So you’ve just been put in charge of business continuity at your organization. What’s the first thing you should do? In today’s post, we’ll tell you—and also explain why it’s important and how to go about it.
INTO THE DEEP END
Many people find themselves thrust into a business continuity (BC) role with little warning or preparation.
They frequently come from backgrounds in risk management, auditing, compliance, or IT.
It’s a daunting prospect to suddenly find yourself in charge of Business Continuity/Disaster Recovery (BC/DR) for even a small organization. It’s like being thrown in the deep end as a beginning swimmer.
Unless you have ice in your veins, or significant BC/DR experience elsewhere, you’re likely to feel overwhelmed. You will have to take time to educate yourself on your new responsibilities, and the learning never stops.
But the very first task is always the same.
SCOUTING THE TERRITORY
Regardless of how you came into the job, your first task is always going to be scouting the territory. You have to figure out where your company stands in terms of its recovery planning and vulnerabilities.
Specifically, you need to get a handle on the following:
- What your current level of recovery planning is across the areas of business processes, IT, crisis management, and critical third-party vendors.
- What your organization’s critical departments, applications, and business processes are.
- What the biggest threats are.
- What the biggest gaps and areas of exposure are.
The goal is not to get a complete understanding down to the tiniest detail. It’s to grasp the general lay of the land.
In business continuity management (BCM), we can’t afford to let the perfect be the enemy of the good. At this stage, the important thing is to get a rough familiarity with the situation.
We’ll look at the reasons why in a moment.
In doing your reconnaissance, you will encounter many different wrinkles depending on your organization’s situation.
Conducting your initial assessment might take you weeks or months, depending on the size of your organization.
Here are a few of the different situations you might encounter:
- You might have a knowledgeable predecessor you can consult.
- You might be on your own.
- Your company might turn out to have comprehensive, up-to-date recovery plans.
- Your company might have a few outdated assessments and plans.
- Various departments might have worked up recovery plans on their own.
- You might find that your company has done no BC planning at all.
DOCUMENTS AND PEOPLE
In doing your assessment, you will be gathering information about two things: documents and people.
You’ll be seeking to identify any written plans and documentation that the company has that pertain to BC.
And you’ll be identifying people at the organization who can help you understand the criticality of various processes in terms of the company’s ability to carry out its mission, and the current state of recovery planning.
In terms of identifying the best contacts, the best places to start are probably your supervisor and your predecessor, if you have one.
THE BACK-OF-THE-ENVELOPE ASSESSMENT
Business continuity is famous for its formal and somewhat complicated assessments, namely the Business Impact Analysis (BIA) and the Threat and Risk Assessment (TRA).
BIAs identify which processes at the organization are most critical to its ability to carry out its mission. TRAs identify the biggest risks the organization faces, their likelihood of occurring, and the degree of damage each would cause.
This information is used to guide and prioritize recovery planning.
At this stage, you don’t have time to conduct formal BIAs and TRAs. You need to conduct quick, back-of-the-envelope assessments. You can do this by talking to a few well-informed people and asking them, “What do you think the most important processes at our company are?” and “What do you think the biggest threats facing us are?”
From these discussions, you can come up with a rough idea of the most important processes and biggest risks.
Are your quick assessments going to be as robust as formal assessments? No. But at this point, we are hustling to identify potential vulnerabilities to avoid being blindsided by a catastrophic failure. You can worry about perfection later on.
Does it still seem overwhelming? Consultancies such as MHA are available to help.
A BC consultant can be especially valuable in helping you tease out the hidden dependencies in your critical business processes and applications. These are the often-overlooked functionalities that must be in place in order for better-known technologies and processes to work properly.
I stated above what the next step is: identifying your biggest gaps and plugging them as soon as possible.
Again, don’t let the perfect be the enemy of the good. “Quick and dirty but up and running” is much better than “Perfect, but it only exists on paper.”
Get something in place to plug the biggest gaps right away. Over time, you can work on refining your assessments, beefing up your recovery plans, and building out your program in terms of governance, scheduling, and so on.
In this way, you can improve the umbrella of protection that you provide for your organization and its stakeholders.