Disaster-Resource.com

The Next Wave in Business Continuity Management

By Rob Giffin

Do you have a business continuity program that includes a BIA, up-to-date plan documentation, annual exercises and maybe even a few training events?


If you answered yes, your organization is among the majority. Most likely, your auditors and regulators are satisfied with the progress your team has made. However, you may be wondering if you’re doing all you can to ensure the program will be effective when needed, while maximizing a finite risk management budget. The Avalution team met recently and discussed emerging best practices transforming the business continuity (BC) and disaster recovery (DR) industry.  The results below are the primary emerging trends we see companies adopting as they mature their BC capability.


1. Consider BC When Designing Facilities (and Before Reorganizations)

As business continuity professionals, we appreciate that business change can lead to significant BC and DR strategy change. We’ve all learned – in the eleventh hour – of a newly constructed facility housing a critical element of the business, a consolidation of facilities into a single campus environment or a reorganization introducing unimagined efficiency (and unimagined single points of failure).

Some organizations have highly structured business and IT change management processes. A growing number of these companies include business continuity professionals as members of change committees. What value does this offer? The business continuity professional:

  • Often points out the availability implications of business strategy options (which are often overlooked in favor of cost savings);
  • May assist in quantifying or describing risk; and
  • Identifies risk mitigation strategy options.


2. Cooperate and Collaborate with Critical Supply Chain Partners

It’s one thing to identify critical suppliers and then send them surveys regarding their business continuity programs. It’s a huge leap in maturity to consult with your suppliers’ business continuity teams to share best practices, recovery objectives, strategy information, expectations and mutual aid options. That’s what a few select organizations are doing, driven by the extreme criticality of their relationships with these third parties. Recurring meetings (some face-to-face) are leading to decreased availability risk and far greater levels of business continuity program maturity for both organizations.


3. Think About Business Continuity When Acquiring Companies

Some organizations are good at acquiring other companies; others aren’t. Those that are good have defined, repeatable processes to evaluate key elements of the target business in order to assess value, stability and longevity. Some acquiring business managers review and identify target company risk management practices (including business continuity management program characteristics), key organizational risks and single points of failure. Due to the resource investment required to mitigate availability risk, the value of a defined, proactive business continuity program is not lost on the acquiring company. A big part of the business continuity program review is the strength and experience of the internal business continuity team.

4. Coordinate Your Risk Management Programs

Where do the boundaries of emergency response begin and end? For example, is there overlap between risk management’s insurance efforts, facilities management and business continuity? What about business continuity and enterprise risk management?

All organizations have a finite risk management budget, and executives are demanding closer coordination amongst risk management disciplines in order to conserve resources and increase effectiveness.


5. Performing Internal QA

It’s true that real world events are the best measure of readiness, followed by exercises and simulations. However, a number of organizations have developed a continuous process to assist with their measurement of program readiness by forming Quality Assurance teams. These experienced business continuity professionals develop measurement standards, interact with planners and plan owners, review processes and documentation and participate in exercises. Most importantly, they develop quantitative measures designed to gauge business continuity readiness, and communicate results to executive management.

Quality Assurance can be a cumbersome, time-consuming process; therefore, leveraging planning tools and relying on data management strategies are keys to success. The automated gathering of business continuity program information is important to allow Quality Assurance personnel to focus on their most important task – coaching planners to improve their plans and strategies.


6. Integrate Continuity Planning Into Change Management

Change is constant. Reacting to change – as opposed to being proactive with change – can result in business continuity strategies that are more expensive than necessary because recoverability is designed and implemented after the fact. Additionally, there will be recoverability gaps with a reactive approach to change since new processes and technologies are introduced into the business while viable recovery strategies catch up weeks later.

Work with your organization’s Project Management Office (PMO) and other change managers to play an advisory role in meeting the organization’s business continuity standards before projects “go live”. There is a time investment for the business continuity team, but this investment is much less when compared to working on plans and strategies after the project is operational.


7. Shrinking Budgets - Shrinking Recovery Objectives

Shrinking budgets and shrinking recovery objectives are not mutually exclusive; they are happening to many organizations simultaneously. Below are ideas that address one or both of these challenges.

  • Create program activity awareness: Business continuity management is often misunderstood by executive managers. Because it is viewed as a technology, a project or, even worse, a plan on a shelf, business continuity managers need to focus on obtaining buy-in for their team’s annual objectives. They should seek approval for a policy document outlining the organization’s business continuity lifecycle and detailing key activities and the roles and responsibilities necessary to effectively execute these activities. With tight budgets, the business may have to assume a number of key business continuity related tasks, which should be clearly communicated and understood by all responsible groups.
  • Communicate the value: Decreasing budgets are often a symptom of poor internal communications and “internal sales”. The answer to a shrinking budget should focus on communicating the level of protection afforded by the continuity group. A common metric for showing an increase in protection levels is a comparison of overall annualized loss expectancy (ALE) figures.

