Too many business continuity professionals lack a clear and deep understanding of their own business continuity management (BCM) programs. In today’s post, we’ll examine the benefits of accurate program self-knowledge and suggest ways that you can obtain such knowledge and benefit from it.
Related on BCMMETRICS: What’s Up, Doc? When and How to Perform a Current State Assessment
WISE WORDS FROM THE PAST
Many sages in the past recognized the importance of self-knowledge.
The Greek philosopher Aristotle said, “Knowing yourself is the beginning of all wisdom.” His forerunner Socrates said, “The unexamined life is not worth living.” And one of the most enduring sayings from ancient Greece is, “Know thyself.”
Of course, obtaining self-knowledge is not necessarily easy. As Ben Franklin said, “There are three things extremely hard: steel, a diamond, and to know one’s self.”
In my opinion, all of these sayings hold true in the context of business continuity. It is both very important for business continuity professionals to have a clear and accurate understanding of their programs, and sometimes hard for them to obtain it.
THE PATH TO PROGRESS
In business continuity, self-reflection is the path to progress. By truly understanding our BCM programs, we gain insights that can help us make them better. Accurate self-knowledge helps us understand what we are doing well (and should continue) and what we are not doing well and should improve.
The costs of BC professionals not truly understanding their programs can be high. BC pros who don’t truly know their programs often overlook things that act as a drag on their efforts. Such problems can reduce the program’s all-around quality and harm its ability to provide valuable and functional benefits to the organization.
In contrast, BC professionals who have a true and accurate grasp of their programs can move forward with confidence. They can preserve the good in their programs and improve the weaker areas—all of which will strengthen their programs and better protect the organizations they work for.
THREE PROBLEM AREAS
In my experience, there are three BCM program areas where the issue of program self-knowledge—or the lack thereof—is frequently an issue: management support and commitment; staffing and capability; and BC program activities. Now we’ll look at each of these areas separately.
EYES ON MANAGEMENT
One of the most important things to get a grip on, and also one of the hardest, is what your management’s attitude is toward your business continuity program.
Management’s attitude and priorities toward the BC program are something that you have to contend with, for better or worse. Some people are lucky in this regard. Their senior management is knowledgeable and supportive. Others are less fortunate. This is not to say that management does not understand the need for BC, it is their perception of the level of protection required that can vary. Sometimes education can help in bringing management around toward a more supportive approach.
In terms of management support and commitment, I commonly see one of three attitudes among senior managers:
- Some feel that a formal and complex BC is not really necessary and that the organization will or should perform BC functions as part of day-to-day efforts or as part of a project. Also, they may feel that the likelihood of an event actually happening is so small, there is little reason to invest significant time or resources. This means BC will be ad hoc; implemented as part of someone’s day-to-day job.
- BC is only something that needs to be done to pass an audit or comply with regulatory requirements; an activity where you can just check the box, addressing the issue for the least amount of work and money. Again, there is a feeling that the probability of an event happening is so small that there is only a need for the minimum amount of preparation.
- Some in management have a mature commitment toward providing the appropriate level of BC to protect the organization. This does not mean everything is mature or fully implemented, but that solutions are being prioritized and implemented appropriately based on need and risk.
Your first challenge is to honestly assess where your senior management falls on the continuum. Here are some issues you might encounter in doing so:
- Members of your management might not agree with one another. Different people might be in different spots on the continuum. For this reason, you might find it helpful to talk to each manager individually rather than assuming that any information you receive represents the attitudes of the entire group.
- You might find it worthwhile to talk to the direct reports of these senior managers (or peers of yours who work under them) to try to learn the top managers’ true attitudes toward BC.
Understanding the reality of how your top managers feel about BC is key toward conducting an effective education campaign.
How can you help management understand the need for an appropriate level of BC maturity and increase their level of support accordingly? Here are a couple of ideas:
- Create opportunities to educate them. Education can be hard and take time. One thing that can help is sharing examples of actual impacts companies have suffered rather than talking about exposures in the abstract.
- Show how the BC goals support the organization’s priorities.
- Prioritize your actions based on business need rather than just following traditional BC steps or components. Understand the business and its priorities and align the BC efforts accordingly.
