Sweating the Big Stuff: 5 Things that Really Matter in BCM
Do you know the book “Don’t Sweat the Small Stuff”? Today’s post is about sweating the big stuff.
It lays out the five things that matter most for the success of your organization’s business continuity management (BCM) program.
DETAILS, DETAILS
Most business continuity managers are extremely detail-oriented. They have to be to do their job. If BCM teams don’t sweat the details of what they do, then their work is probably not very good and whatever plans they have made can probably not be relied upon.
However, everyone has the defects of their good points. Sometimes, people who are very detail-oriented can become focused on the wrong or less impactful items.
Imagine that you have been in a fender bender caused by another driver. The detail-oriented person gets out and carefully takes pictures of all of the scrapes on their car caused by the collision. The overly detail-oriented person does the same thing while not realizing that the front half of their car is hanging off a cliff.
By this definition, there are a lot of overly detail-oriented people on BCM teams!
We at MHA have found over the years that many BCM programs are obsessing over minor dents and scrapes at the same time as their programs are hanging off a cliff, so to speak.
With all that in mind, we thought it would be worthwhile to remind you about what really matters when it comes to business continuity management.
THE 5 KEY THINGS
Here are the five things you should most focus on in running a BCM program:
1. Program Design
This is the framework you create to manage the BC program. It includes a level of control, backing, and structure and an overall program design that aligns with your other corporate initiatives. The framework ensures that management and staff remain focused on what matters. It includes the policies, program management of issues, and coordination of the rest of the organization’s groups as they perform their tasks. How much organization do you need? Less is probably more, especially at the beginning. Basic policy and roles are probably enough to get started. Management buy-in is key. Functional buy-in is key. Words alone get you nowhere and can become the focus while the functional capabilities or gaps are not addressed.
2. Business Impact Analysis
The Business Impact Analysis (BIA) is the technique used to determine the organization’s tolerance for risk to specific processes and characteristic pattern of loss arising from a disruption. The resulting data establishes timeframes for recovering these functions and processes and their associated systems and applications. This does not need to be overly complex. The most important items are the systems used and any dependencies, along with any critical documents that may not be available on your systems. Understanding the time in which a process needs to be available (recovery time objective or RTO) can be accomplished with a formal BIA. Often, a quick “gut check” is accurate enough. Preparation is important but need not be overwhelming. The BIA is a key data gathering activity and should not be ignored. The most impactful data concerns the systems and dependencies. The identification of the RTO is important and constitutes the main data point, but it does not have to be a time sink.
3. Risk Assessment
This involves the collecting of potential risks associated with people, processes, systems, and environmental circumstances. The assessment identifies the risks and potential impacts related to those risks. This is then used to identify strategies and priorities to remediate the risk or known gaps. This area should be modified as times and business needs change. If you continue to list the same threats and risks as you did 10 or 15 years ago, you’re probably wasting time on past threats and missing new ones. Focused effort here provides the information about what actually should be addressed rather than just checking the box that what has been done in the past or is in place is sufficient.
(For more information, see our post Compliance and Residual Risk – It’s Not Just for Big Companies.)
4. Continuity Planning
The Business Continuity Plan (BCP) is not the ultimate backstop where risk mitigation measures have failed or were inappropriate and the organization faces a potential disaster. The BCP identifies the people, processes, systems, and other structures that must be provided to the company in a timely fashion to ensure its survival during a crisis or disruptive event. Risk mitigation should prevent or at least minimize impact. No matter what, you need a BCP and it must integrate with the mitigation measures in place. There may be business tasks which need to be modified based on the mitigation strategies or solutions in the event of a disruption, including manual workarounds to use while systems and technologies are unavailable. Remember, having something is better than nothing. Ensure your plan is actually functional and not just a task. The goal is a good checklist with actionable items rather than a narrative. These are not audit documents, but true actions that are needed.
5. Assurance (or Training & Testing)
Assurance is a set of activities that help ensure that your continuity provisions work. Training encourages staff to develop a consistent understanding of risk and continuity issues and builds familiarity with aspects that could affect them. Periodic review or audit ensures that your continuity provisions continue to reflect the needs of the business. Rehearsal and testing provide controlled means of simulating real incidents, allowing you to find and fix problems under safe conditions. If you uncover issues without fixing them, then there is no assurance. Functional testing that simulates real life and actually tries to find the holes is key. This is not the time to hide weaknesses but to shine a light on them. The only failed exercise or test is one where there are no findings or improvements.
AVOIDING INSANITY
Guard against the tendency to do the same things over and over, looking for the small flaws rather than the big one. Remember what Einstein said: “Insanity is doing the same thing over and over and hoping for a different outcome.”
SEEING THE FOREST
It’s great to be detail-oriented. In fact, it’s essential. But don’t lose sight of the forest for the trees. Go searching in a different part of the forest. You might find some interesting trees, holes, or trails that need maintenance. Keep the little things in perspective, and sweat the big stuff, as sketched out above. This might push you out of your comfort zone, but it will definitely push your BCM program to a better place.
FURTHER READING
Are you a BCM professional who wants to raise your game and protect your organization? Check out these other posts from MHA Consulting and BCMMETRICS:
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.
