Based on our experience in the Business Continuity (BC) Industry, Terra Firma has devised 10 Business Continuity Management (BCM) Commandments to help your organisation follow BCM best-practices.
1. Use Resource-Loss Planning to Develop Plans
Today’s BCM philosophy is based on the All Hazards approach to BC planning, which protects you from any threat to the operational capability of the organisation. Unfortunately, many organisations are still relying on legacy continuity plans and capabilities based on scenario planning. This creates risk for the organisation because plans are only developed for specific scenarios, leaving the organisation exposed to threats outside those considered. In the broader scheme of things, All Hazards recognises that you cannot plan for an infinite number of scenarios. However, you can plan for the replacement of a finite number of critical resources, and in doing so, will restore business operations regardless of the cause of the loss of those resources.
When an incident occurs, the damage assessment identifies the location(s) affected and resource(s) lost, relevant recovery plans are accessed and then put into action.
2. Make BCM a Serious Part of Your Normal Ongoing Business Processes
Some organisations implement BCM solely to tick-the-box. They are driven by the next impending audit and aim to do just enough to get out of the spotlight. This approach has inherent exposures and typically results in very basic, high-level plans requiring the “brains trust” to be available on the day of the disaster and coherent enough to work it out on-the-fly.
BCM should be part of BAU with responsibilities embedded in the organisation to ensure that BCM is always up-to-date with minimal effort. If BCM is an isolated activity performed intermittently by a specialised group, the people at the coal-face will not know what is expected of them when disaster strikes. Clearly, defined BCM responsibilities distributed throughout the organisation ensure that disaster response will be timely and efficient. Recovery Team members will know how they are expected to respond and in what time-frame.
3. Use a Hardware-Vendor-Independent BCM Approach
The business must undertake an Operational Business Impact Analysis to identify the minimum resource requirements to be recovered over time for each business activity. Deriving the recovery time objective for a resource (a server) from the business activities that rely on that resource ensures that continuity and recovery strategies are business-driven and cannot be swayed by hardware vendors with their own agenda.
A BCM methodology will ensure the business follows a proven path to analyse its requirements, which can then be fulfilled by the vendor with the most cost-effective solution.
4. Make Sure BCM is Business-Driven, Not IT-Driven
Some organisations have BC programs driven by the IT Department (ITD). This results in BC Plans based on either what ITD believes are the business requirements or existing IT recovery capabilities, neither of which represents what the business actually needs to get back up and running at the right time. It is essential that BCM is owned and driven by the business. BCM covers all resources, IT is simply one of many resources. The business must ultimately decide how it is to recover from a disaster, which may or may not include IT.
ITD can certainly help develop recovery strategies and procedures, but should not be defining target quantities and timeframes, as they will be based on what ITD believes are achievable recovery targets within their budget, not what is actually required to recover the business. It is essential that the business defines the BC and ITDR requirements. This is sometimes the greatest challenge for ITD. If the business does not specify and sign-off their requirements, ITD will forever be running to the business cap-in-hand justifying their position and budget.
Business engagement places ITD in the appropriate position of a service provider, presenting costed strategies for the business to justify and allocate expenditure or re-evaluate their requirements.
5. Recognise BCM Value Beyond Risk Management
Reinforce to management that BCM should be embraced as an essential tool to understand how the business operates and its critical paths. BCM can provide valuable information which can be used for many initiatives creating value for the business, including resource rationalisation, process refinement, business process re-engineering, organisational restructuring and strategic planning.
6. Adopt a Methodology-Centric ‘Coaching’ Approach
Some organisations engage consulting firms that undertake BCM as if it was a complex, ‘black-box’ activity. Victims of this approach are left with a report, a plan and an invoice. This process results in a significant lack of business buy-in, no understanding of the process, no new skills, unjustifiable recommendations and a job for life for the consultants – after all, they are the only ones who understand the BC process and plan.
Ideally, the business needs to be coached through the process so they can believe in the results, understand the implications of their decision, and, most importantly, adapt their capability as the business changes, long after the consultant disappears.
Developing an effective BC capability demands tried and true methods to leverage the knowledge within the organisation. This includes contextualising BC concepts and terminology to suit the culture and personality of the organisation. A strong, consistent methodology supported by reusable tools and mentoring of key staff will ensure the long-term success of BCM.
7. Standards are Guidelines Only
Current BCM Standards can be useful for understanding what needs to be considered, but not designed, to offer practical guidance on how to undertake BCM. Standards are just not prescriptive enough for use. They fulfil a useful role in providing frameworks and high-level guidance, but do not give process-driven definitive information or techniques.
A BCM Methodology which includes detailed processes and practical guidance at all stages is required for real-world implementation.
8. Use a BCM Software Management Tool
BC information is complicated, spreadsheets or MS-Word tables simply cannot handle the dynamics, complexity, concurrent access and interdependencies required to manage BC information effectively. Spreadsheets are far from ideal for performing real analysis on the relationships and quantities of resources required to be restored over time and are tightly tied to the author of the spreadsheet. If the author leaves the organisation, someone else needs to learn and support the spreadsheet.
Paper-based management systems can be labour-intensive and difficult to keep up-to-date and synchronised with the latest business requirements. This creates a risk that your BC capability simply becomes shelfware. To alleviate these risks, organisations should adopt a commercial software package that is underpinned by international standards and practitioner guidelines and is supported by the vendor via training packages and a help desk. All BC materials must be accessible and easily updated, always reflecting the needs, technology and structure of the organisation. Using purpose-built BCM software solves many of these challenges.
9. Keep Your BC Plans Concise and Divided into Meaningful Sets
Plans must be pragmatic, practical and concise. No one has the time to read through reams of paper when you are trying to recover business operations. They must be easy to use and contain the minimum to recover the affected part of the business at the time with speed and accuracy. From our experience, a single, static plan cannot achieve this. You must be able to produce plans for only the area affected by the disruption, for example, only the 7th floor has been flooded, not the rest of the building. Plans must be separately available for emergency response, logistics, functions and resources, for the affected area of the business only, anywhere, any time.
10. BCM Plans Must Be Accessible Anytime, Anywhere and Not Just Over the Internet
There is no point having BCM Plans if you can’t get to them when you need them. Your BCM System must be automatically backed up daily, and your data restorable locally and remotely. It is essential that you can load data onto your laptop and take it with you into the field to oversee recovery directly. Internet solutions are great, but make sure your solution also has a local recovery option that can operate when the network is inaccessible. We know from experience that the network is highly likely to be affected by an outage. If you don’t have a local option, you have a recovery system that fails the most basic of tests.