Get The Business Continuity [Re]Vision Builder Guide
How to Implement a Focused Business Continuity Program
Feel like you have too many plans?
Feel like too many of your business processes are deemed “critical”?
Unsure of who should participate in the business continuity planning effort or if you’re allowed to engage the business?
If so, then you should revisit your business continuity planning drivers and review the scope of your business continuity program to achieve the right focus.
The Frame process from Castellan’s Business Continuity Operating SystemTM (BCOS) helps focus your business continuity program, drives alignment with the organization’s strategy and culture, and sets the stage for an appropriate level of engagement.
One of the issues most organizations experience is that key decision-makers and influencers are not consistently on the same page when it comes to program design parameters. This issue often leads to a program lacking in focus and engagement, and one characterized as inefficient. At the beginning of a business continuity project, with a focus on implementing a “year one” business continuity program, the person responsible for business continuity should plan to conduct a Frame meeting to effectively engage all key stakeholders designed to sync on drivers, scope, expectations, risk tolerance and program participation. By the conclusion of the Frame meeting, the program manager will have all the necessary information to finalize the business continuity engagement plan (described below) and complete business continuity program process documentation, which commonly takes the form of a policy statement (that summarizes what the organization should do), standard operating procedure (that describes how the organization will perform business continuity, and a business continuity steering committee charter (to summarize how leadership will engage with the program).
The remainder of this article discusses how to prepare and facilitate the Frame meeting and use the information to engage the organization during the BCOS Build and Evolve stages.
Preparing for a Frame Meeting
To host a successful Frame meeting, business continuity program managers must ensure that the right level of engagement and discussion occur to answer the following four key questions:
- Why are we investing in business continuity?
- What are we trying to protect?
- How much business continuity do we need?
- Who should be involved in the program?
Frame meetings typically consist of individuals on the executive leadership team, many of whom transition to a role on the business continuity steering committee. By bringing these individuals together to answer the four questions noted above, the person responsible for business continuity should have the necessary information to launch the program and transition into the Build phase.
Identifying and Scheduling Participants
The business continuity steering committee should be comprised of senior leadership that represents all in-scope products and services, as well as senior leadership that can have significant input in shaping the business continuity program. Ideal members will have the authority necessary to help direct program efforts and the organizational knowledge to answer those four Frame questions.
As with most organizations, finding time in which all members are available can be difficult; however, it is imperative that all members are present for the Frame meeting. The dialogue among participants is key, so that they can debate with, and question, one another with the objective of getting in sync on answers to the four questions. Additionally, 100% attendance ensures representation for all products, services, and processes that contribute, preventing inaccurate prioritization of business continuity requirements.
Although the cross-functional input from an executive team or steering committee is essential, it may be helpful to have a preparation meeting with the program sponsor to get insight into drivers and expectations. Some of the discussion topics may include:
- Program drivers (e.g., customer expectations, audits)
- Current-state response and recovery capabilities
- Preliminary answers to the four Frame questions
- Frame meeting participants, and input on appetite to involve others deeper into the organization
The Engagement Plan
One of the most important responsibilities of the person charged with leading business continuity is to engage with others to design, build, and evolve the business continuity program.
Engagement often takes the form of meetings. Great business continuity programs have effective meetings with the right people at the right frequency. Great meetings lead to strong programs that, in our case, deliver the right level of resiliency. The BCOS includes, by default, four meeting types, each described in the table below. The table suggests participation, frequency, and outcomes. Organizations should not make any changes unless there is a strong business reason for doing so. If you’re interested in meeting guides and agendas, please check back, as those will be covered in a future article.
The person responsible for business continuity should create an “engagement plan” to ensure effective coordination with all interested parties, and that person may also choose to begin drafting the engagement plan prior to the Frame meeting to help identify information requirements as part of Question #4.
Core elements of the engagement plan include:
Other interested parties exist in all organizations. The board, auditors, customers, and other risk disciplines are examples of other interested parties. Consult with each to determine:
- Their motivation to engage (what you can offer);
- What they can offer to drive resiliency (what they can offer); and
- How often they need to be engaged to add value.
And for each interested party grouping, define concrete outcomes and plans to achieve each. Add those to the table above.
Thinking about the engagement plan in advance of the Frame meeting may also lead to some preparatory discussions with the program sponsor, addressing the following topics:
- Identifying the appropriate implementation timeline, including key milestone dates
- Developing role descriptions noting responsibilities, including competency requirements, optimal engagement frequency, the best method to engage, and knowledge/information-sharing requirements
- Considering any potential cultural or operational road blocks that may occur
Attributes of a Frame Meeting
A Frame meeting is most successful when all participants are actively engaged and transparent about their thoughts and opinions. Throughout the meeting brainstorming rules must apply and all issues should be openly discussed.
