Implementing ISO 22301: The Business Continuity Management System Standard
What Does Effective Business Continuity Management Look Like?
I recently read a column in the Disaster Recovery Journal where the editor interviewed John Copenhaver regarding Standards, Resilience and the Future of Business Continuity Management (BCM). John made the following statement when asked about the importance of standards:
“However, while these things matter [how to get the attention of top management, what methodologies to use, what the right terminology is and so on], they are not necessarily the root cause of why we as a profession are not as effective as we might be. I think that there are deeper problems to address, such as what does effective BCM look like, where is the discipline heading and where will it be in five years’ time?”
I thought the question regarding “what does effective BCM look like” was intriguing. It’s such a basic question, but, as I continued to think about it, I could see why a simple answer isn’t that easy to give. As such, I added the topic to the agenda of a recent Castellan firm-wide meeting for discussion. The section below provides a summary of our consulting team’s thoughts on this very important question.
The Environment in Which We Work (Core Challenges)
When the topic of effective BCM came up in our team meeting, a discussion immediately started regarding the environment in which most organizations operate, and how environmental characteristics impact the successful implementation of effective business continuity management thinking/solutions.
Some of the issues our consulting staff raised that they believe have an influence on “effective BCM” include:
- Risk Appetite
Risk appetite is something often discussed, but how do you get executives talking about it, how do you summarize the outcome of the discussion in order to affect organizational decision-making, and how can it be measured?
Culture is also a hard thing to describe, and there don’t appear to be proven techniques to account for risk taking/aversion and translate that into a level of preparedness.
- Risk Perception
Different management teams have different perceptions of risk. And, further, risk perception is often heavily influenced by past experiences with disruptive events. How do you sell management on preparedness without threats of organizational catastrophe or personal liability?
Change is a near-constant phenomenon in today’s organizations – in both the public and private sector. As such, traditional annual planning processes often fail to keep up with such change, and implementing business continuity solutions after the fact is often far more expensive and complex.
- Resource Constraints
Resource constraints are also a recurring challenge – both in terms of monetary resources and personnel time. Similar to the comment above about organizational change, considering and implementing business continuity solutions as part of change management processes is often far more efficient.
- Threat Environment
Regardless of geography, it seems as if organizations face a far more expansive threat environment when compared to years past. As such, there is a need for organizations to implement flexible response and recovery processes – and unique crisis management team skills – that address a wide variety of potential scenarios.
- Standards Development
International standards are establishing expectations for business continuity management. This is helping enable discussions between entities regarding preparedness expectations.
Too many organizations think BCM equates to creating plan documentation. This misconception often fails to create personnel awareness and a process to understand risk.
Based on these eight issues, it’s clear that a one-size-fits-all solution will not work in all organizations and in all situations, which is why “effective BCM” is so difficult to describe. Some organizations will be very adept at proactive preparedness planning as part of organizational and technology change management processes, whereas others may excel at implementing preparedness solutions as part of a more traditional business continuity planning process. Regardless, there are some common characteristics associated with organizations with effective BCM.
What Does Effective BCM Look Like?
As noted in the introduction to this perspective, Castellan couldn’t come up with a simple, one-sentence answer to this important question. Instead, here’s a summary of what we feel are organizational characteristics associated with effective BCM:
- A culture of preparedness where employees and contractors consider the implications of downtime and disruption when making resource decisions (during project work and before organizational/resource change takes place)
– Initial discussions are addressed in strategic and operational planning and decision-making, which help establish broad expectations and preparedness parameters
- A recurring planning process that establishes priorities and looks for single points of failure that require mitigation or planning
– The recurring planning process addresses the activities and resources where the risk of downtime exceeds management’s appetite and where response/recovery strategies were not developed and implemented during project work or other organizational change efforts
– This recurring planning process doesn’t just result in the development of plans for a response to the loss of resources, but also focuses equally on decreasing the likelihood of disruption
- Flexible plans and well-trained individuals that enable a timely response and recovery, regardless of scenario
- Confidence that the organization can successfully react to a wide variety of disruptive events, particularly those outside of its control (with confidence influenced by practice, continuous improvement and metrics reporting)
The key question is: how does an organization implement a program – and culture – that leads to effective BCM?
How Can an Organization Implement Effective BCM?
It’s true that a recurring planning process is needed to implement effective BCM, similar to what many organizations employ and what is described in current and emerging standards (BS 25999-2, NFPA 1600 v2010 and ISO 22301). Each of these standards calls for policy, management involvement and the closure of gaps in preparedness (based on established priorities). But effective planning goes beyond the traditional planning lifecycle (business impact analysis, strategy identification, planning, testing, training/awareness and maintenance/continuous improvement) because, after all, the planning process is a check to ensure all elements of the organization have a strategy/plan to address loss and downtime (and if gaps exist, implement appropriate solutions).
However, to be most effective and efficient, organizations need the tools and processes to think about preparedness during project mode and before organizational change takes place – rather than retrospectively. Think about the following change activities and how an organization should think about business continuity management.
Overall, to be successful in this model where business continuity is engrained in organizational change management processes, there must be:
- Visible management involvement and support
- Available policy (expectations) and tools/techniques to enable:
– “Real-time” preparedness
– Recurring planning process to identify and close gaps
- Employee training and awareness efforts to keep business continuity planning top of mind
- Management review of performance measurements (metrics and gaps)
- A recurring business continuity planning process to:
– Identify gaps between capability and requirements
– Perform testing and training
– Report on performance compared to management expectations
To summarize, the Castellan team views effective BCM as part of day-to-day operations where personnel think about the risk of downtime (in a pragmatic manner) and apply the business continuity planning process to establish downtime tolerances and solutions. In essence, the traditional business continuity planning process is really a quality assurance process, a performance reporting mechanism and a continuous improvement enabler.
The keys to implementing effective BCM include management support (tone at the top), governance and measurement efforts, employee awareness processes and the tools to ensure business continuity isn’t overlooked during project activities.