Many organizations struggle with establishing a sound business continuity strategy, a foundational aspect of a strong BC program. Follow these seven steps to implement a BC strategy that can help you swiftly recover your business processes in the event of an outage.
Related on MHA Consulting: BCM Basics: Modern IT/DR Strategies
The Benefits of a Sound Business Continuity Strategy
A solid BC strategy is a fundamental component of a functional BC program. Such a strategy provides critical guidance in developing the recovery plans that are the tactical core of your program.
A good BC strategy can help you swiftly recover your critical business processes in the event of a disruption, identify gaps that need to be remediated, and determine what training is necessary.
Below are the seven steps to take to develop a BC strategy for your organization.
Step 1: Gain the Support of Senior Management
Without management support and engagement, it is difficult for a BC program to provide value and succeed in its goals. The BC team usually reports to enterprise risk. Wherever BC sits in the org chart, the senior manager responsible should form a steering committee to assist with obtaining funding and resolving issues that might crop up between departments.
One way to help the BC effort garner the support and understanding of senior management is for the team to provide regular status updates and reports on the value the program adds to the organization. The BC steering committee should inform the various business departments of the support and engagement they are expected to extend to the BC team.
Step 2: Engage a Competent BC Consultant
This step is not strictly necessary but is strongly encouraged. A competent BC consultant can provide invaluable guidance as you set about devising your BC strategy. Many consultants would be glad to talk to you about your situation for an hour or so free of charge.
If you decide to proceed on your own, such a conversation can help you get started and avoid common pitfalls. If you decide to engage a consultant, you can usually choose the level of assistance that suits you, from the occasional conversation all the way up to having the consultant oversee tbe development and documentation of your entire strategy. We at MHA are happy to participate in these types of conversations and activities.
Step 3: Determine the Members of Your BCM Team
To develop a BC strategy you need to assemble a business continuity management (BCM) team. As a start, your team should be made up of the following:
- Sponsor. The senior manager with overall responsibility and accountability for the business continuity program.
- Business Continuity Manager. The individual with direct responsibility for the business continuity program.
- Team Member(s). The backups to the business continuity manager. This could be a titled position or an assigned position.
- Administrative Assistant. The individual responsible for supporting the BCM team. This is often an administrative assistant working in the BC office, if one exists, or one of the individuals on the administrative assistant team.
Ideally, the team members will be highly knowledgeable about the organization’s departments and business processes. The BC manager can provide direction related to BC concepts and expertise. For team members, expertise in BC is less important than having the ability to interact with members of the various business departments and understanding the departments’ needs.
Additionally, representatives from the business units and IT must be involved to help develop recovery strategies for business and technology functions. From a functional perspective, the non-BC staff members will perform the work of recovery preparation. The BCM team is there to provide guidance and support.
Step 4: Identify a Basic Strategy or Plan
If your company currently has no BC plan of any kind, it might make sense for you to quickly develop a high-level, basic recovery strategy and plan, so that at least you have something in place if a disruption occurs. With effort, this can usually be accomplished in less than 30 days.
You may not be able to immediately implement the strategy you devise, but having an idea of what to do is much better than trying to come up with something during an event. This basic strategy will provide a starting point for the development of more formal and complete recovery strategies and plans.
A good way to get started in developing a basic strategy and plan is to perform a tabletop recovery exercise with your critical departments. This will enable you to identify your biggest current gaps, putting you in a position to develop and document your basic plan and strategy.
Step 5: Perform a BIA
The business impact analysis tells you which of your business processes are most critically time sensitive. It identifies which processes would cause the most harm to the organization if they were down for a prolonged period.
The BIA provides information critical to the development of a sound, detailed BC strategy. It identifies the following:
- All business processes performed and the recovery time requirements for those processes.
- Interdependencies between processes.
- Applications and systems used and their importance.
- Functional importance of applications in terms of IT.
- Shadow IT functions with critical business dependency. (It is often incorrectly assumed that the vendor handles backup and recovery for SaaS/cloud-based applications, relieving the organization of the need to think about this.)
- The full nature and complexity (or lack thereof) of the processes.
- The roles of the different departments within the organization.
- Gaps in IT recovery and business availability/recovery requirements.
Step 6: Develop the Business Continuity Strategy and Documentation
Once you have obtained management support, identified your team, and done a BIA, you are ready to develop your overall BC strategy. (You can also develop individual department strategies and actions for recovery and continued operations during an emergency or outage event.)
The steps and actions needed might include workarounds for when technology is unavailable. They should also include a plan for how functions will continue for an extended period of time in the event of a disruption. Issues to consider include: the building or location dependencies, how people will continue to work remotely if there are regional impacts, and how customers will contact the organization during the event. Your strategy should also include the IT disaster recovery plan to recover applications and technology.
In developing your strategies and actions, remember that documentation is not the end goal. The end goal is for the organization to be prepared and for individuals to know what they should do. The documentation is a supportive deliverable, not the ultimate deliverable.
Step 7: Develop a Schedule to Maintain Your Strategies
Once your strategies and plans are defined, continuous review and update is necessary. BC strategy development is not a “one and done” activity. A maintenance schedule must be decided on and communicated to the departments and strategy owners. The roadmap and maintenance schedule must include regular disaster recovery exercises. No one is able to perform without practice.
If you are compelled to make a choice between documenting your strategies and conducting exercises, choose exercises. It’s best to make sure that people know generally what to do. Plan documents have a way of ending up sitting on a shelf and being ignored. The likelihood of people using a document in a real event is minimal. Plan documents make their greatest contribution when they are referenced during exercises.
Functional continuity only occurs when BC is considered part of day-to-day operations by everyone across the organization. Resist the idea that the BC office owns BC; BC is everyone’s responsibility. The BC office coordinates and assists in updates and may have to drive people to complete the work initially. However, BC team members should avoid doing the work themselves, focusing instead on educating others on why it is important and showing them how it can be done efficiently. (The best way of doing this is through short quarterly sessions rather than in an annual review.)
Business continuity is a life cycle and should be part of organizational culture. It is a process of continual review, refinement, and improvement. Business continuity must be viewed as an ongoing function. If it is viewed as a project with an end, it will become stale and ineffectual.
Protecting Your Organization and Its Stakeholders
A sound business continuity strategy is the foundation of a strong BC program. By following the steps described above, you can develop and implement a BC strategy at your organization that can help you promptly recover your business processes in the event of an outage, thus protecting your company and its stakeholders.
For more information on business continuity strategy, and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting: