It's a great feeling to have completed your BCP. Especially so, because at this moment you are in the unique and privileged position of knowing how to rebuild the business, no matter what happens. Get it signed-off and everyone is happy. A job well done, right?
Your answer very much depends on whether you mean to fully realise your plan's value as a lifeline for the business. Are you happy with an archive document or do you expect it to work and keep on working?
A good way to assess your position is as follows. Imagine there's a fire and you lose a vital production site. At every point during the recovery, from initial detection to return-to-normal, those in decision-making positions have the option to respond either in the way you planned, or they can dump your plan and trust instead to their luck and experience. And once they deviate, a return is highly unlikely.
If they choose this second path, we enter uncharted territory, an unfamiliar environment where each step, each decision is new and untested. It’s not a place you’d willingly go if you had a trusted, adaptable continuity plan in place. So, what could possibly make us ditch an apparently good BCP?
Though it pains me to say it, faced with any of these conditions in a major incident, it is probably reasonable to discard the BCP in favour of secure knowledge and experience, whilst accepting that your chances of success with a seat-of-the-pants, entirely reactive response are much diminished.
So, here’s the rub. Each of the three conditions implies activities you need to carry out after you get plan sign-off. Each is continuous and demands commitment if you want to preserve and improve, rather than undermine, your business continuity response capability. We’ve taken the time to explain the things you should do in the Blueprint below and I hope you find it useful.
As the name suggests, continuity is a non-stop, permanently-live activity. It must be kept fully aligned with the shape of the organisation if it’s to remain functional and valuable. The power that drives us to do this is Policy. It enshrines what stakeholders demand, requiring us to continually monitor, prioritise and control our activities.
The mechanism we use to do this should ideally be convenient and self-adjusting, like a car’s cruise control. Drive up a hill and power increases to keep speed constant; descend and it reduces, both effortless because of the way it’s designed.
Business continuity should be similar. When things change, the business continuity management system (BCMS) should be smart enough to detect and adjust, coping painlessly without undue lag or over-run. Get it right and the result is seamless; get it wrong and we might face overspend or leave the organisation exposed to risk.
In a car, the cruise control is most likely a mix of computer and electro-mechanical gizmos that live behind the dash and in the engine compartment. And whilst qualities such as BC leadership don’t have an equivalent well-defined home automatically, it’s a good idea to create one - a Framework document in which records for all key controls can conveniently reside. Content might include an activity planning schedule, organograms, documentation plans, test records, performance KPI, improvement activities and so on. Doing this also keeps administration data out of active BC plans, making them slimmer and easier to use.
Get all of this right and you should wind up with a BCMS that’s closely-coupled to the shape of the organisation, capable of responding quickly but economically to change so it stays on track.
A conscientious middle manager can see the business she recently joined would struggle if it was affected by a flood or similar incident. She uses her own time to produce documents but remains a voice in the wilderness, receiving acknowledgement from a few insightful others, but with no mandate, budget or support, her initiative evaporates.
She leaves and joins a competitor and relates her experiences to her new CFO who agrees to a continuity initiative. He gains support from the Board and a programme is announced, including a new BC manager role with goals, accountability and budget. Plans are developed, publicised and validated on a quarterly schedule, creating buy-in across the organisation.
Note that she has identical motivation in each hypothetical situation but is able to deliver a totally different outcome. Securing top management backing is a BCM imperative, and to do this you may need to educate and position it in a way that satisfies the organisation’s risk appetite as interpreted by senior individuals. Enthusiasm alone is rarely enough.
In peacetime, formal sponsor and manager roles may be sufficient. However, you will need to involve others (imagine a major incident where just two people know what to do). The term BC Champion is often used for someone with responsibility for continuity within a function or department. It’s usually informal but instrumental, detecting and communicating change, raising awareness and maintaining grass roots capability. You need to co-opt someone from each functional area to do this.
In an incident, you have no time to debate how your response will be organised. It must be pre-agreed with clear roles and responsibilities, communication channels and supporting facilities if herd behaviour and possible chaos are to be avoided. All this should be clearly set out in your BCP and tested regularly. Each role should be well-defined with a succession plan, updated as incumbents change. Organisation provides the foundation for capability and is a mainstay of your BCMS.
The alarm sounds just as you put the finishing touches to your business continuity plan. Evacuation takes place smoothly and everyone files out of the building. At this point no-one can benefit from your plan’s contents, no matter how good it is.
Perhaps they could access it electronically, but they don’t have the collaborative guidance, training or discipline needed to make it work, nor do they have time to assimilate it. It means they will be unable to combine their skills with contingency resources to meet deadlines they don’t yet know about. They lack the capability to recover.
