I recently spoke at the DRJ Fall Conference in San Diego on the Art of Essentialism and its application in the BCM arena. The Art of Essentialism was coined by Greg McKeown and is focused on “Less means More, More means Mediocre”. As part of my presentation, I covered what it takes to operate a BCM program based on the Art of Essentialism and its concept of the disciplined pursuit of less.
I believe that the problem in many of the BCM programs we are called to support in a consultative role is not the program itself but the management of the program by the BCM Office Leader. In many cases, the program is in chaos with no strategic direction or management.
So what are the characteristics of an Art of Essentialism BCM Office Leader?
- Uses Metrics to Track BCM Program Performance – Adopt a BCM standard or use a tool like BCMMETRICS.com to assess your level of compliance. Identify your successes and areas of opportunity. Focus on high-importance, low-compliance areas to get the highest Return on Investment (ROI) for resiliency.
- Manages by High Value Activities (HVAs) – Identify which HVAs give us the highest ROI for resiliency.
- Positions the Right People in the Right Seats – Do you have a personnel depth chart for you and your team members? You should know where talents lie and how to assign them to your HVAs. More people is not the right answer; the right people are the right answer.
- Develops a Strategic Roadmap – Based on our critical needs, a roadmap for 12 to 24 months is developed, focused on the HVAs that bring the highest ROI.
- Heavily Invests BCM Personnel Time in HVAs – Based on the personnel depth chart, personnel are assigned to the HVAs according to their expertise.
- Believes in Investing Front End Time with Customers – Time is invested in building the infrastructure needed to have a strong program.
- Works like an Intrapreneur – Treats the BCM program as his/her own company with strategic goals and objectives to meet and a focus on resiliency ROI.
The focused, disciplined pursuit of less will yield a BCM program that has a high level of resiliency for the most critical business activities and systems/applications of the organization.
As BCM professionals, we have all gone through audits of our programs at one time or another and dealt with the questions, the auditors' need for a better understanding of BCM, and the cautious wait for the final report.
At MHA, we are the BCM Office for a good number of our clients. We manage each program using industry best practices and standards as our measuring stick to ensure the program provides the highest level of resiliency and meets or exceeds compliance requirements. We know which of our managed programs are in line with best practices and which ones need more time and work. Internal and external audits are a part of our daily consulting efforts.
We are finding that a good number of the audits we have recently dealt with have become increasingly inconsistent in their application, findings and outcomes. Common conditions found during recent audits:
- Audit Teams Don’t Read What You Send Them
- Lack Intimate Understanding of BCM Industry Standards and Guidelines
- Don’t Grasp Difference between Standards and Guidelines
- Generate Findings that Often Have Little to Do with Raising Resiliency
- Regularly Lose Data/Information Sent to Them
- Require Busy Work Generating New Reports or Gathering Useless Data
- “Them versus Us” Mentality Leading to Conflict
- Infighting Amongst the Audit Team Members
It’s important to state that we are not saying all audits have proceeded in this manner, but a good share have. What is most interesting to us is that we work with programs in critical industries that should have findings but receive none, and with other programs that are highly sophisticated and mature yet receive findings that make no sense.
So, how do we make audits as bearable and consistent as possible?
- Do your own due diligence before the audit using a BCM GRC tool like BCMMETRICS™ (www.bcmmetrics.com) so you know where you stand (level of compliance and successes/opportunities) before the audit. Run reports to identify where you are in compliance and where you have big gaps. Share your due diligence.
- Educate auditors in the BCM process and how it’s applied at your organization before the audit starts by giving a short presentation (15-20 min) on the program. Make sure you are well prepared and use terminology from the standards you are being audited against. Refer back to the data and information you sent them.
- Compile requested data and information in a logical and highly organized manner. The documents should tell a positive story of your program from end to end.
- Don’t attempt to produce documents you know you don’t have at the last minute. It’s not worth the embarrassment.
- Ensure your BCM Office and internal audit have a clear understanding of the program to be able to speak to it as needed during an audit.
What do you do when you disagree with an audit finding?
We have been taught not to push back on audits for fear that the repercussions could be greater if we voiced our opinion. I believe that if you have solid evidence a finding was not merited, push back by all means. We have seen cases of management not pushing back for fear of repercussions and then being saddled with needless work that does not raise the resiliency of the program.
In closing, we believe working with auditors is a great investment in time that can lead to increased management focus and support when a partnership approach is used throughout the audit engagement.
Industry best practices recommend that the BCM Office align its organization's Business Impact Analysis (BIA) derived Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) with Information Technology Disaster Recovery (DR) capabilities on a regular basis. So, here is what we are finding in the industry:
- Management does not understand the alignment process and does not recognize its value.
- The business and IT have different RTO and RPO matrices, so the alignment process can be somewhat difficult to accomplish.
- IT does not provide Recovery Time Actuals (RTAs) or Recovery Point Actuals (RPAs) for the critical systems and applications.
- BIAs are conducted and RTOs / RPOs are defined by the business, but IT still sets its own timeframes for recovery based on what it can do versus what is needed.
- The business will reset the RTOs and RPOs to what IT can achieve versus what the BIA-derived demands are to continue operations. They don’t understand that these are objectives and are different from actuals.
- In limited instances, IT can exceed the RTOs and RPOs but does not communicate it to the business. They don’t want to be held to it.
In a perfect world, you should have an alignment meeting at a regularly planned interval (e.g., annually) to identify successes and gaps in business expectations and IT delivery capabilities. A simple table should be constructed to show alignment and gaps:
| RTO | RTA | RPO | RPA |
|---|---|---|---|
| 12 Hours | 24 Hours | 4 Hours | 12 Hours |
| 48 Hours | 24 Hours | 24 Hours | 24 Hours |
| 5 Days | 5 Days | 4 Hours | 12 Hours |
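As an added example (not from the post or from MHA), here is a small Python check over the rows of the table above that flags, per system, whether IT's actuals leave a gap against the business objectives, are aligned, or beat the objectives without the business being told. The system names are placeholders; the post's table does not name them.

```python
import re

# Constructed sample rows mirroring the alignment table in the post.
# System names are placeholders (the table in the post does not name them).
ALIGNMENT_TABLE = [
    {"system": "System A", "RTO": "12 Hours", "RTA": "24 Hours", "RPO": "4 Hours", "RPA": "12 Hours"},
    {"system": "System B", "RTO": "48 Hours", "RTA": "24 Hours", "RPO": "24 Hours", "RPA": "24 Hours"},
    {"system": "System C", "RTO": "5 Days", "RTA": "5 Days", "RPO": "4 Hours", "RPA": "12 Hours"},
]

_UNIT_HOURS = {"minute": 1 / 60, "hour": 1, "day": 24, "week": 168}


def to_hours(text: str) -> float:
    """Convert a duration such as '12 Hours', '5 Days' or '30 Minutes' into hours."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([A-Za-z]+)\s*", text)
    if not m:
        raise ValueError(f"unparseable duration: {text!r}")
    value, unit = float(m.group(1)), m.group(2).lower().rstrip("s")
    return value * _UNIT_HOURS[unit]


def compare(objective: str, actual: str) -> str:
    """Business objective vs. IT actual: IT must meet or beat the objective."""
    obj, act = to_hours(objective), to_hours(actual)
    if act > obj:
        return f"GAP (+{act - obj:g}h)"        # IT is slower / loses more data than the business needs
    if act < obj:
        return f"EXCEEDS (-{obj - act:g}h)"    # IT beats the objective; this should be communicated
    return "ALIGNED"


def assess(rows):
    """Return one record per system with recovery-time and recovery-point status."""
    return [
        {"system": r["system"],
         "time": compare(r["RTO"], r["RTA"]),
         "point": compare(r["RPO"], r["RPA"])}
        for r in rows
    ]


if __name__ == "__main__":
    for rec in assess(ALIGNMENT_TABLE):
        print(f"{rec['system']}: RTO/RTA {rec['time']}; RPO/RPA {rec['point']}")
```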
The BIA is conducted for a number of reasons and ensuring alignment across the organization is one of them. So, get out there and get your systems aligned.