A journey, not a destination
Creating a business continuity plan is hard work, involving time, resources and great attention to detail. The professional usually starts with an analysis of business risk, to help an organization quantify its vulnerabilities by identifying mission-critical activities and planning for their recovery or continuance in the event of an incident. A risk assessment phase allows the organization to assess the likelihood of failure of any of their critical assets and processes. At this point, the organization begins to develop effective continuity plans, and an initial set of testing plans. The process For many stakeholders, these few steps constitute ‘the process’. After having assessed the risk and built plans to mitigate that risk when needed, management breathe a collective sigh of relief, since the goal has been reached. But has it? In fact, business continuity is not a quick Olympic sprint to a goal line; we know it is an ongoing process that must be continually tested, exercised and tweaked in order to ensure that the organization works optimally at all times. One of the key ingredients involves testing both the plans and the people involved. The post-BC program Various forms of testing form the bulk of the activities after the initial workload period of putting together an effective BCM programme. Without an effective ‘post-BC’ program well executed work can often become out of date, ineffective and at worse, redundant. We all know stories of organizations that have had to ‘start again’ and the huge effort in material and resources that this entails, when careful post program planning and adjustment would have been more effective in many cases. Importance of testing Many professionals accept that the importance of testing cannot be overstated, yet it is one of the most-frequently shortchanged steps in the process. If an organization feels that the end goal is to produce plans, with the hope that someday the plans will be tested, then that organization might well find itself in dire straits if a crisis actually occurs. The intent of business continuity is just that – to ensure that the business goes on as usual, even when circumstances are anything but usual. That calls for both building and maintaining effective and up-to-date continuity plans. BS 25999, the business continuity management British Standard, is driving the move to view BCM as a continuous process, embedded into the fabric of daily work life to an extent never before seen. As BS 25999 accreditation becomes a requirement for supplier contracts, business funding and even insurance, the requirement to test and report on the findings of the testing come to the fore. Components of testing Testing, then, takes two important forms: the testing of the plans themselves, and testing the capabilities of the personnel involved in carrying out those plans. As seasoned practitioners indicate, testing should involve rehearsing people, exercising plans and testing systems. All of this collectively can be referred to as ‘testing’, yet each individual element deserves close scrutiny. The vital side-effect of such testing that that real people – the ones we will rely on in times of crisis – become trained in the deployment of plans. Thus we will be able to rely on them more fully when the need arises. Just as athletes rely on practice to build up ‘muscle memory’ that comes into play in times of stress, so too will business continuity managers grow to rely on their subconscious remembrance of what to do and how to do it, in times of chaos. Testing the plans Testing may start with a simple tabletop exercise in one functional unit, in which relevant personnel evaluate the plan and fill in the gaps. Since an initial plan rarely covers all contingencies, there is usually some amount of modification needed. Then the exercises can become more realistic, and can encompass multiple functional units that must work together to meet the goals of the organization as well as external (e.g. regulatory) requirements. While many organizations will undertake initial testing of business continuity plans, it is not uncommon to find that either a) the testing stops after initial, rudimentary testing, or b) the testing takes place in an unrealistic environment: referees are present, the plans are tested in silos, or other unnatural events conspire to render the testing less than optimal. One of the most crucial aspects of business continuity testing is injecting the element of stress. By simulating an actual crisis situation, and involving the individuals who will take part in the response, the plans can be tested in a way that more closely aligns to the eventual usage. This will help to educate the team as to what they might encounter in a real disaster, and will help identify individuals who might not be able to handle the pressure when a crisis occurs. Reviewing capabilities Each time the plans are reviewed, the capabilities of the people who will be implementing the plans should also be reviewed. In reality, the success of any business continuity endeavour is measured by the extent to which those responsible for executing the plans can carry out their duties. Keep in mind that a disaster creates chaos, confusion, tension and stress – none of which is conducive to people operating at peak efficiency. Some people manage well day-to-day, but not so well in a crisis – and vice versa. People manage differently, under different stress loads. Some adapt to change more easily than others. Two key elements to exercising plans involve developing the assurance that: - the right people are in the right BC positions; The right person for the job An exercise of your crisis management team, if conducted in as true-to-life a manner as possible, may uncover some surprising truths. By injecting the issues of tension, confusion and stress, this exercise can show team members’ true capabilities. Certain players might function quite well in normal times, but lack the qualities needed to lead