How to build the perfect business continuity management soufflE...

Get free weekly news by e-mailChris Bakowski, senior consultant, Linus Information Security Solutions Pty Limited.

In order to make the perfect soufflé, you need a combination of factors to ensure that the end result is people asking for more! What are those factors to make the perfect soufflé? You need a combination of the right; recipe, ingredients and equipment.

The same hold true for the development of a business continuity plan.

The business continuity soufflé will only be successful and effective if it has:

* A recipe i.e. the right framework,
* The right ingredients i.e. BCM process and governance
* The right ‘equipment’ i.e. BCM software or a central repository for the development and maintenance of your BC plans.

A proven recipe to a chef is like a proven framework to a business continuity manager. This will ensure that the organisation has a structured approach to deliver appropriate business continuity capabilities.

Now that we have selected our recipe we then need to choose the right ingredients. What are our key ingredients?

Strong BCM governance:

Our (Linus) extensive experience in facilitating and mentoring organisations in the development of their BCM capabilities shows that unless BCM is supported at the most senior executive level, then the resulting business continuity capability will be inadequate.

Historically, sceptics within the organisation will argue the point of “Why do we need a business continuity plan when our organisation has never experienced a disaster or hasn’t had a need to invoke such a capability in the past?” In order to address these sentiments, it is imperative that the Governance Group consists of senior management who have authority to make decisions. They must also be active in creating interest and ensuring that their key business staff are provided with appropriate time to contribute to the process.

Essentially the key BCM Governance Group members need to lead by example and actively promote and encourage participation in the BCM process.

As equally important, the BCM Governance Group needs to be accessible i.e. available to meet, review and sign off on each stage of the BCM process as each key milestone is achieved.

Workshops vs. questionnaires:

We would strongly advocate the use of workshop(s) as opposed to conducting questionnaires as a key ingredient to obtaining critical information specific to the organisation and its business activities. The rationale for conducting Business Impact Analysis and Resource Dependency Analysis workshops is because they:

* Require the business to participate and make decisions.
* Ensure business buy-in and ownership of their strategies and cost implications to implement business continuity capabilities.
* Where external support is provided, workshops reduce the consultancy costs by:
- passing some of the work load to the client’s staff.
- ensuring BCM knowledge transfer.
- providing an internal reference or contact for all BCM related issues.

Workshop participation:

Another key ingredient to our BCM soufflé is that senior management must attend and contribute to the Business Impact Analysis and Resource Dependency Analysis workshops. Their active participation will have numerous tangible benefits, including:

* Showing that they want to participate as well as contribute to the BCM process.
* Ensuring that appropriate knowledge and experience is available to identify the key business activities performed within their respective areas. And
* Ensuring that they will be pragmatic rather than ‘trying to protect their patch’ particularly if their peers are also included and involved in the workshop.

Resource based recovery vs. scenario planning:

Historically we have seen evidence of organisations building business continuity plans that relate to a specific scenario i.e. trying to predict what type of event may take out their organisation and building a specific business continuity plan to negate this threat. We regard this type of thinking as ‘old school’ and would strongly argue that this approach is flawed.

The rationale for this statement is based on the fact that scenarios are infinite in nature and hence no organisation could possibly pre-empt every possible threat that may cause some form of operational disruption. A case in example is staff working in a call centre entering into a Tattslotto syndicate and winning Division 1 on Saturday night and all resigning on Monday morning. How would you build a plan to resurrect business services based on this scenario?

‘New school’ thinking says, ‘I don’t care or need to know what is the cause of the operational disruption is, but what I do need to know and plan for, is the resources that been lost, damaged or impacted as a result of the disaster’. This approach is far more pragmatic in that resources used within an organisation are finite in number and can be easily aligned to those business functions deemed to be time critical.

The Linus mantra is ‘scenarios are infinite, but resources are finite’
Scenarios do have a place in the BCM process, but only when you want to test the BCM capability. It is during an exercise where the use of scenarios helps the participates work through both emergency response and business recovery phases of a disaster and the facilitator and observers involved in the exercise can gauge their responses in a simulated and controlled environment.

