“You’re such a know it all!” At some point we’ve all heard that expression taunting us. Usually it’s a joke of course and response to something we’d said in jest. It’s kind of funny because it’s impossible for anyone to actually ‘know it all.’ Could you imagine if some did? Hmmm…
So how come when we are building a BCP’s and other program components, we sometimes end up being assigned a single
person to represent an entire department of division? Do they really know it all? Impossible I say.
However, they may know allot about a specific area and maybe a Subject Matter Expert (SME). Or they might be the manager of an area, which can add an entirely new perspective on things but would they be able to know the nuances of a process like the end user? Probably not.
Here’s a short list of people within the organization you might want to interview when developing your Business Impact Analysis (BIA) and ultimately the various strategies and contingencies you’ll be building. Each will be able to provide a unique focus and perspective that one (or more) of the others can’t.
- Executives: Yes, it shouldn’t be that obvious. You’ve got to speak with them because they are going to let you know what their expectations are; you’re marching orders if you will. If you don’t speak with them you might end up at a place along the development path where you find you’ve been focusing in on the wrong areas simply because the focus for executives – or rather their objectives – were focused somewhere else. You have to align what you’re doing with what they want. Of course, you can poke and prod to help provide guidance to them but ultimately, it’s their show and their decision but you won’t know that unless you speak to them and find out. Leave executives out of your program development at your peril.
- Business Management: Well, you can’t build a Business Continuity Plan (BCP) without talking to the business; that would be silly. Business management can provide details on the higher level workings of the department of division that others may not know (those that report to them). There could be dependencies on a management level that don’t exist on the user level. They may even offer some insight as to what they believe is already in place for a BCP plan, which usually turns out to be an assumption; an assumption like ‘IT knows what we need.’ And you know what that’ll do… So approach all areas that are non-IT based departments such as Finance, Client Services, Facilities, Human Resources, Communications etc. It takes all these areas to operate the corporation so you can’t leave them out of the ‘disaster’ discussion.
- IT Management: This is just like meeting with the Business managers but instead it’s with IT departments only. They will have their own set of assumptions and (possibly) plans in place to deal with disasters. What is often forgotten though is what contingencies need to be in place to address such things as people disasters. I don’t know of any IT person who is impervious to a flu or some other ailment. I’ve met many IT mangers over the years that state they know what to do and that their people know what to do, when a disaster strikes. They are able to work on the situation from an IT perspective but they almost never state they have a plan in place to deal with the fact that their own people might (and probably are) impacted by the same disaster the rest of the corporation is dealing with. Meeting with them will help you discover what kinds of information they need from the BU managers – or executives – so they can develop the right IT restoration and recovery strategy. And make sure you reach all areas of IT, not just networking but security (if they are part of the IT group), Server Administration, Operations etc.
- End Users: You’d be surprised how often the lowly end user gets forgotten about. It makes no sense because these are the individuals most impacted by change, crisis and disasters. (OK, maybe not mostly affected but if they deal with clients/customers, they have an impact the rest of the corporation won’t have.) If you speak to them, you might find out about allot of contingencies and manual processes (and workarounds) that exist that management may not know about because they are the ones who are actually doing the jobs that the contingencies are being developed for. The can offer some insight about suppliers, customers and the corporation itself – the real workings – that others can’t, or won’t provide. This is the level in which you’ll find the detailed dependencies that can’t be provided by others.
- SMEs: These people are SME’s because they know a function, service or processes and how it works like no one else. They may not know the entire business but they do know allot about how various components work and how they fit together. Like the end user, they’ll be able to identify key internal and external dependencies (input and outputs) that exist within a department or division. It’s doubtful they would be a SME for every single process in the corporation but they will know exactly how a specific one is to operate; and know it by the book too, not just at a high level. I’ve know some SME’s that know a process or procedure so well they can quote the sections and sub-sections of a documented process and know exactly what it says – and how it (the process) is to be conducted. SME’s can offer allot of insight into the functions and services offered by a corporation (internal and external).
- Vendors/Suppliers/3rd Parties: Sometimes this can be a bit touchy, as companies might not want you to speak with their vendors etc. They don’t want companies to know that you’re developing a program because they may have already told them that your corporation had a program. That would mean when you show up to speak to them they find out you didn’t have a program/plan in place and they were lied too; might make for some ‘touchy’ moments. Nevertheless, it’s important you do speak to them or have the person who own the business relationship speak to them. Why? If they have a disaster, you need to know what they have in place and what actions you are to take in response to it. How are they going to communicate to you and do you have to withhold deliveries or orders for a certain amount of time while they restore systems? You need to know because you’ll have to speak to your won customer and clients as to why something isn’t arriving from you supplier; ‘I don’t know’ won’t cut it. You have to know what plans to build in case a supplier is having disaster and what their expectation of your organization is.
It’s impossible to meet every person in the corporation unless you’ve been there for years and have literally been with the company from day one; but that is so rare. You do have to meet a wide range of individuals in a wide range of roles to get the right picture of how the operation works and all that occurs within it. If you leave anyone out (the role that is) or any department out, you risk missing some key components that might have a substantial impact on the corporation’s ability to respond to a disaster.
Of course, who you meet might be predetermined by management but if you still need information then go forth and seek it. In the end, if you don’t have the right information available to you – regardless of who was assigned to help you – the strategies and processes developed for the BCM program won’t meet the needs of the organization.
“Heads in the Sand: What Stops
Corporations From Seeing Business Continuity as a Social Responsibility”
and “Made Again Volume 1 –
Practical Advice for Business Continuity Programs” by StoneRoad founder,
A.Alex Fullick, MBCI,
CBCP, CBRA, ITILv3