Reading Time: 4 minutes
Readers note: Please check our recently published high-level Business Continuity Planning guide.
In the “An Introduction to Business Continuity Planning” article, we outlined the main components of the Business Continuity Management (BCM) Program and introduced the basics of Business Continuity Planning (BCP).
We defined some key BCM Program terms and implementation phases, development approaches and program alignment requirements with the industry-leading standards. We also outlined several key challenges with the BCM Program implementation and a few strategies which will help your organization overcome those challenges.
But in reality, we are aware that the article alone will not be enough to assist small and medium-sized organizations with the BCM Program implementation. Many of the organizations of this size (e.g. non-profits, law or accounting firms, insurance firms/brokers, professional service firms, architecture firms, etc.) have unique challenges not generally understood by larger Business Continuity Advisory firms.
Small and Medium-Sized organizations are challenged all the time
Many of the BCM program implementation challenges at small and medium-sized organizations can be summarized using the four categories below:
1. Management Support
We know that running a small or medium business is not without challenges. The business' senior leadership team (SLT) is continuously pressured by quarterly revenue numbers, new products or services, vast competition and future growth concerns.
There is not much time to deal with “non-essential” business problems. As such, the implementation of a BCM Program is typically not high on the priority list, and the management continually fails to recognize that the organization is not adequately equipped to weather the next big emergency or crisis.
2. A false sense of security
Many of the small and medium-sized organizations are outsourcing some or all of the internal Information Technology infrastructure and applications to third-party organizations (e.g. Managed Services Providers – MSPs, cloud service providers, etc.).
As outlined in the “Business Continuity is not a data backup” article, this creates a false sense of security, where senior management expects those third-party IT organizations will develop a comprehensive Business Continuity Plan or IT Disaster Recovery Plan.
These plans must address BCM Program requirements, including Emergency Management Procedures (e.g. what to do if the building is on fire or not there at all), the identification and prioritization of critical business functions and their dependency on IT applications, crisis management procedures or mapping out business supply management risks.
3. The baseline (the documentation)
Many of the organizations of this size have not developed critical BCM Programs implementation input requirements such as a list of business functions and processes across all business lines or fully documented IT applications (internal and hosted by third-party organizations).
The implementation of the BCM Program might require the involvement of consultants in function/process or process documentation, which could be outside of the typical BCM program implementation process activities.
4. Resources and implementation approach
One of the leading challenges at small and medium-sized organizations is a lack of budget to implement a comprehensive BCM Program and knowledgeable internal resources to spearhead its implementation.
Most of the time, the program implementation pace will be slower than at some more established organizations, and that should be OK. The process heavy BCM Program implementation approach might scare the organization’s senior management or a few excellent resources who were brave enough to venture out of their safety zone and learn something new.
In the end, they end up owning produced BCM deliverables once the BCM consultant or a firm leaves the business premises. Without sacrificing quality, the BCM implementation must be scaled to an organization, and it’s culture, the pace of execution and style of operations. It must work for the client, and not just for a process-driven BCM Consulting firm.
BCM Program vs Project?
One crucial thing to remember is that the BCM Program should never end (program vs project discussion). The maintenance of the BCM Program components must be completed at least once or twice a year, aiming to capture all changes within the organization such as new business lines, new or removed functions or processes, resource changes, IT applications, vendors, etc.
The BCM Program documentation, once updated (e.g. Business Continuity Plan, IT Disaster Recovery Plan, Crisis Management Plan, etc.), should be tested and exercised at least annually to capture gaps and areas of improvement. It is a continual process that will require commitment across the organization.
BCM Program Maintenance is a key
As outlined above, many organizations (of all sizes) will face challenges with the BCM Program maintenance requirements, and resource availability to complete these tasks.
If the implementation approach is too process heavy, it will be abandoned and forgotten very quickly.
When is done right, and the organization has fun doing it along the way, it will have long-lasting effects on its culture and business operations.
The final result will be an increased organizational ability to weather major disasters, increased levels of emergency preparedness and greatly improved organizational resiliency.
StratoGrid Advisory is a Business Continuity Management (BCM) Advisory firm in the Ottawa/Gatineau region that can provide you with the experience and knowledge needed to successfully implement a BCM Program in your organization.