Any organization that invests time and effort into improving its resilience is to be commended, but unfortunately many companies prioritize the wrong things in their business continuity endeavors. In today’s post we’ll look at the three most important aspects of business continuity—and share a bonus fourth item that applies to all of them.
Related on MHA Consulting: The Science and Art of Writing an IT/DR Recovery Plan
Everyone knows the old rhyme, “One for the money, two for the three show, three to get ready, and four to go.” In business continuity, the “three to get ready” are:
These are the three most important aspects of BC—the areas every company should devise recovery plans and conduct exercises for in advance in order to reduce their vulnerability to disruptions and ensure they can quickly return to normal operations after an event.
The order in which the areas above are listed is intentional. This is the order in which they should be prioritized.
There are a few reasons why this order is recommended. They include: the relative likelihood of an event affecting that area, the potential impact if the area is not addressed, and the chances that the organization could successfully improvise a response in a given area.
Why is information technology the top priority? IT has a relatively high likelihood of being disrupted, the potential impact of such a disruption is high, and the ability to improvise a response absent any preparations is effectively zero. (It is impossible to improvise a workable technology recovery plan in the middle of an unfolding crisis unless you already have the technology capability in place—meaning data protection, recovery solutions, and hardware.)
Business continuity comes next because improvising solutions in this area is more feasible than doing so in IT. This does not mean it’s a good idea. It’s potentially a very costly one. Having appropriate technology workarounds and planning for non-technology events requires planning and preparation. If you don’t plan in advance to recover your business processes, you may not be able to do so effectively in the event of a disruption. (For example, if a gas leak across the street prevents your staff from entering your facility, and no plans have been made to enable them to work from home or at an alternate site, you might be unable to deliver goods and services to your customers, possibly prompting some of them to switch to your competitors.)
Crisis management is third because—while every event needs some level of crisis management—this is the area that is most amenable to ad hoc solutions. But again, this is not to say that banking on your ability to improvise crisis management is wise. It is very risky. We routinely see companies suffer preventable wounds because they lack a crisis management plan, don’t have prepared statements for the media, have not clearly defined crisis management roles, and so on.
While the order of prioritization for the three areas is as stated, the key to having a truly resilient organization is devising well-considered plans for all three areas.
In the beginning, I mentioned that many organizations make the mistake of prioritizing the wrong things in their BC activities. I also promised to share a fourth key aspect of business continuity.
I would say that the most common misplaced emphasis is on the preparation and information-gathering stage of BC.
This might seem inconsistent coming from a consulting firm that describes the BIA as the cornerstone of a good BC program and often talks about the importance of the threat and risk assessment.
Both of those tools are critical, we believe.
But in this post we’re looking at the challenge from the point of view of an organization that has limited time and resources and little or nothing in place.
We often see organizations, when they decide to get serious about BC, get so bogged down in doing the BIAs or Risk Assessment that the business departments lose interest and disengage before any actual planning gets done.
For those organizations, we have key area No. 4:
Functional recovery. After the key areas described above, possibly the most important aspect of BC is developing a rough, functional recovery capability (rather than doing everything by the book and striving for perfection). It’s better to be at 60 to 80 percent readiness across the three main areas (IT, business processes, crisis management) than to be at 100 percent in just one. BIAs are great, but performing a BIA does not make you more prepared. Even without one, most organizations will know 80 percent of what they need to recover and in what order. Get something in place quickly. It might not be pretty, but this isn’t a beauty contest.
When it comes to shrugging off a real-world impact, even a basic and partially functional recovery plan beats a perfect BIA every time.
Many organizations prioritize the wrong aspects of BC, squandering their efforts and leaving their companies exposed. Companies should focus on the three areas of information technology, business processes, and crisis management—in that order—to ensure they can recover from disruptions in a timely manner.
Additionally, it is more important to quickly achieve some level of functional recovery capability than to get bogged down in preparation and information-gathering. BIAs and threat assessments are valuable, but quickly achieving some degree of functional recovery capability is essential.