By Andy Cuerel
Business Continuity Management Systems (BCMS) encompass comprehensive and often detailed suites of activities. Comprehensive, however, does not equate to incomprehensible. And detailed should not be a euphemism for over-engineered.
Consideration of the following should help keep your BCMS lean, mean and fit for purpose!
Be clear on what your BCM needs to protect
Many large organisations are complex – in their locations, activities and personnel structures. But they rarely rely proportionally on each ‘limb’ to achieve their core strategic and operational objectives. When setting out the scope of your BCMS, be clear which sections of the business relate to which organisational objectives and prioritise accordingly.
Too often this stage is undertaken as a ‘finger in the wind’ exercise – the gut feel and opinion of the business continuity management owner underpinned with a desire to achieve full coverage. Or worse still, based on historical (read: out of date) precedent applied across other resilience activities.
Base your programme scope on understanding the impact of loss and business interdependencies. Include it because you need to, not because you can.
The KISS principle is believed to originate from the US Navy in the 1960s, where it was recognised that the more complicated the design of machinery and infrastructure, the harder it would be to repair under combat conditions. ‘Keep it simple…’ could equally apply to BCM programmes.
If you have a legitimate need to record recovery timescales in your Business Impact Analysis (BIA) across eight incremental time-bands, then go ahead. But in general, challenge any data capture activity with the question ‘what am I actually going to do with this information?’
Similarly, design and compose your plans to incorporate the minimum information required, in the most user-friendly fashion. Remember, your plans may be used in anger by non-business continuity professionals in challenging circumstances. Does it add value for the first responder standing at the muster point to read (on page 1) ‘the history of BC planning in ACME Inc’?
No? So cut it out!
Resource for the long game
All elements of a robust BCMS require periodic maintenance and review, such as BIA and plan maintenance and steering group reviews. Set those intervals and assign roles and responsibilities at the outset. If you’re developing your programme to ISO 22301 standards you’ll do this as a matter of course. But even if your approach is less formal, don’t build your programme in isolation and hope others will join in eleven months’ time.
Set out your expectations of others in advance and the long game will be much easier.
Integrate with Crisis Management
Ensure your BCMS integrates fully with your organisation’s crisis management framework if it is fit for purpose. If there is an existing silver tactical team, do not complicate matters with an equivalent business continuity team dedicated to continuity events.
A robust tiered crisis management framework should accommodate any business issue, incident or crisis, as long as its members are equipped with the right tools to coordinate and effect its response. In business continuity terms this usually means holding overarching site and detailed departmental recovery plans at silver and bronze levels respectively, thereby maintaining the appropriate distinction between ‘planners’ and ‘doers’.
Engage as well as embed
The importance of achieving awareness and buy-in at grass roots level for BCM programmes is well documented. This typically involves the dissemination of local continuity arrangements through team meetings, workshops and awareness sessions and other broadcast methods such as desk drops and lift posters. The focus is often on explaining to staff what they should expect to do, or where to go, once a continuity incident is declared and contingency resources invoked.
What is often missing, however, is the responsibility for all staff to recognise incidents and escalate accordingly in the first instance. This is particularly important for situations when the absence of a ‘big bang’ event disguises the danger of an emerging situation, such as a rise in illness absenteeism or a progressive IT meltdown. In short, staff should be clear in their role as providers of information upstream, as well as receivers of instructions once an incident is underway.