Most organizations don’t want to imagine what would happen if a disaster struck their operation, but what if a disaster did strike. How would your organization respond? The best way to know how to respond is to develop, implement and maintain a Business Continuity Management (BCM) program. A BCM program provides a framework for building organizational resiliency with effective responses and safeguards that protect its reputation, stakeholders, employees, and facilities.
BCM is not just about remedying technology shortfalls, as many organizations believe. It’s also about securing, protecting, communicating and preparing corporations from disastrous impacts upon its workforce, facilities and its technologies – To minimize the impact on operations. BCM touches every aspect of an organization from the mailroom, the field and the call centre to the manufacturing floor and right up to the boardroom.
To make your program effective, consider some of the following suggestions when planning:
1. Start With the Worst – Begin the planning with the worst-case situation your organization can imagine. For many, this example is the tragic events of September 11, 2001. Work backwards from there and you’ll start to fill in many of the dangers that can harm your corporation. You’ll also be able to start challenging the worst case situation and begin to get more inventive with potential impacts – and develop the plan accordingly.
2. 3 Pillars of a Business Continuity Plan (BCP) – Every BCP plan must address three things; Workforce Availability, Facility Availability and Technology Availability. If each plan has these three core components, an organization can respond to any disaster situation and expand their capabilities by adding varying situations and scenarios through validation exercises.
3. Dedicated Resource – Assign a person with the appropriate training and authority to get things done, if not, the program will quickly fall to the wayside in favour of other initiatives. This may include getting outside help to get the process kick-started (i.e. consultants, contactors etc).
4. BCM Program vs. BCM Project – The BCM program must live on and continually meet the needs of an organization, as it grows and changes; so to must the BCM program. A project has an end date but a program must live and breathe and contain more than just a single aspect of BCM. Therefore, when the Business Impact Analysis (BIA) is completed, that’s just one ‘project’ of the overall BCM program; you’ve got lots more to get through and develop.
5. Exercising/Testing – Plans mean nothing if they haven’t been validated. Every organization must exercise its plans to make sure they’ll work during a disaster. It’s better to find gaps in your plans through exercising and under controlled circumstances rather than when the real thing happens.
6. Executive Support – If no one is there to champion the BCM program, it won’t last too long. In fact, there’s a good chance it will run out of steam and end up on the backburner of boardroom discussions. Having executive support shows the rest of the organization that BCM is taken seriously.
7. Awareness & Training – It can take a long time to develop continuity plans and create processes and procedures but if no one knows how to use them, where they’re kept or under what circumstances they’re required, they won’t be of any value or use. Remember, awareness and training are not the same things and every level of the organization must received its fair share of both if the program (and all the developed plans and processes) are to be useful and successful.
8. Focus on People – This should be a no brainer; BCM is about people. It’s people that build the plans, use the plans, review and exercise the plans. It’s people that will be impacted by not having plans in place; clients, vendors, employees and communities. If you state that technology availability is the most important part, you’ve basically told those individuals – who you need to help build plans – that they aren’t important. Keep in mind; people first.
9. Business Impact Analysis (BIA) – Every company must understand what it does and how it does it. A BIA is the process of analysing business functions and the effect that a disruption might have upon them. Knowing this will help corporations develop appropriate Business Continuity Plans (BCP) and other contingency strategies. Ensure you get agreement on the findings, don’t just state what they are and move forward. The findings from a BIA are what the attendees believe is important and it could turn out that what they feel is important to the company is not what executives believe is important. Make sure executives are in agreement with the findings before you start developing restoration and recovery plans – you could be way off the mark.
10. Program Maintenance and Monitoring – If program components aren’t maintained and updated the Business Continuity strategies developed – and the related documentation – will reflect the corporation as it once was, not as it current is.
11. Bonus: Using Software Only – Software can be very beneficial for maintaining and gathering information but beware, it doesn’t take into account the nuances of people or scenarios specifics. It may tell you that you need 10 desktops in 24 hours but the situation itself may call for something completely different based on what has occurred. Don’t fall into the trap that DR/BC software will answer all your questions and save you; it’s a tool to help you.
Having a BCM program in place is a part of an organizations Corporate Social Responsibility (CSR) but there are other benefits to implementing a program. First, your organization will have the security in knowing a robust plan is in place to deal with disasters, providing safety and security for all employees. Second, a proper BCM program will provide a competitive advantage. Those organizations will strong programs win out over organizations that don’t have BCM plans in place because there is knowledge that your organization will have developed a way to provide a product or service even during a disaster.
It’s not easy building a BCM program; it can be tough to develop, implement and maintain but it will only take a single crisis or disaster to prove its worth. A single crisis or disaster can be one too many. Are you prepared?
© StoneRoad (2013)
**NOW AVAILABLE**
Books by StoneRoad founder, A.Alex Fullick, MBCI, CBCP, CBRA, ITILv3, available at http://www.stone-road.com, http://www.amazon.com, http://www.volumesdirect.com
BCM document templates available in the ‘shop’ section at http://www.stone-road.com.