Business Continuity Planning (BCP) should be one of the top priorities for organization leaders. BCP is one of the components of the Business Continuity Management (BCM) Program which should, in theory, be implemented in organizations of all sizes.
Organizations have to develop response plans to deal with events related to natural disasters such as hurricanes, earthquakes or freezing rain, as well as any technological disruptions such as loss of data centers, data or privacy breaches and IT security-related incidents.
The truth is that many organizations are not properly prepared. The implementation of a BCM Program could be a rather complex and lengthy process, which largely depends on the organization’s size. It requires collaboration across the entire organization and participation of all business units and departments. It requires time investment from stakeholders (including executive management time), staff training and continuous maintenance and testing. It requires a budget and long-term commitment (hence why it is a Program). As such, it should not be taken lightly.
What some organizations fail to realize is what the Business Continuity is not. Business Continuity is not a data backup (as outlined in this article). There is a common misconception at many small and mid-size organizations about what the business continuity planning process entails. Many of them struggle once they realize the potential investment of stakeholder time, money and ongoing requirements to maintain such a vital and important program. As a result, some of the biggest BCM Program implementation challenges are lack of executive support and lack of organizational engagement.
The industry governance
Currently, there are a few organizations which govern the overall Business Continuity industry. The Disaster Recovery Institute International (DRII) and the Business Continuity Institute (BCI) are the two major ones responsible for defining and developing business continuity practices as well as certifying professionals. DRII is more prevalent in North America, while BCI is more dominant in other parts of the world. In addition, there are other standards such as the International Organization for Standardization's ISO 22301:2012 Societal Security – Business Continuity Management Systems or the National Institute of Standards and Technology's NIST SP 800-34, amongst a few others.
In Canada, the public sector is governed by the Treasury Board Security Management directive, which outlines BCM practices in federal government agencies and departments. Additionally, the provinces and territories have their own regulations which govern some parts of Business Continuity as well (e.g. emergency management). Certain industries (e.g. financial services) have their own rules, which could differ from the above-mentioned standards.
What exactly is Business Continuity Management?
As outlined in the ISO 22301:2012 standard, BCM is defined as a “holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.”
This statement is quite a mouthful, but it boils down to the identification of organizational threats, managing their impacts and building response strategies to protect key resources.
The BCM program contains three distinct implementation phases, and their activities are outlined in the table below.
There are many different activities and practices required to implement a successful and effective BCM program in your organization. The important point a business needs to understand is that the program implementation and its maturity will require some time and effort across the organization.
How to implement a BCM Program in your organization? Where do you start?
Traditionally, organizations start with the development of BCM Program policy and execution of a risk assessment and a business impact analysis (BIA). These are the key program components which will drive the rest of the BCM Program implementation.
These activities, if executed effectively across the organization, will map the following information:
- Organizational risks, threats and their impacts;
- Business functions and process criticality;
- Key function/process resources and dependencies;
- Applications and software required to support business processes;
- Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO);
- Vital records required to restore critical functions/processes (electronic and paper records); and
- Vendor dependencies and alternate workplace requirements.
The information collected above is analyzed and used to determine business function and process criticality, to develop business continuity recovery strategies (such as alternate workplace requirements, redundant data centers, splitting functional teams across work sites, etc.) and to write the business continuity plans.
While implementing a BCM Program, and as a side benefit, an organization will learn a bit about their business as well. Many organizations uncover business areas and processes which will require improvements to ensure long-term effectiveness of their business operations.
BCM practitioners see a few recurring organizational problems while implementing BCM Programs. At a high level, they can be categorized into two buckets:
- Business challenges
  - Lack of documented organizational charts and business function/process maps
  - The business procures many cloud-based services (Software as a Service – SaaS), but rarely understands the vendor Service Level Agreements (SLAs), service resiliency, or data residency/recovery capabilities
  - Lack of documented Standard Operating Procedures (SOPs) to execute business functions and processes
- IT organization challenges
  - Applications and software used across the organization are not documented
  - Shadow IT, a situation in which applications are installed without business and IT knowledge, which can cause organizational data leaks and data fragmentation
  - IT Disaster Recovery planning, and sometimes the IT organization as a whole, is disconnected from the rest of the business continuity planning activities
The list above gives just a few examples, but they summarize the challenges which most organizations have to address in order to successfully implement the BCM Program.
BCM Program Development Phase
Once the business requirements are defined and documented, the next phase addresses the development of Incident, Crisis and Emergency Management plans, as well as Crisis Communication Plans. Their purpose is to outline how organization resources will respond when business disruptive events occur.
Another activity within this phase is the development of the IT Disaster Recovery Plan, which will leverage the BIA and Risk Assessment information and map systems and resources, data backup requirements, as well as IT systems recovery procedures. This task can be particularly challenging when organizations outsource their IT operations to third-party vendors.
It is all about program maintenance
Yay, the previous two phases are finally completed. Your organization spent countless hours mapping out business requirements and developing plans and procedures. Now it is time to celebrate, put the binders in cabinets, and forget about them. Next challenge, please…
Joking aside, this is exactly what happens in most organizations once they complete their business continuity plans. Plans are not distributed to the staff. The organization resources are never trained how to implement these plans. They are not tested or exercised. Nobody knows where they are stored. The executives are too busy to even look at them.
Training on, testing and maintenance of the plans are key to successful critical function recovery during business disruptive events. Your organization's resources need to know what to do, who to call, where to go, how to communicate and how to perform other critical tasks which will ensure that your business recovers in the planned timeframe.
This can only be achieved through the implementation of a comprehensive awareness, testing and training program, which will ensure that your staff knows how to execute those plans.
Some of the challenges for maintaining your BCM program are as follows:
- Staff turnover, promotions and lateral moves
- Addition and removal of business functions and processes
- Application and technology changes
- Vendor changes
The changes outlined above will have to be documented on a regular basis (as defined in the BCM policy), and your staff will need to be continuously trained to maintain the overall effectiveness of your plans.
Yes, it could be complicated to implement, but the BCM Program is vital for your business success
As outlined, BCM Program implementation is a process. It is designed to be delivered in phases, so an organization can implement it and mature over time. There will be some challenges along the way, but they will be addressed with executive and stakeholder support.
The larger organizations tend to have dedicated staff to implement and maintain their BCM Programs over time. There are quite a few consultants who can provide the temporary capacity to implement certain program components when required (e.g. business impact analysis).
But the BCM Program implementation could be a challenge for small and mid-sized organizations with limited resources. Smaller organizations are typically understaffed, and adding another role to somebody already stressed with their workload will not lead to the desired outcomes.
On the other hand, consultants are typically a great tool for program implementation, but they might not be available long-term for maintenance and training activities. To address this challenge, some BCM advisory and consulting firms offer a service to capture and manage all program changes (such as our BCMaaS). This could be a cost-effective approach once the advisors and consultants complete the planning and implementation process and move on to the next client.
The important thing to remember is what a wise man once said, “An untested plan is only a strategy”. You should continually plan for disruption responses and test your plans accordingly.
The consultants in this space usually stress that BCM Program implementation is required only for organizations which care about their people, their clients and the overall long-term viability of their operations. Is your organization one of those?
This article was originally posted on the CMC Canada website, and it was somewhat modified for this platform.
StratoGrid Advisory is a Business Continuity Management (BCM) Program Advisory and IT Advisory firm in Ottawa that can provide you with the experience and knowledge needed to successfully implement a BCM Program in your organization.