Related on BCMMETRICS: How To Pitch Your Business Continuity Plan To Management & The Board
UNDERSTANDING STAFFING ISSUES
Gaps surrounding staffing and staff capability can be especially difficult and frustrating. You can at least analyze where things stand in this area and address what you find. A couple of things you can do are:
- Review the section above on understanding management commitment and support of the program. This can be a key to determining how to work toward modifying any staffing needs.
- Do the individuals handling BC have other primary responsibilities? If so, their focus will be elsewhere, and they will have limited time to devote to the BC program. You must also consider if the scope of the program is compatible with the number of hours they have available for the work, and if they have the experience and training necessary to perform the BC duties that have been assigned to them.
Here are a few things you can try to address issues involving staffing and staff capability:
- Educate management. Remember to speak their language, use “what if” scenarios, and provide them with a roadmap to success.
- Join and participate in user groups. Often the local chapters of the various BC-related groups have good resources and informative sessions, and the networking opportunities can be very helpful. People are usually willing to share, and you may be able to get some good collateral rather than starting from scratch.
- Perform a justification on needs, if appropriate. Show the business value that BC is or could be providing. For more information, see our presentation on Demonstrating the Value of your BC Program to Management.
- Reach out to an outside business-continuity consultant who can help. This should be someone who is willing to do what is best for your organization and not just use their methodology. (MHA Consulting provides this service, as do many other fine BC consulting companies.)
- Again, prioritize your actions based on the level of support that is actually available. What will provide the most value and protection to the organization? Sometimes 20% of the actions can provide 80% of the protection.
TAKING ACTION
The final area where we often see a lack of program self-knowledge is BC program activities. It is important to accurately assess the efficacy of your different program components, including:
- Business Impact Analysis. Assess the BIA data’s usefulness and correctness. Through your interviews, you have gathered both objective and subjective information that will drive plan development. It is also important that this information is understood and accepted by the organization at all levels.
- Risk Assessment. Assess whether your Risk Assessment process and results provide actionable information rather than just being a list of things that could potentially happen, especially if the items are obvious and/or have been remediated.
- Documentation. Assess the effectiveness and usability of your documentation (such as plans and checklists), as well as the likelihood people would actually use that documentation in a crisis event and the degree to which they have it available or know where to get it.
- Program Status and Organizational Capability. Assess the organization’s actual recovery and resiliency capability. These are two different capabilities. Being resilient implies weathering the storm and not losing functionality. Recovery refers to the speed with which you can go from down to functional. When considering both of these capabilities, you should look at the organization as a whole rather than at individual departments. Just because IT can recover systems or keep a system from going down does not mean the organization is prepared (i.e., it does not matter if applications are available if there are no people available to use them).
Here are some suggestions for dealing with the above:
- Modify your BIAs to be more effective and efficient. Don’t gather extraneous information here; stay focused on impacts, dependencies (internal, external, technology), and single points of failure over long discussions on Recovery Time Objectives.
- Modify your risk assessments to identify actual risks and the probability of those risks occurring, and group them by the level of impact. Include the level of remediation in place.
- Modify plan development to be based on checklists and institutional knowledge rather than on detailed procedures (which people already know). Plans should focus on actions to be taken based on the type of outage (that is, facility outage, resource impact, or technology impact), not the specific potential risk or the reason for the outage (bomb, fire, flood, and so on).
- Ensure you and your organization know your actual overall resiliency or recovery position, not just the level of preparedness of individual departments or application capability. Remember, we are dependent on both internal and external factors, so just because one area is prepared, does not mean the entire organization is prepared.
STANDING THE TEST OF TIME
I don’t know what Aristotle and Socrates’s opinions were on business continuity, but their thoughts on the importance of self-knowledge have stood the test of time.
And program self-knowledge is definitely important to you as a BC professional.
A clear understanding of where you program stands—especially in the areas of management support, staffing, and program activities—are invaluable for helping you improve your program and better protect your organization.
FURTHER INFORMATION
For more information on this and other hot topics in business continuity, check out the following recent posts from MHA Consulting and BCMMETRICS: