The global Business Continuity Management (BCM) landscape is changing; from supply chain management to disaster response to the effects and impacts of the Covid-19 global pandemic. We talk to internationally recognized BCM industry leader and expert, Patrick (Pat) Corcoran from IBM. Continue reading
I recently read an article where individuals were asked what the role of the Business Continuity Management (BCM) should be when a new business function will be introduced. There were comments from ensuring Change Management is introduced to the BCM professional needs to perform a Risk Assessment (RA), Business Impact Analysis (BIA) to developing continuity plans and implementation and rollback plans. Now, all that is good BUT, I found it odd that not a single respondent gave the most obvious answer – and it has nothing to do with the BCM professional.
If the organization has determined to introduce – or develop – a new business process (and related technology functionality), the responsibility to ensure all of the things I noted above are completed belongs to the Project Management Office (PMO) and the assigned Project Manager (PM). It’s not the responsibility of the BCM professional to ensure all that is completed.
Now, I’ve always said that BCM professionals need to have a project management experience, or at least have some basic knowledge of project management (as outlined by the Project Management Institute – PMI) but they don’t suddenly become the driver of the bus for all projects.
BCM gets involved at the time the PM – and the schedule – says it’s logical to get involved and execute the appropriate project deliverables, which when completed accordingly, help mitigate risks and/or update the appropriate risk plans, contingency plans (it may be a new plan if the new process creates new departments etc) and technology recovery plans.
With allot of PM experience behind me, I know that every single PMO office I’ve ever worked for – as a PM, Control Officer or Program Officer – there are some basic deliverables that are performed through project management. That includes completing some sort of Risk Profile and Business Impact Assessment, which the BCM professional may be brought in to assist with completion and in most cases, it’s not their responsibility to determine how this is managed. The PM will take the appropriate completed documents and provide to the project stakeholders for approval or additional input/amendments. Then, it may be provided to the BCM professional to action accordingly (e.g. update contingency plans, technology plans etc.). The BCM professional isn’t the one that makes the final determinations during project flight; that’s the responsibility of the PM.
The BCM professional has to make sure that when that inflight project becomes Business As Usual (BAU), all the appropriate activities are completed and ready to accept the new function (project deliverable).
That means that the implementation plans (business and technology) and rollback plans are developed by the appropriate project team workstream lead but is not developed by BCM. There are already people within a PMO office responsible for those activities.
On another note, the Crisis Management Team (CMT) may not even ben involved during project implementations, even when there’s an issue with implementation and roll back occurs. If it doesn’t impact operations then it’s the project’s Command Team that takes control, though some of those individuals on the CMT may be part of the project team based on their daily roles and responsibilities.
Implementation communications are usually managed by the Business Operations team whose job it is to manage communications with clients and customers (the name of the department may change from company to company). Still, they aren’t done or managed by BCM, they are done by the Project Team.
The PM is responsible to make sure that all of these activities are completed properly and to the standards required by the organization’s PMO and documents the handoff to the business owner, which would include ensuring that BCM/BCP/DR has been involved and are ready to accept the new process (if they haven’t been already).
I found it odd that not one responded to the question in the article mentioned Project Management, which is a discipline on its own with various skill sets. Good PMOs and good PM’s will bring in the BCM group when it’s acceptable to do so to ensure that the moment the new process (and related technical functionality) goes live, it’s in a good position to respond to a disaster situation. This might even include a dry ‘test’ or ‘DR simulation’ prior to going live or very shortly after going live. I’ve been in organizations that say a full DR of a new function/technical configuration, must be tested within 60 days of going live – or sooner.
The BCM role isn’t the same as a Project Manager’s role, but the BCM professional must understand Project Management to ensure a smooth transition from idea to implementation to a ‘live’ state.
© StoneRoad 2020
A.Alex Fullick has over 21 years’ experience working in Business Continuity and is the author of numerous books, including “Watch Your Step”, “BIA: Building the Foundation for a Strong Business Continuity Program.”and “Testing Disaster Recovery and Business Continuity Plans
All around me I see people focused on Covid-019 and as it’s such a major aspect, incident and focus in today’s world, that’s not surprising. The amount of impact a tiny virus cell has had on the world is incredible. Who ever said the small things don’t matter, obviously didn’t know anything about diseases and pandemics.
The rush seems to be on to update plans? Seriously? Where was the updating over the last few years? Have BCM/DR practitioners forgotten that updating and maintaining plans and programs is a key aspect of the entire industry? It’s not a one-time thing, which seems to be the practices right now Anyone that comes out and says they are updating their plan now that the Covid-19 pandemic is here was not updating their plan prior to the outbreak. I don’t get it! Why weren’t we doing it? Did we become complacent and just not think that maintenance was necessary; that a one-time plan development was good enough?! Or that once we had a plan and did some sort of test/exercise, which probably entailed more planning than the actual development of the plan itself – was good enough. Sorry, that’s just not going to cut it.
