As an industry professional, you're eligible to receive a printed copy of the journal.

Fill out your address below.






Skip
Please reset your password to access the new DRJ.com
Reset my password
Welcome aboard, !
You're all set. We've send you an email confirmation to
just to confirm you're you.
You can now enjoy total access to the DRJ website while logged in.
New User Registration
*Required field

Already have an account? Log in

Welcome to DRJ

Already registered user? Please login here

Existing Users Log In
   
Forgot password? Click here to reset
New User? Click here to Subscribe for free

Create new account
(it's completely free). Subscribe

Business Continuity

In Business Continuity, One Size Planning Does Not Fit All

Tracey (Wilder) Mayer | November 17, 2020

A prevailing myth about business continuity planning is that you can develop a plan for one company and then easily replicate it for another via a simple “search and replace.” If only it was that simple.

While there are common elements in all business continuity plans, there are many organization-specific factors and nuances which must be considered to ensure a business continuity program is successful at implementation and over time. Below are key considerations for both business continuity planners and the organizations they serve.

Know your industry

Business continuity programs should reflect both the industry norms and the organization’s culture. For example, working with banks or financial institutions, there are the Federal Financial Institutions Examination Council (FFIEC) in the U.S. and the Financial Conduct Authority (FCA) in the U.K., both of which provide mandatory guidelines. Clear regulatory requirements make it easier to secure organizational support for a business continuity program because it is required. Being well-versed in industry regulations can help the continuity planner ensure the program is designed for compliance.

Know your organization’s culture

Culture is often overlooked, but it is one of the most critical keys to a business continuity program’s long-term success, especially in industries which do not have defined regulatory requirements. You cannot take a square-peg FFIEC business continuity program and overlay it into a round-hole organization such as a tech company and expect it to fit. Business continuity planners must look at the company’s strategic programs over time to determine how the company’s culture contributed to the program’s success or failure. It is important to look at a cross-section of programs and initiatives rather than merely looking at business continuity programs to get a complete picture.

A business continuity program that aligns with the company’s culture and shared vision of success will also have a much better chance of getting traction in the first year. This is particularly important for companies that have never had a formal program.

Do not boil the ocean

When introducing business continuity to an organization, it is wise to walk before you run. The first business continuity plan will not likely be “the” plan. Business continuity is a living endeavor that will evolve and mature as a partnership between the resiliency team and the broader organization.

Build in program maturity

Business continuity program planners should create a maturity model for the business continuity program and associated plans that defines goals and outlines program evolution and plan resiliency. Successful companies have a 3-, 5-, or 10-year business plan to define their long-term business goals. Build the business continuity program in the same fashion. Describe how to mature the program from year one to year three through year five and beyond.

Maturity plans will vary depending on the size and type of organization. For example, some organizations have mature enterprise risk management (ERM) programs which identify how the organization views and measures their strategic risk. Leveraging measurable strategic risk factors and aligning them to the development of a business impact analysis (BIA) will mature the program significantly. Organizations that are just developing and maturing their ERM programs will see an evolution in risk methodologies which can impact the BIA and risk factors, leading to measurable understanding of the most strategic areas of the organization over a 3-, 5-, and 10-year period.

Embrace business continuity as a strategic initiative

Many companies develop business continuity plans to “check the box” in response to a negative audit. Organizations that see business continuity programs as a necessary evil to avoid exposure tend to rush through the process. This mindset does not lend itself to a successful business continuity program implementation. Organizations that provide access to executive leadership, socialize business continuity, and gain support for their business continuity program throughout the organization set themselves up for success.

Business continuity is not a one-and-done activity. Building a coherent and strategic business continuity program is much more than a matter of search and replace. It is important to understand the industry, regulatory requirements, and more importantly the culture of the organization, to ensure a successful program implementation which will sustain itself for years to come.

 

 

 

 

February 3, 2021 – Using Mass Notification to Accomplish Your 2021 Business Continuity Goals

WATCH NOW

February 17, 2021 – Is your BIA effective? Or are you using it ineffectively? How 2020 Changed My View on “Traditional” Business Continuity

WATCH NOW

ABOUT THE AUTHOR

Tracey (Wilder) Mayer

Tracey (Wilder) Mayer, CBCV, CPCP, is the associate managing director for Witt O’Brien’s, one of the leading emergency management and disaster response consultancies in the US. A business continuity and crisis leader with more than 20 years of industry experience, Mayer began her career at GE Capital in Canada where her understanding of DR/IT backup strategies and interest in business led to a career transition to business continuity and crisis management.  Over the years, Mayer has supported clients through 9/11, the 2005 Hurricane Season, Hurricane Sandy, as well various other human-error events. Mayer led the implementation of workplace violence training for GE Capital, conducted BIAs, and wrote and maintained plans for organizations to meet FFIEC and NFPA certification requirements. At Witt O’Brien’s, Mayer has been instrumental in establishing policy and procedures related to evaluating external and internal suppliers and their ability to support their clients in the event of an incident. Mayer holds a bachelor’s degree with honors and two certifications in business continuity.

Increasing Energy + Engagement To Drive Program Effectiveness
We have helped to build, manage, and improve hundreds of business continuity programs across just about every industry and organization...
READ MORE
Ask the Executive: An Interview with Melanie Lucht of Carnegie Mellon University
Melanie Lucht, MBCP, MBCI, CIC, CCM is the associate vice president and chief risk officer at Carnegie Mellon University. She...
READ MORE
Puppy Love: Have Your Executives Fallen Hard for Business Continuity?

