People often ask which aspect of business continuity management is most important. Is it crisis management? The recovery of critical business processes? Data recovery?
Some people don’t even bother to ask the question. They just assume they know, and typically they are convinced that IT systems and data recovery are the essence of business continuity, with everything else being negligible.
Actually the question, “Which aspect of BCM is most important?” is a tough one to answer.
It’s not tough because it is difficult to identify the potential damage to the organization of being unprepared in the different areas. Rather, it is difficult in the same way as the question “Which wing of the airplane is more important, the left one or the right one?” is difficult. Or the question, “Which legs of your tripod can you remove and still have your camera standing up steady?”
Obviously an airplane needs both wings to fly and a tripod needs all three legs to stand by itself. In the same manner, your BCM program needs to have all three elements in place for your organization to be truly resilient.
The fact is, the events that can affect your organization can be divided into three types when it comes to which aspect of BCM are involved:
- Events that impact only your information systems.
- Events that impact only your business processes.
- Events that impact both.
To be truly resilient, your organization needs to be prepared for the full range of losses it could potentially suffer, including impacts to your information systems and to your business processes, and it also needs a good crisis management plan.
That said, if you are just getting started with a business continuity program, you will need to start somewhere, and there are sound reasons for tackling the three areas in a particular order.
We’ll reveal the order and explain the reasons for it below. First, however, it might be wise to say a word or two about terminology.
Many terms that are in common use in business continuity management lack recognized definitions. Frequently, different companies call the same BCM function by two different names, and companies can use the same term to describe different things. The meanings of the terms “business continuity” and “disaster recovery” seem to be especially fuzzy.
However, it really doesn’t matter what terms your company uses. What matters is that, regardless of what you call them, you focus your efforts on the following three underlying activities:
- Developing plans to recover from impacts to your computer and information systems.
- Devising plans to recover from impacts to the organization’s business processes (accounts payable, customer service, sales, etc.).
- Making plans to manage emergencies and crises.
Devising well-considered plans for all three of these areas is the key to having a truly resilient organization.
Now, even though these three areas can be thought of as the three legs of the business continuity tripod, all of which must be present in order for your program to stand, if you are just getting started, you will need to start somewhere. In that case we recommend that you prioritize the three areas in this order:
- Information technology
- Business processes
- Crisis management
The reason for this is not that one area is more important than the others. Rather, it has to do with what can be improvised and what cannot. For some areas, there is no chance at all of succeeding on an ad hoc basis. In others it is possible to an extent to improvise solutions in the heat of the moment.
We recommend you focus on IT first because it requires more planning, cost outlay, and training than the other areas. Basically, it is impossible to improvise a workable technology recovery plan in the middle of an unfolding crisis unless you already have the technology and processes in place.
Once you have the technology piece in place, you can focus on your business process and crisis management plans.
However, this is not to say that NOT making plans in advance for those two areas is a good idea. Just because it is more feasible to come up with ad hoc solutions to the business process and crisis management areas than with the technology part does not mean that the solutions improvised are likely to be very good.
If you don’t plan in advance to recover your business processes, you could still face high costs in the event of a disruption. For example, if an event such as a gas leak near your facility were to prevent your staff from accessing the facility, and no plans have been made to enable them to work from home or at an alternate site, you might suffer disruptions to your ability to deliver goods and services that could prompt your customers to transfer their business to one of your competitors.
Likewise, if you lack a crisis management plan containing prepared statements for the media, definition of crisis management roles, pre-approved decisions regarding when to relocate to a new facility, and so on, your company might suffer reputational and other types of damage that could have been averted through better planning.
A good analogy might be the safety plans you prepare for your home. At a minimum, you need to get the technology in place—the CO and smoke detectors—so you will be alerted to the problem while you still have time to do something about it. If, in addition to your detectors, you also have plans about what to take with you, how to evacuate, and where to meet up with your family members, your chances of getting everyone out safely and containing the impact of the event are much greater.
As a final point, it’s better to be at 60 to 80 percent readiness across all three areas than to be at 100 percent in just one. By this we mean that you have critical applications, processes, and management plans in place as a starting point.
In sum, it takes both wings to fly a plane and all three legs to hold up a tripod, and it takes planning in all three areas of business continuity—technology, business processes, and crisis management—to provide your organization with true resilience.
And while it’s true that to a limited extent, in certain areas, you might be able to come up with ad hoc solutions in the heat of the moment, this is a risky strategy that flirts with disaster (pun intended).
It’s far better to plan ahead in all three of the key areas of information technology, business processes, and crisis management.