Why did we become so complacent and not maintain our plans? Some have kept them up to date, as you see blogs and posts on social media sites stating they they’re following their plans and protocols but they seem to be either less than or equal to, the number of those that didn’t maintain their plans. If they weren’t maintaining their pandemic plans (aka People Availability Plans), I’m curious to know just what plans or parts of the BCM program were being updated. Call trees? Crisis Management Team (CMT) contact information? The IT Technology Recovery Plan (ITTRP) / IT Disaster Recovery Plan (ITDRP). What has been maintained?
There’s a gap with support too, because obviously executives don’t know what they’re doing for the most part and many are stating they were hit with the Covid-19 pandemic disaster by surprise. BULLCRAP!! We saw things coming weeks ago, as the virus began to spread from China to Japan and South Korea and then to other areas. We got the head’s up it was coming but sat by believing it ‘wouldn’t touch us’. Well, they were wrong.
Now the rush seems to be on to ‘mitigate’ and impact but the impact is already here, so they are actually responding to Covid-19. A few week’s ago organizations may have been able to get away with saying they were performing mitigation activities but they can’t now; they’re responding.
Perhaps it’s a way of telling themselves that they aren’t in any way responsible for what’s happening, so they can blame someone else down the road for not being prepared. Saying they are implementing mitigation plans isn’t really true at all; they just don’t want to admit they fell behind. Hence the rush to get a response in place; any response to help with where they are and how they’ve been impacted.
Well, if you haven’t seen or heard anything related to the Covid-19 disease, you’ve either been living in a cave or on the moon. It’s everywhere. It’s touching every aspect of our lives. It’s changing every aspect of our life and it’s going to change the world going forward. I know that might sound a bit ominous but 1 event can change the world. Continue reading
When we think of crises or disasters, we seem to immediately go to the big ticket situations; fires, hurricane’s, floods and pandemics. We tend not to think of the smaller mundane crises Continue reading
Happy New Year to one and all! 2020 is shaping up to be quite the year for me and I hope it is for you too.
I first have to apologize for not having been more diligent in writing and promoting my show on the VoiceAmerica Radio Network (‘Preparing for the Unexpected’), as I’ve just been so busy. But I decided I should get back to writing and posting here, even if it’s something short. So without further adieu, my first blog of 2020.
Lately, I’ve noticed that some of the talk about BCM / DR programs and their maintenance don’t seem to align. There is so much talk about ensuring programs are developed and that plans are in place and then validated through exercising/testing but then that only gets followed up with the comment; ‘These should be maintained’. And that’s it. I’ve noticed it in articles, blogs and when speaking to people. It’s as though there is something wrong with talking about how to maintain a program or there’s a lack of experience with developing the maintenance processes.
I’m not sure why the talk on this subject something trails off into other topics or why it tends to often be quickly references and then the topic moves in another direction. Are we not familiar with how this is supposed to be accomplished? Let’s face it, there is so much discussion about building programs and exercising plans and processes that maintaining it after the fact seems to fade away.
There might a couple of reasons for why the topic tends to fade away and only come back into the conversation after a disaster/crisis/operational interruption occurs.
- Quite often, contractors and consultants are hired to build programs – especially the RA, BIA, BCP development, tests etc., and when those are complete, they leave because the engagement is completed.
- When the high-priced consultants and contractors are gone, Executives begin to loose interest because the regular requests for support and status updates slow down or stop all together.
- When the contractors/consultants leave, the program is handed off to someone who doesn’t have the full breadth and knowledge of the program and are only assigned to it for 50% of their time. So it doesn’t get the focus it needs. So they don’t end up providing the updates required for Executives (#2 above) , which causes Exec’s to loose interest and it drops off their radar.
There’s lots of focus on the creation and validation of BCM/DR/Resilience programs but I think some more attention, research and methods to keep programs updated and maintained, needs to be done.
© StoneRoad 2020
A.Alex Fullick has over 21 years’ experience working in Business Continuity and is the author of numerous books, including “Watch Your Step”, “BIA: Building the Foundation for a Strong Business Continuity Program” and “Testing Disaster Recovery and Business Continuity Plans
Join us Nov 7/19 as we talk to internationally known resiliency expert Prof. Yossi Sheffi and his book The Power of Resilience.
The StoneRoad Team
Join us on October 31/19, as we talk with author and internationally recognized Business Continuity Management expert Dr. Michael C Redmond. It’s sure to be an eye-opener and we also talk about her thoughts on the Adaptive BCP movement.
The StoneRoad Team
Join us on 2019-08-29 as we talk with Project Management and BCM/DR expert, Ralph Kliem about how we can turn our failing resiliency/BCM programs around.
The StoneRoad Team
Join us August 8/19, as we talk to Workplace Violence expert and author, Dr. Marc Siegel about how we can prepare and prevent workplace violence.