So think of continuity capability paralleling the spark of life that differentiates inert bodies from living breathing people. There are steps you must take to bring your plan alive for the business, notably:
a. Build familiarity. Regularly debate, challenge and agree on each line of the plan with those who may need to act on it. Make them take responsibility for what it contains and how it links with other areas. Make sure they fully understand every action point and decision path.
b. Challenge assumptions. Pick out the individual solution threads (also called strategy options) that form the building blocks of your planned response and materially prove they work. For example, check out an alternative supplier’s promise to deliver the 1000 widgets to spec inside a week, or that IT can re-route to the recovery venue inside the 24 hours deadline.
c. Practice, practice, practice. People learn by doing and experiencing things and not simply by reviewing a document. If that’s current practice, don’t expect them to be competent when the plan gets used. They won’t know what to do and may impose an unwelcome burden, delaying your response. Schedule frequent tests and be sure to involve senior decision-makers.
By doing these things regularly you build continuity capability, the capacity to carry on doing business in the face of extreme disruption because everyone involved instinctively knows what to do.
How much did your organisation change over the past 12 months? Think about changes to products, plans and strategies, people, processes, systems and data, equipment, plant, infrastructure and more. Add to that all the variations in your relevant external environment, including laws and regulations, competition, customers, supply chains and geopolitical situations. Generally, we underestimate the scale of what’s taken place because most changes are small and fall below our radar.
Now look at your business continuity programme and you should see it aims for continuity at the point of disruption. Clearly, any response you make must be based on the here and now, not a year ago when the plan was written or last updated. Yet the chances of your plan staying current for even a few months without review are slim, from staff turnover alone.
Consider a twofold approach:
a. Proactive monitoring and measurement. Schedule regular formal reviews that include quantified assessment against one or other of the internationally adopted standards, such as ISO 22301 or the BCI's GPG. Alternatively, consider some form of practical, repeatable fitness or maturity test against policy. In any case, doing this allows you to track progress towards an agreed goal or level of achievement easily, using appropriate key performance indicators (KPI). The review should yield a list of required changes that can be scheduled-in as part of your BC programme.
b. Scanning and reactive response to unplanned change. Ad hoc and potentially comprehensive changes to the BCP should be possible in response to major operational changes that make it non-workable or inadequate e.g. a business acquisition. This implies you have a set of criteria that can be used to identify qualifying changes in operations or the external environment, such as emergence of a new risk to a line of supply.
Combine the two and you should find your BCMS and capability stay up-to-date, accurately delivering what the organisation needs.
Arguably, there comes a point where improving business continuity capability over-delivers on policy requirements and therefore offers no justifiable reason to invest more on improvement. However, the point where all requirements are completely satisfied is rarely attained.
If you adopt a box-checking approach to BCM it becomes relatively easy for a small or medium-sized organisation to superficially satisfy best-practice criteria. Box-checking, however, carries no guarantee and foments misplaced confidence, exposing the organisation to risk it believes it has dealt with. All you did was fulfil static audit criteria.
Look again at capability and the dimensions it offers for attainment and improvement. Instead of checking a box, try grading yourself on the depth to which you have achieved each practical aspect of required capability. Taking this route can lead to the creation of a Capability Maturity Model or CMM, a useful improvement tool.
CMM grades each capability attribute along a maturity continuum, say from initial to repeatable, defined, capable and efficient. You can adapt these as required, knowing that scoring in this way provides a far more granular basis for measuring attainment and ultimately, improvement.
This view of business continuity takes us beyond a check-box approach and shows us what lies ahead, creating aspiration. It allows us to incrementally and systematically improve our response and hence our expectation of uninterrupted business. It allows us to better reflect, measure and deal with the effects of natural erosion due to change and other organisational phenomena. All this makes the aim of continual improvement a mantra for many professionals.
In this Blueprint we established that even the best-laid business continuity plans are susceptible to the ravages of time. They decay in direct proportion to the rate of organisational and environmental change. Unless we expend effort revising them, they rapidly become useless or worse, offering outdated, misleading advice that cannot be relied on at a crucial time.
It means that if you don’t plan to invest in BCM post-completion, your expected return on investment will go into the red, potentially within a few months of the documents being signed-off. Simply, if you want a reliable recovery capability, you categorically must take the time to keep your plans current and prove beyond reasonable doubt that they work.
It’s also true to say that light-touch maintenance covers perhaps 90% of all change. This can be carried out by a trained administrator, accessing the BCMS for perhaps a few hours each month to apply updates. Our advice is therefore to view BCM fundamentally as a two-stage activity. Simply:
1. Build a BCMS that works
2. Keep it working
Our final unsurprising revelation is that the cost of completing the first stage (cash, business involvement, investment and effort) typically far outweighs that of the second. Consequently, it attracts more kudos, attention and budget. However, during that stage and right up to its first test, your plan has comparatively little value. It becomes useful when it enters stage two and only then can any return on investment start to be realised. So what does it all mean? Simply, that you spent all this time, money and expertise on getting in good shape, and that you should absolutely maintain the momentum you built. Don't take your foot off the gas - get it there and keep it there.