes the disruption.
Awareness, Training, and Exercising
The temptation organizations often face is to stop the preparedness effort after documenting plans. However, plans are only as effective as the people who use them. Because of this, it’s important to develop and implement a training and awareness program that introduces business continuity process and strategies to all of the appropriate people throughout the organization so they can properly prepare and develop response and recovery competencies.
In addition, performing business continuity exercises provides hands-on, experiential training and ensures response and recovery participants are aware of the business continuity plans and strategies and comfortable with their assigned roles and responsibilities. By performing exercises, response and recovery participants will begin to develop “muscle memory” with their plans allowing for smoother response and recovery execution during a real disruption when the stakes are high.
Bottom-line, exercises not only provide valuable training to those responsible for response and recovery, but also are essential to validate business continuity strategies in light of requirements and highlight any areas for improvement to ensure the organization can recover within recovery objectives.
Finally, one of the most important parts of creating business continuity plans is making sure the organization doesn’t “set it and forget it”. As an organization changes, so do the risks and business requirements.
Key components of a management system, designed to drive continual improvement, include program-level management reviews. Management reviews help ensure that strategies, plans, and the planning processes continue to meet stakeholder expectations and address all necessary risks and obligations. As these management reviews identify corrective actions needed to close gaps, it is also critical to assign owners to these actions and track completion. Without tracking or assigning owners to the corrective actions identified, management reviews will not provide value or enable program growth.
Further, it’s important to track program performance through the development of metrics. Metrics measure success based on priorities, requirements, and performance, and help highlight opportunities for improvement.
Effective business continuity planning is much, much more than just creating plans. As discussed throughout this article, it’s extremely important to perform each stage of the business continuity lifecycle – often leveraging management system processes and tools – to ensure plans support the response to a disruptive event and recovery of the organization’s critical products and services within business and stakeholder expectations.
About the Author
TJ Heginbotham is a consultant at Avalution Consulting, providing Business Continuity Management and IT Disaster Recovery solutions for organizations across a variety of industries. He can be reached at firstname.lastname@example.org