others during a crisis. It is even possible that some members of the team – even the leaders – will need to be replaced in order to ensure the highest level of business resiliency. In one such federal government exercise several years ago, the testing began in the normal fashion, however, after half an hour, the director of the crisis management team stood up and acknowledged the emergency manager was better suited to managing the crisis than he was and delegated his responsibility. While uncomfortable, the admission was in the end extremely beneficial to the team. Self limitation recognition rarely comes to the front during tests and can be one of the business continuity manager’s greatest political tests in balancing the right people in the right places. Imagine if the testing had not taken place, and the manager would have found himself unable to lead in a time of crisis! Business continuity can almost be seen as analogous to the systems involved in landing an aircraft. Air traffic control management, trained and experienced pilots, crew, passengers and a host of other people rely on one another and sophisticated systems to ensure that this flight CR-1-SIS hits the tarmac at the right speed on the right spot with everyone on board in good order. Business continuity involves using all the tools available – plans, testing, exercising and training – to reach a favourable outcome. Working together as a team Another important element in exercising the plan is to build relationships among team members – many of whom might not have worked together as a team in the past. And here, the idea of BC integration into the business becomes paramount. While it is important to get the teams together to do an exercise of plans, it is vitally important to do this any time something changes in the business. People come and go on a regular basis, and yesterday’s team may no longer be intact today. For this reason, having a truly integrated business continuity plan in all the different places you operate, in all the different departments, requires an ongoing process that itself calls for a degree of project management. An organization with a global business continuity plan has probably tested its plan locally, in the headquarters office, and is confident that the team can carry out the plan when needed. However, what level of assurance does the organization have that remote offices can react in the same timeframe? It is for this reason that BC plans should be exercised by multiple teams, covering each part of the global BC plan, and that anomalies are brought to light early on, in order to find ways to ensure smooth operation of the global team. Making corrections to the plans Throughout the testing and exercising steps outline above, lessons will be learned. Steps will be added to plans, other steps will be modified, and some might be taken out altogether. Communication within the teams will be enhanced and streamlined. Interfaces with other functional units, departments, divisions and business units will be identified, tested and modified. Individuals will be identified as possessing strong leadership skills, and may be designated as team leaders (sometimes replacing incumbents who do not demonstrate the ability to, or do not wish to, fulfil such roles). All of these changes must be fed back into the BC plans. This is how an organization builds, strengthens and maintains effective and up-to-date plans. Responding to changes in the business How often does an organization undergo change? Downsizing, mergers and acquisitions, divestitures – all of these are major changes to a business and, it is to be hoped, recognized by BC practitioners as triggering a revisit of all the steps in the process. A business impact analysis, followed by a risk assessment, and then a revision of the business continuity plans, should naturally follow such a major business change. However, even seemingly minor changes to a business could, and sometimes should, trigger a revisit of the steps in the process. A change in a production line, the addition of an important new product that is vital to the financial well-being of the company, or the outsourcing of an important service function – any of these can be reason enough for the BC team to revisit earlier steps. In fact, the simple passage of time is often the culprit. How many organizations today are relying on BIA work done years in the past? A journey, not a destination Business continuity is a continuous process, designed to ensure that your organization operates at peak efficiency when times are normal, and continues to operate efficiently when things go dreadfully wrong. This implies a system that is continually tested and exercised, with mid-course corrections taken as needed, and that continually responds to the business reality of the organization. It is a process that is totally dependent on the people who build the plans, who keep them up-to-date, and who implement them when needed. This means that the process must be built into the very fabric of the organization, becoming part of employees’ life and thought processes. To summarize: the business continuity process does not end with creation of plans and testing procedures. In some sense, it actually begins at that point. The plans must be tested in a realistic manner, and the people responsible for implementing them must be involved. These people must be evaluated to ensure that they are right for the job, and they must have a chance to practice what they will do in order to internalize the steps so that they can react naturally in times of crisis. Finally, the plans must be kept up-to-date not just in terms of standard processes and people, but also in terms of the actual organization’s goals, evolving structure and business requirements. Author:
•Date: 12th Sept 2008• Region: UK/World •Type: Article •Topic: BC general |
SPONSOR: Business Continuity from Backup Technology
Copyright 2010 Portal Publishing Ltd • Privacy policy • Contact us • Site map • Navigation help