A checklist to consider if a proposed business continuity management project would be a success based on the support offered by top management. By Sandesh Sheth, Business Continuity Consultant, Enterprise Risk Management Consulting Group, Satyam Computer Services Limited.
Top management commitment is the factor that determines the tipping point between potential success and failure when developing and implementing business continuity management projects and systems. This article is based on our consulting experience with various organizations worldwide. In almost all of the cases where we were able to successfully develop, implement and validate a business continuity management system, the topmost contributor to the success was the keen interest exhibited by top management. When we say top management, it implies the Steering Committee formed for the execution of the business continuity project.
The ten things that indicate existence of management support are:
1. Top management was the driver behind the initiation of the business continuity project
In all our successful consulting assignments the reasons for business continuity initiation has been a need felt by top management. The genesis of the need being either a recent disaster that affected an organization that they knew of; or a regulatory mandate to have a business continuity management system in place. It is usually a case of ‘top-down force’ rather than a ‘bottom-up pull’.
2. Top management was the initiator of the project charter
A project charter is a document that formally authorizes a project. A project charter issued by the top management ensures organization wide commitment for the project and the availability of resources.
3. Attendance by top management at the project kick-off meeting
Attendance by top management with an introductory briefing by top management personnel is important to get the organization-wide visibility that a business continuity project needs.
4. Validation of recovery time objectives (RTOs) and recovery point objectives (RPOs)
The BIA is a process designed to prioritize business functions by assessing the potential quantitative (financial) and qualitative (non-financial) impact that might result if an organization was to experience a business continuity event. RTO is the period of time within which systems, applications, or functions must be recovered after an outage (e.g. one business day). RPO is the targeted point in time to which systems and data must be recovered after an outage as determined by the business unit. Top management validates and, where necessary, challenges the RTOs and RPOs obtained.
5. Selection of business continuity and backup strategy
Top management makes the final decision on the business continuity strategy – for example, choosing between a cold site, warm site, or hot site based on the RTO and also the backup strategy based on the RPO.
6. Active participation by top management during emergency procedure drills
Top management actively participates in building evacuation drills, hoax bomb calls, power down procedures, lights out drills, disaster scenario simulations, etc. They make the hoax bomb call, initiate the call tree exercise, activate the fire alarm. This creates awareness on what the objective of the activity is and how the employees are responding to such simulations.
7. Observer during disaster recovery exercises at the alternate site
A top management representation at the alternate site during disaster recovery exercises signifies the importance that is attached to the business continuity project. A follow up by top management is to be involved in the review of the objectives set and achieved during the exercise and the review of the lessons learnt.
8. Attendance at local business continuity forums, symposiums, conferences and training events
Top management representatives should attend business continuity and disaster recovery related conferences, forums, etc. which expose them to industry best practices and also enable discussions with other participants in the same industry. In our assignments we actually have the Project Sponsor and Project Manager undertake one of DRII’s exams. The incentive for them is they understand what is it that we do (no more black box brigade syndrome), they could validate our deliverables and they need not hire a consultant to maintain their plans or, if they did, they knew what to expect.
9. The ability to give an elevator speech on business continuity management
For top management to be able to explain a business continuity management system, its return on investment and its components within the attention span of a spectator is the hallmark of management commitment to understanding the essence of business continuity.
10. Succession planning exercise
Validation whether the successor to the top management representatives is able to perform the same jobs as the reporting manager (top management) is the logical conclusion for an effective business continuity management system.
How to capture the value created by this article? For the business continuity coordinator / project manager / consultant: let the top management know what could ensure the successful execution of a business continuity project. We do this in our assignments where we set client expectations and our expectations from the client. This would involve explaining why it is important for top management to attend the kick off meeting, send regular updates to all managers on objectives set and achieved, create roadmaps at regular intervals to ensure course correction, set targets for exercises, etc. The start point would be the use of the parameters discussed in this checklist so that that top management could sign off on what is expected from them.
Sandesh Sheth is a Business Continuity Consultant, a Six Sigma Black Belt and a Certified Information Systems Auditor and Project Management Professional presently working for State Judiciary Information Systems in the US. He has been developing and implementing business continuity management systems for organizations worldwide for the past six years. He represents the Enterprise Risk Management Consulting Group of Satyam Computer Services Limited. Sandesh can be reached on firstname.lastname@example.org
Make a comment
•Date: 19th Jan 2007• Region: US/World •Type: Article •Topic: BC plan development
Rate this article or make a comment - click here