Effective, real-world business continuity management tips
- Published: Thursday, 28 January 2021 08:42
Andy Osborne shares some business continuity advice from the 101 tips included in his new book 'Practical Business Continuity Management 2'. The tips aim to provide useful thoughts for improving all levels of business continuity management systems…
Business continuity mismanagement
There are lots of things you can do to improve your chances of developing a robust and fit-for-purpose business continuity capability. Listed below are seven ways to make sure it’s a spectacular failure!
- Leap straight into the plan-writing phase without any thought for analysis, strategy or the specific solutions that will underpin the plan
- Take a pre-written business continuity plan template and simply insert your organisation’s name. Don’t bother to customise it any more than that – no one will notice
- Do it in isolation. After all, there’s no need to trouble anyone else when they’re all so busy with far more important things than thinking about the survival of the business. In particular, don’t bother to get any executive support for the business continuity programme
- Think of as many different scenarios as you possibly can and write a separate plan for each. Ideally the resulting document will be about three feet thick!
- Implement an IT recovery plan without talking to the business about what they actually need
- Don’t bother to exercise or test. Everything’s bound to just work perfectly without any problems or glitches
- Don’t provide any training, awareness or education for those who have roles within the plan. After all, they’ll just know instinctively what to do and how to do it when the time comes.
The items in the above list will seem utterly ridiculous to the more enlightened reader, but they are all things that have been tried by real people in real organisations, with predictable results. For goodness’ sake, please don’t join them.
A business continuity capability vs a business continuity plan
Many organisations focus on producing ‘the plan’ as the main aim of their business continuity programme. But, sadly, the plan itself won’t save the business in the event of a major disruptive incident.
What will save the business is key people making key decisions and taking key actions – the business continuity plan merely supports that process. It’s important, but a business continuity capability is far more important.
Developing a business continuity capability requires a number of things, including:
- An effective strategy that meets the needs of the business, plus realistic and workable solutions to deliver that strategy.
- Proving the strategy, solutions and plans, by exercising, testing and rehearsal, and by challenging and validating assumptions. This includes proving the incident management, communication, technical recovery and business recovery capability.
- Awareness, education and training. Key players need to know their roles and responsibilities and may well need some education and training to help them be effective in their roles.
A business continuity capability doesn’t come about through merely writing a plan then putting it on a shelf to gather dust – there’s a teeny bit more to it than that.
So which would you rather have? And more to the point, which do you actually have?
The devil's in the detail
While there’s more than one way to conduct a business impact analysis, a fairly typical approach is to identify the organisation’s key activities and to assess the impacts of disruption to each of them over a series of predetermined time periods. Different types of impact, both financial impacts (such as lost revenue, impact on share price, fines or other penalties, additional costs, etc.) and non-financial impacts (such as health and safety/welfare issues, reputational impacts, regulatory issues, etc.) are usually considered.
The process often goes something like this:
- Starting with the first activity on the list, assess the various applicable financial impacts of disruption to the activity for each of the predetermined time periods. This typically covers a time span ranging from a few minutes or hours to a few weeks, so there are likely to be half a dozen or more time periods.
- Repeat for activity number one, this time assessing the applicable non-financial impacts of disruption to the activity.
- Repeat the process for every activity on the list.
- Derive the recovery time objective for each activity from the (probably rather large) table of assessed impacts. This is usually done by determining the point at which the impacts hit a predetermined ‘intolerable’ level and setting the recovery time objective at a point before the intolerable level is reached.
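The derivation in the last step can be sketched in a few lines of Python. This is an added example, not taken from the article or the book: the activities, the 1-5 scoring scale, the 'intolerable' threshold of 4 and the time periods are all constructed assumptions.

```python
# Constructed BIA data: impact scores on an assumed 1-5 scale, where 4 is the
# assumed 'intolerable' level. Periods are hours since the disruption began.
PERIODS_H = [1, 4, 24, 72, 168, 336]
INTOLERABLE = 4

IMPACTS = {
    "Customer payments": {
        "lost revenue": [1, 2, 4, 5, 5, 5],
        "regulatory":   [1, 1, 2, 4, 5, 5],
        "reputation":   [1, 2, 3, 4, 5, 5],
    },
    "Payroll": {
        "additional costs": [1, 1, 1, 2, 3, 4],
        "staff welfare":    [1, 1, 1, 2, 4, 5],
    },
    "Emergency call handling": {"health and safety": [4, 5, 5, 5, 5, 5]},
    "Staff newsletter": {"reputation": [1, 1, 1, 1, 1, 2]},
}

def derive_rto(impacts_by_type, periods=PERIODS_H, intolerable=INTOLERABLE):
    """Return (rto_hours, driving_impact_type, note) for one activity.

    The worst score across all impact types is taken for each period; the RTO
    is the last assessed period before that worst score reaches 'intolerable'.
    """
    for name, scores in impacts_by_type.items():
        if len(scores) != len(periods):
            raise ValueError(f"{name}: expected {len(periods)} scores")
    for i, period in enumerate(periods):
        worst_type, worst = max(
            ((n, s[i]) for n, s in impacts_by_type.items()), key=lambda x: x[1])
        if worst >= intolerable:
            if i == 0:
                # Already intolerable at the shortest period assessed.
                return None, worst_type, f"needs finer periods below {period}h"
            return periods[i - 1], worst_type, f"intolerable by {period}h"
    # Never intolerable within the horizon: this table justifies no RTO.
    return None, None, f"tolerable for at least {periods[-1]}h"

def derive_all(table=IMPACTS):
    return {activity: derive_rto(types) for activity, types in table.items()}

if __name__ == "__main__":
    for activity, (rto, driver, note) in derive_all().items():
        print(f"{activity:26} RTO={rto!s:>5}h  driver={driver}  ({note})")
```

The two `None` results are the cases the table alone cannot settle: an activity that is intolerable within the shortest period needs finer-grained periods, and one that never reaches the threshold has no impact-based justification for a recovery time objective.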
The main reason for using the above approach is that we’ve always done it that way – or, at least, quite a lot of people in the business continuity ‘industry’ have done it that way for quite a long time. That and the fact that this approach has found its way into standards such as ISO 22301 – largely because the main contributors to those standards are those who have done it this way for quite a long time. And, on the subject of a long time, as you can probably imagine (or remember, if you’ve ever been through the process), this approach can take a serious amount of time.
The main purpose of a business impact analysis is to confirm the recovery time objectives for the activities that support the provision of an organisation’s key products and services, and to provide some justification in terms of the impacts that would be felt if those activities were disrupted. But does that really mean we have to go into so much detail when considering those impacts?
A more pragmatic and less time-consuming approach, particularly if you don’t aspire to certification to a specific standard, is to come at it from a slightly different angle, starting with an assessment of an activity’s recovery time objective and then considering the impacts if that recovery time objective isn’t met, rather than the other way around. The end result is usually spookily similar – provided, of course, that the right people are involved.
This less detailed approach won’t suit everyone, and you may well have good reasons for using what is, after all, a tried and tested process. But ‘because we’ve always done it that way’ isn’t necessarily a good reason for continuing to do it that way, when another way might be perfectly adequate for your needs.
Andy Osborne is Consultancy Director (business continuity, risk & crisis management) at Acumen. His new book, 'Practical Business Continuity Management 2', is now available from Amazon as a print or Kindle version.