Facilitating a great Frame meeting requires the ability to direct conversation around the four key questions and bring everyone into the conversation. By bringing the right executive leaders together, the person responsible for business continuity can determine “why” the organization cares to develop a business continuity program (drivers and stakeholder expectations). After determining “why”, the discussion can shift to “what” the organization is trying to protect and “how much” business continuity the organization needs. To do this, the Frame meeting facilitator works with executive leadership to determine the key products and services that the organization provides to its clients (as well as the core supporting processes deemed urgent and time-sensitive). By identifying these products, services and processes, the discussion can then shift to considering “how much” business continuity the organization needs, meaning downtime tolerance and capability. After outlining the scope, purpose, and objectives, executive leaders should then consider “who” needs to be involved in the business continuity program.
With each key question, there are some subordinate or probing questions for additional discussion and should be considered when facilitating the meeting:
- Why are we doing business continuity?
- What is driving us to implement/improve our business continuity program?
- Are we a risk-taking or risk-adverse organization?
- What expectations must we align to regardless of circumstance (regulations, customer SLAs, etc.)?
- What are we trying to protect?
- What are our organizational strategy, objectives, and culture that influence scoping?
- What are our core values?
- What are the key products/services we provide to our customers?
- How do we value these products/services (e.g., revenue-based, brand image, health/safety)?
- How would you prioritize recovery efforts among products, services, and processes?
- How do you see the business in three to five years? What impact does that have on the program currently, in terms of scope and objectives?
- What do we want the business continuity program to achieve?
- “How much” business continuity do we need?
- What are the downtime tolerances for the products/services we identified?
- What level of impact on the customer and our employees are we willing to accept/tolerate?
- What are some potential threats that could lead to disruption and is there a history of disruption?
- Do we have single points of failure or are there resources that would be difficult to recover and, therefore, lead to prolonged downtime?
- Who should be involved in the program?
- Confirm the Program Sponsor: The person engaging executive leadership and accountable for business continuity program performance (this individual is typically on the executive leadership team).
- Confirm the Program Manager: The person responsible for managing the program on a day to day basis. This individual will report directly to the program sponsor and function as the liaison between the business and steering committee
- Confirm the Steering Committee Participation: Represents the interests of the organization, specifically in-scope products/services and supporting processes. This group will provide strategic oversight and support for the program, review performance metrics, and assist with prioritizing corrective actions.
- Confirm Process or Department Leads: The people providing data during the Build phase and participating in Evolve. Individuals in this group will be tasked with participating in the planning process and driving continual improvement.
- Are there any other key program participants within your organization? What other groups/teams should be notified of program progress and engaged through Evolve?
Prior to concluding the Frame meeting, the person facilitating the Frame meeting should summarize the answers to each of the four questions to seek endorsement by the participants.
Overall, the Frame meeting should take approximately 90 minutes; however, additional time or a follow-up meeting must be scheduled if the executive leadership team has not reached consensus on the program boundaries and characteristics – meaning business continuity obligations, expectations, priorities, objectives, scope, requirements, and participation.
After the Frame Meeting
The Frame process works to bring focus to the business continuity planning process and create the engagement necessary to sustain momentum over time. A successful Frame meeting ensures that a roadmap is set that is both clear and actionable for the program. Frame meeting conclusions serve as inputs into “building” business continuity capabilities and even evolving the program over time. Key next steps, beyond documenting the engagement plan (described above) include using the information gathered to create business continuity program process documentation, which is the first step in Build:
- Business Continuity Policy: Document capturing management expectations of the program and its participants, with coverage of the program purpose, objectives, and scope.
- Business Continuity Standard Operating Procedures (SOP): Document providing guidance and standards for how to implement and sustain the program, as well as how to perform business continuity planning.
- Business Continuity Steering Committee Charter: Document establishing the governance committee, including a description of roles and responsibilities and what engagement looks like over time.
BCOS Frame enables a focused approach to business continuity planning that is aligned to your organization’s business strategy (and its most important products and services) and right-sized for its needs.
If you would like to discuss how to execute the Frame process in your organization, please contact us today. We’re excited to learn more about your program, challenges, and goals. We look forward to connecting with you soon!
Get business continuity insights delivered to your inbox.