ALE is easy to calculate for your organization using the following formula:

ALE = single loss expectancy (SLE, the amount of money that would be lost for a single failure) multiplied by the annualized rate of occurrence (ARO; for example, once every 25 years equals an ARO of 1/25).

This level of analysis will quantify continuity planning’s contribution to risk reduction in a way executive management can support.

  • Utilize risk management to prioritize functions: Partnering with other risk management entities to prioritize business functions will help validate lower recovery objectives. In addition, a quantitative risk factor scoring common to all risk management groups will result in an efficient and less subjective list of priorities.

Conclusions

Continuity programs continue to mature, but expectations are rising as well. The past ten years have seen rapid change, from technology-centric disaster recovery programs to today’s enterprise-wide business continuity management efforts. More change should be expected. Can you say your program is characterized as:

  • Structured?
  • Efficient?
  • Flexible?
  • Visible?
  • Collaborative?
  • Creative?

If so, it’s highly likely your executive management team will find great value, comfort and confidence in your ability to deliver continuity and availability now and into the future.

Taken one step further, let’s revisit the original list of key business continuity program elements and add some key characteristics found in organizations that are considered mature, efficient and effective.

Key Elements of a Business Continuity Program

Taken One Step Further – “Mature” Business Continuity Execution

A Business Continuity Policy

A business continuity policy statement is signed by an executive sponsor.  Business and technology managers are held accountable for compliance through periodic internal audit reviews and annual performance objectives.

An Up-to-Date BIA

A review process is in place and information updates occur annually.  Recovery time objectives (RTOs) are defined, as is the capacity of the business function at the RTO.

A Comprehensive Risk Assessment

Linked to ERM initiatives, the risk assessment assists in framing the selection of recovery strategies, and helps identify business and technology practices that could lead to an increased risk of downtime.

Defined Alternate Locations

Each business function and IT asset with an RTO has an assigned recovery location.  Additionally, the organization has “deconflicted” these recovery location selections to ensure multiple business functions from the same location aren’t relying on the same alternate facility.

A Crisis Management Team

Executive managers are named to lead the response effort.  They maintain a copy of the crisis management plan and participate in training and testing.

A Crisis Communications Plan

Internal and third-party methods of communication are addressed and redundant capabilities are identified.  Management is trained in media handling and pre-written, situation-specific scripts are accessible.

Business Recovery Plans

Business recovery strategies are documented and alternate operating facilities are noted.  Business managers are involved in the development and maintenance of planning documentation, and they understand their roles and responsibilities during a crisis.

IT Disaster Recovery Plans

IT disaster recovery procedures are documented using enough detail that a general technologist could execute the plan.  Recovery objectives are based on an enterprise-wide BIA, unrealistic recovery strategy assumptions are minimized and business and technology dependencies are noted.

Some Resilient Business Functions and Technologies

Recovery implies downtime.  Some business functions and technologies can afford downtime.  Consider influencing the inherent design of business and technology processes so they remain resilient – but only when completely warranted.

Tested Plans

Testing is the best way to measure readiness.  Avoid artificialities and test key elements of the business continuity process, to include crisis management, crisis communications, business recovery and IT disaster recovery.  Don’t create a pass/fail environment, but instead, establish a learning environment.  Use scenario-based testing influenced by the results of the risk assessment.

Business Continuity “Aware” Employees

An annual training and awareness plan is documented and approved.  The business continuity team receives adequate training, but so do response and recovery team members and employees in general.  Awareness programs are available “on-demand” for employees.  As applicable, awareness spans across multiple risk management disciplines and may address evacuations, emergency response and physical security practices.  Awareness is measured and reported.

Certified Business Continuity Planners

Certification is certainly not required, but it adds credibility to internally generated recommendations.

Satisfied Auditors and Regulators

Business continuity quality assurance practices are used to self-assess practices.  Internal audit is an active participant in the planning process – as an advisor.

About the Expert

Rob Giffin is a Managing Consultant with Avalution Consulting LLC (www.avalution.com). Rob has five years of business continuity (BC) experience, and he specializes in the development and implementation of BC solutions worldwide. For more information, contact the author via email at robert.giffin@avalution.com or by phone at (800) 941-0381.