Don’t eat the elephant in one bite!

Through the data gathering phase i.e. BIA and RDA workshops, a significant number of business functions will be identified that will have a range of pre-determined recovery timeframes. In some cases we have seen organisations with in excess of 500 business functions with recovery time frames which range from a little as one hour through to one year and beyond.

For organisations not familiar with the process of creating a business continuity capability, this can be a daunting task in trying to create a capability that accommodates all of these business requirements.

Business continuity management is about being pragmatic but also creating a capability in a planned manner. Where the scale of the organisation is significant, it is important to consider staging or scoping the business continuity capability in time bands i.e. Stage 1 of the BCM process may be to limit the development of the business continuity capability to focus on only those business functions that have a recovery timeframe of 14 days or less.

This approach will have a twofold benefit in that it will ensure that the scope of the BCM program of work is able to be managed far more effectively but will also help the organisation’s business continuity coordinators to gain experience and expertise if they are not overly familiar in developing a business continuity plan. They can then use their experiences when the BCM program of work is expanded beyond the first stage.

This staged approach will ensure that the organisation can create a set of plans in a relatively short period of time and will also help justify the time and commitment made through being able to show a tangible output i.e. a set of organisational wide business continuity plans, albeit limited to a specific set of time critical functions.

Once this set of plans have been validated and tested, and gaps remediated, the organisation will have greater confidence in its ability to survive a crisis and senior executive endorsement to proceed to stage two of the BCM capability i.e. developing business continuity plans for those business functions that have a recovery timeframe of 15 days – 30 days or even up to 60 days.

Pragmatic exercises:

It is critical when conducting exercises focused on either emergency response or business resumption that you do it in a staged manner i.e. ‘walk before you run’. Start with basic Level one exercises where you simply have key managers sitting around a table reviewing key procedures and emergency response plans as a means of identifying gaps in the BCM documentation.

Once there is a level of confidence within the organisation regarding the accuracy and completeness of the BCM documentation, it is then appropriate to conduct a level two - walkthrough exercise. That is, create a scenario that may trigger the BC plans, but conduct the exercise in a controlled environment to ensure that the exercise itself does not create any negative reactions from key stakeholders or your customers and does not create any inherent risks.

When conducting exercises it is imperative to ensure that the scenario used is pragmatic and realistic as creating an implausible scenario will result a lack of buy-in from the key participants.

What are our tools that will go into making our perfect BCM soufflé?
The final element that contributes to making the perfect BCM soufflé is having the right equipment to ensure that the organisation can create, manage and maintain its plans in an effective manner.

Too often organisations will develop paper based business continuity solutions using MS Word and MS Excel which appear to be okay, but the difficulties arise when the BC coordinator tries to implement changes to the structure and content of the business continuity plans. The realisation is that there are no ‘links’ that enable these changes to be reflected through-out the plans.

These paper based plans also create issues regarding accessibility of the information, the ability to integrate new areas and functions across the organisation as well as the ability of the organisation to maintain its plans so they always reflect the needs, technology and structure of the organisation.

To ensure the effectiveness of the BCM program of work and the ability to ensure the continuity of the organisation’s BCM capability, consideration should be given to having a business continuity software solution. This provides a central repository for the BC plans, is accessible 24/7 and ensures that changes required to be made to the plans can be easily integrated and are simple to complete.

Without the right tools, the soufflé recipe and ingredients will not be effective and will disappoint your tasters.

In summary, the perfect BCM soufflé needs a combination of the three key elements being the right recipe (BCM framework), right ingredients (BCM stages and process) and the right equipment (BCM software) to make sure your tasters come back for more. Bon appetite!

Chris Bakowski, senior consultant, Linus Information Security Solutions Pty Limited

Date: 28th Nov 2007• Region: Australia/World •Type: Article •Topic: Plan dev.
Rate this article or make a comment - click here

Copyright 2010 Portal Publishing LtdPrivacy policyContact usSite mapNavigation help