Once, long ago, I was on a date with an attractive young woman and so enamored with her that I began to plan out when we could see each other again … while still on the date. That day we planned several more dates, and within months, we were married.

Has anyone ever felt this way about your business continuity program? Have your executives felt the pitter-patter in their chest whenever your program is mentioned? Have they casually ever walked by your office hoping to bump into you? Or planned the next meeting with you within a few days after your last one?

No? Me either.

It’s You, Not Them

It’s almost repetitive. The first year they loved you (or tolerated you) and then slowly, they started to pull away. Soon, you don’t even talk anymore. Ok, I’m being dramatic. But has this happened to you before? Maybe it really isn’t them. Maybe it is … us?

There are currently many articles out there which have been critical of the traditional BIA to BC plan model. Articles such as David Lindstedt’s “BCP is Broken” (https://www.linkedin.com/pulse/bcp-broken-3-reasons-paths-david-lindstedt/) outline some key reasons why this approach should be revised. 

Highlights suggest for the most part that BC hasn’t evolved much over the years and that we’re not able to prove our worth very easily. Rather than being the object of an executive’s affections, we haven’t engaged them in the program and created brand value.

I think there might be a way to change the way organizational leaders look at BC. But first, let’s examine the traditional “BIA to plan” cycle so we can figure out where things can go wrong.

Same Thing Different Day

Immediately upon getting the keys to my new business continuity program, I set upon the traditional path of developing a program. Plan. Do. Check. Act.

In the traditional sense, this means you identify the organization’s critical processes and dependencies, then create the proposed recovery strategies you’d most likely implement if that process fails. And then you test to see if there are any gaps.

Of course everyone’s program and culture are going to be slightly different. But tell me if the following steps sound familiar: 

  • Interview key leaders to determine their priorities. Do it whenever they will meet with you, which will be at 1 a.m. on a Saturday.
  • Create a BC steering committee filled with people that show up only after you beg them or after you wait by their car each evening after work.
  • Create a program policy and general risk assessment in a vacuum. Constantly remind people we have a policy.
  • Convince your executive a BC software tool will be helpful. Go through a rigorous process to find just the right one.
  • Implement selected BC tool and become the only primary user. Prepare to hold laptops up to users’ faces and tell them what to type when they finally log in.
  • Make every work unit in the entire company complete a business impact analysis (BIA). Explain what BIA means 4,000 times. Review this information for weeks and then try to get anyone who will listen to look at it with you. (Spoiler alert: No one really will.)
  • Create recovery strategies for each of the 10 risk scenarios you’ve identified ... by yourself.
  • Reset everyone’s password to the BC software tool 37 times a piece.
  • Write plans and checklists and arrange exercises to test the people who haven’t read the plan or checklists.
  • Realize it’s been a year and think about why you’re doing this work and where it all went wrong.
  • Repeat.
Where Did It All Go Wrong?

At the end of this traditional model you end up with a few very positive things. You will have process mapping data. You will have recovery time objectives (RTO). You will also begin to create BC plans for a specific scenario. And you possibly can make the case, that there is some understanding of BC practices amongst a large segment of your organization. But you also end up being about six to 12 months down the road.

And unless your business has a super emergency after this point, and every single plan is activated all together, it will be very difficult to convince people that this is all worth it.

I think there are three main factors why this cycle can be a bust and unsustainable.

Too time consuming.

This process can easily consume a year of your time, especially if you’re a one- or two-person operation. By the time you set up everything, conduct a BIA, develop recovery strategies, and get a physical printed plan to show off, it can be close to a year. What are you going to do if you have a business disruption in the first two months after you start? And how long can you expect anyone to wait before you can demonstrate that you made the business more resilient?

No undeniable value

It’s already very difficult to demonstrate value around a support function like business continuity. So, if you’re spending all your time sucking up money (time and tools for BC) and you haven’t made anyone really aware of the benefits of BC, you will end up with the classic question: “What does BC do again?” The truly “all-in” organization should be able to speak to one or two reasons why you’re there. And in my experience, plans aren’t the thing that makes people love your program. 

Lack of clear wins

Just because you have a documented plan, how does that translate into reduced risk? The traditional BIA may help you understand key information like critical processes and your RTO. And maybe during the effort, you find some areas of concern. But did you fix them during the cycle? This model doesn’t tend to yield very specific results or give you the ability to eliminate a single point of failure right away. You will need to dive deeper to accomplish that.

In my next article, I’m going to explain how thinking about a BC program in the same way you approach a new romantic relationship can bring completely different results. By making changes at the front end of the BC cycle, when you first meet and begin establishing your relationship, you can really change the way you generate interest and set yourself up for a relationship no one could resist. 

"MathewShane Mathew, vice president of professional services at Virtual Corporation, oversees the consulting and software implementation. Prior to joining Virtual Corporation, Mathew served in various leadership roles within business continuity and emergency management in both healthcare and governmental organizations. Mathew has led the creation and implementation of business resiliency and risk identification programs for several organizations, including governmental, medical centers, and a multi-site, national pharmaceutical division of a global healthcare organization.

 

READ MORE
2020 Vision: Refocusing Your Program for the New Year
It’s almost the end of 2019. I’ll pause to let that sink in if you haven’t looked at the calendar...
READ MORE