Mark Armour and David Lindstedt recently proposed Continuity 2.0, a manifesto detailing how current approaches to business continuity planning might evolve. In this article Mark looks at how Continuity 2.0 might be applied in practice.
The following example is by no means definitive. Remember that the Continuity 2.0 principles are not about order of execution. The three steps suggested here provide just one example of how the principles could be applied in a fairly concise execution. So, without further ado: a practical approach to Continuity 2.0 in three easy steps.
Step one: Exercise
Tabletop it. Execute your recovery strategy. Evacuate your building. Recover your technology. It doesn’t matter exactly what you do; what matters is determining what is in place right now. Today. This is not about testing against a pre-defined recovery time. It is about determining what your recovery capability realistically looks like and areas where it can be improved. This is also an opportunity to apply the Continuity 2.0 principles:
Document only for mnemonics. I’ve noticed a tendency among some practitioners to lead their participants during exercises. Some provide buckets of materials for reference then correct individuals if they go off script. Don’t be that person. Work within the existing environment to see what comes naturally. If there is documentation but it is not referred to, do not expect it to be used during an event. Consider other options.
Learn the business. Nothing brings the priorities of an organization into stark contrast like a disaster. Even a high-level exercise scenario will get people thinking about what matters most and how best to apply available resources in order to recover most effectively. Take note of the resources that are discussed most frequently or cause the most concern. Observe how individuals work with one another and the ability of teams to work together in stressful situations.
Prepare for effects, not causes. When exercising, just like in a real event, the focus will be on restoring resources and functionality. The scenario event is secondary. The impact may be to workspace that supports multiple businesses in which case priorities will naturally emerge. You may choose to take out a technology system or external service that supports multiple critical services, in which case the priority of those functions is moot, since systems and services are predominantly process agnostic.
Measure and benchmark. There are really two concepts at play here:
- Benchmarking is about the traditional measurements but not using the traditional approach. Instead of front-loading your intended recovery time, go into the exercise with no expectation other than to determine what the realistic time to recover actually is. Just as important, it should be determined what functionality or capacity would be like in the recovered environment. More often than not, recovery means doing without some features, resources or full capabilities. Once you’ve determined both, you’ve established a benchmark.
- Measurement is about how effective your response and recovery will likely be in a real event. Recovery – and how it can be measured – comes down to 1) processes / procedures, 2) resources, and 3) capabilities.
This means using the exercise to identify:
- Whether tools and materials are sufficient to support your response and recovery efforts.
- If you have adequate resources to perform response and recovery activities and restore impacted functions.
- How capable participating team members are in executing their responsibilities.
There is one additional key to effective measurement: It should not be in the hands of the practitioner alone. All participants should evaluate the response and recovery process and provide their own input to the final measurement. The more input, the more accurate the final figure. After all, who better to determine what is needed and how effective the execution went than your participants?
Step two: Analyze
You are exercising to improve, after all. This isn’t about where things went wrong. At the end of the day people are going to respond based on their natural inclinations. You may not like it and it may not be most effective but it is reality. Start there.
Processes and procedures. Do people have the instructions they need to respond and recovery effectively? Just as importantly, are the materials, data and resources they need adequate? Tools like process maps, fishbone diagrams or value-stream maps are also great for those that are familiar with them. For those that are not, keep it basic. Work with participating team members to identify improvement opportunities or brainstorm solutions. Remember that this is not about getting people to follow documented procedures. It is about seeing how people naturally respond and react and identifying ways to make them more effective.
Resource measurements should be straightforward (though this is not a guarantee) since we are mostly talking about physical things. You either have it or you don’t. Of those items that you are missing, determine what is either necessary, important or merely helpful.
Capabilities can be somewhat subjective which make participant input all the more essential. To the observer (including the business continuity practitioner) teams may sometimes appear combative, but that may just be how that particular group of people function best. Get agreement from participating team members about their capabilities. Solutions vary and may be as simple as providing greater training. But skills, experience and personality types can all contribute to making teams either effective or downright dysfunctional.
You now have a laundry list of improvement opportunities. It is time to move on to…
Step three: Solutions
When stepping through this process for the first time it is best to start slowly. Take steps that are relatively minor and easy to implement. Some will be no brainers or require little in terms of effort and cost. Implement these immediately. You are now on your way to Delivering Continuous Value!
Bigger changes that require more significant time, effort or capital investment provide opportunities to obtain incremental direction from leadership. Larger scale changes will very likely need to be reviewed with executive management for input and approval. Lead off such conversations by sharing the improvements already implemented. This isn’t about getting support for the program. It is about sharing results and taking action for future steps. This is closer to how executive management operates. By starting with your accomplishments you build immediate credibility and set the stage for diving into the meatier work to be done.
Be certain to share:
- The support among participants for proposed change(s),
- The intended benefit in terms of capacity or recovery times, and
- Any associated costs.
There is no need to bite off more than one can chew. If there is a plethora of improvements that can be made, provide management with just a portion. To build relationships and credibility it sometimes makes sense to have smaller conversations more frequently rather than conducting one large presentation where the entire inventory of changes is reviewed. Start with the easiest, the most impactful or the items you are most confident in. The successes that follow will make subsequent conversations easier and future approvals more likely.
Remember to engage at many levels within the organization! For changes to be effective you WANT executive support but you NEED the backing of your ground troops. This involves your subject matter experts, line-level managers, supervisors and team leads. Anybody who will have a role to play in response and recovery activities. People will grudgingly do what management asks of them even if they do not agree with it. In a recovery situation, however, people will not immediately recall that edict from the first quarter and fall back on what they know and what they accept. Make sure you have support down to the individual contributor level.
Congratulations! You’ve made it back to Step one: Exercise. But now you have a benchmark against which to measure improvements. Is the recovery time lower or has effectiveness or capacity increased? Perhaps both? The results now provide the measurements that can be reported back to leadership. Results are tangible and the dialog becomes much more action-oriented.
Re-evaluate your measurements for improvements as well. This will demonstrate that for X time and $$ spent, confidence in the organization’s response and/or recovery capabilities improved by X%. These go far in demonstrating reliability and improving confidence in the organization’s ability to respond and recover. Some improvements may not have the intended benefit which is why we make small, incremental changes and re-evaluate frequently. But now you have qualitative data and not merely a list of steps executed.
That’s it! I’ve intentionally kept this example high-level. I’ve also tried to avoid specifics that could discourage the flexibility necessary for Continuity 2.0 to be most effective. I’ll provide additional approaches in the near future so please do not consider this the only or best method to executing the principles. I just had to start somewhere.
Mark Armour is a director of Global Business Continuity. Future Continuity 2.0 developments can be tracked at http://www.continuity20.org/