A prevailing myth about business continuity planning is that you can develop a plan for one company and then easily replicate it for another via a simple “search and replace.” If only it were that simple.
While there are common elements in all business continuity plans, there are many organization-specific factors and nuances which must be considered to ensure a business continuity program is successful at implementation and over time. Below are key considerations for both business continuity planners and the organizations they serve.
Know your industry
Business continuity programs should reflect both the industry norms and the organization’s culture. For example, when working with banks or financial institutions, planners must account for the Federal Financial Institutions Examination Council (FFIEC) in the U.S. and the Financial Conduct Authority (FCA) in the U.K., both of which provide mandatory guidelines. Clear regulatory requirements make it easier to secure organizational support for a business continuity program because the program is required. Being well-versed in industry regulations can help the continuity planner ensure the program is designed for compliance.
Know your organization’s culture
Culture is often overlooked, but it is one of the most critical keys to a business continuity program’s long-term success, especially in industries which do not have defined regulatory requirements. You cannot take a square-peg FFIEC business continuity program and overlay it onto a round-hole organization such as a tech company and expect it to fit. Business continuity planners must look at the company’s strategic programs over time to determine how the company’s culture contributed to each program’s success or failure. It is important to look at a cross-section of programs and initiatives rather than merely looking at business continuity programs to get a complete picture.
A business continuity program that aligns with the company’s culture and shared vision of success will also have a much better chance of getting traction in the first year. This is particularly important for companies that have never had a formal program.
Do not boil the ocean
When introducing business continuity to an organization, it is wise to walk before you run. The first business continuity plan is unlikely to be “the” plan. Business continuity is a living endeavor that will evolve and mature as a partnership between the resiliency team and the broader organization.
Build in program maturity
Business continuity program planners should create a maturity model for the business continuity program and associated plans that defines goals and outlines program evolution and plan resiliency. Successful companies have a 3-, 5-, or 10-year business plan to define their long-term business goals. Build the business continuity program in the same fashion. Describe how to mature the program from year one to year three through year five and beyond.
Maturity plans will vary depending on the size and type of organization. For example, some organizations have mature enterprise risk management (ERM) programs which identify how the organization views and measures its strategic risk. Leveraging measurable strategic risk factors and aligning them to the development of a business impact analysis (BIA) will mature the program significantly. Organizations that are just developing and maturing their ERM programs will see an evolution in risk methodologies which can impact the BIA and risk factors, leading to a measurable understanding of the most strategic areas of the organization over a 3-, 5-, and 10-year period.
Embrace business continuity as a strategic initiative
Many companies develop business continuity plans to “check the box” in response to a negative audit. Organizations that see business continuity programs as a necessary evil to avoid exposure tend to rush through the process. This mindset does not lend itself to a successful business continuity program implementation. Organizations that provide access to executive leadership, socialize business continuity, and gain support for their business continuity program throughout the organization set themselves up for success.
Business continuity is not a one-and-done activity. Building a coherent and strategic business continuity program is much more than a matter of search and replace. It is important to understand the industry, the regulatory requirements, and, more importantly, the culture of the organization to ensure a successful program implementation which will sustain itself for years to come.