
Strategic Planning for BCM

By Eric A. Beck


By applying strategic planning methodology when developing business continuity policy and standards, practitioners can gain acceptance of their program proposals at the executive level and enjoy greater program success.

Most business continuity practitioners are well aware of recent regulatory initiatives (e.g., Sarbanes-Oxley, Basel II) driving improvements in both corporate governance practices and internal operating controls. These regulatory drivers have created new awareness about the need for operational continuity at the boardroom level of most public corporations, and other organizations as well. They have also provided practitioners with new political leverage to make their case with executives for increased investment in formal Business Continuity Management (BCM) programs.

However, many practitioners still find difficulty in laying a credible administrative foundation for their BCM program proposals, a foundation that requires effectively written business continuity policy and standards. By applying strategic planning methodology when developing BC policy and standards, practitioners will not only enhance the credibility of their BCM program proposals at the executive level, but increase the probability of successful program implementation.

Business continuity policy and standards are the key foundation of a well-defined and effectively executed BCM program. Policy should communicate executive management's mission and vision for business continuity risk management, its key risk management objectives, and fundamental responsibilities assigned for program development and implementation. Standards, on the other hand, should present the strategy (i.e., method or approach) for implementing key elements of a BCM program. Without such policy and standards defined and adopted by executive management, BC practitioners can often find themselves spending more time explaining the benefits of BCM to middle management than actually mitigating risk.

Many BC practitioners will struggle when attempting to draft BC policy and standards for the first time, particularly when it comes to structure and content. This could be due to a lack of experience in communicating at the executive level, or confusion about the distinction between policy and standards. For those in the middle of this struggle, however, there is good news. By understanding the structured thought process associated with strategic planning, practitioners can use this process to develop a more effective presentation of BC policy and standards that will increase chances for executive approval and adoption. First, however, we must understand the basic steps of the strategic planning process and their relevant application to BCM.

What Is Strategic Planning?
Strategic planning is a well-established management discipline providing a structured approach to problem analysis and resolution. First developed by military planners for development of strategic and operational war plans, strategic planning was adopted by corporate planners during the 1960s as a structured method for developing business strategy (Mintzberg, H. The Rise and Fall of Strategic Planning. 1994. New York: The Free Press). Since then, the analytics of strategic planning methodology have become a mainstay for decision making across a wide array of disciplines in both the public and private sectors. In our case, strategic planning provides a roadmap for designing effective and workable BC policy written in the language of governance and executive decision making.

Although one can find several variations in approach, most strategic planning models structure problem analysis around a common methodology with clearly definable steps. As applied to BCM, these planning steps include:

1. Draft a Mission Statement:
A mission statement is often a single sentence or paragraph that answers the question "why does this thing exist?" In a general business context, a "thing" could be a company, a program, a business unit or department, a product or service, or various other things. A mission statement will often include a statement that defines the problem that is subject to analysis and resolution, and a statement of vision for a desired future result or end-state. In the context of establishing a BCM program, a mission statement should answer the question "why does the BCM program exist?" and may define the scope and nature of business continuity exposure as an operational risk management problem.

2. Establish Objectives:
The terms "objectives" and "goals" are often confused in the context of strategic planning, but they are not the same. Objectives are desired outcomes of a strategic planning process and are typically defined qualitatively. Goals, by contrast, are quantifiable metrics that measure steps accomplished along the way to achieving a desired objective. In the context of BCM policy, one should focus on defining broad risk management objectives and assign the definition of goals (metrics) as a task oriented to the development of BCM program standards. For example, an objective would be to establish the scope of business operations for which a viable recovery capability will be developed (i.e., both mission critical business functions and information systems).

3. Define Strategy:
To paraphrase Michael Porter, lead professor of Harvard Business School's Institute of Strategy and Competitiveness, strategy is the choice of a unique value proposition that results in performing activities differently than competitors. A more generic definition would be a method or approach to achieving an objective. If we have established business continuity objectives (or outcomes) of a BCM program, a business continuity strategy would define our method or approach to achieving the objectives of this program. Methods would include a general approach to implementing key elements of a BCM program such as governance, crisis management, risk assessment, strategic and tactical planning, validation testing, quality assurance, and training.

4. Implement Tactical Solutions:
Tactical solutions refer to the elementary activities, procedures, or capabilities that collectively execute a defined strategy and produce results that achieve established objectives. In a BCM context, tactical solutions will implement a broad set of requirements that result in a viable and executable recovery capability. These requirements typically include establishing and training staff in their recovery roles and responsibilities, implementing effective vital records and data backup procedures, establishing a resilient telecommunications infrastructure, acquiring alternate operating facilities, procuring redundant equipment and infrastructure, and documenting business recovery actions and procedures.

5. Validate Tactical Capabilities:
Validation testing is a key post-implementation activity that provides a level of confirmation that solutions or controls are operating as expected in order to execute strategy and achieve objectives. BCM validation testing involves exercising tactical recovery plans for both business function and IT recovery in order to measure and validate capabilities to execute recovery in alignment with business requirements.

6. Ensure Quality Over Time:
Quality assurance involves tactical procedures and capabilities that measure the gap between management expectations and business performance, as well as trigger responses that ensure that they remain aligned over time. As such, effective BCM quality assurance controls act as investment protection to ensure that tactical recovery solutions perform as expected and continue to execute defined business recovery strategy.

As presented above, the strategic planning framework provides an outline for how to structure the content of business continuity policy and standards. These steps can also frame the content requirements for business continuity guidelines, tactical controls, and recovery procedures.

Strategic Planning Applied to BCM Policy Development
BCM programs are established to define and implement those processes and capabilities required to understand business continuity risk, measure exposures that threaten continuity of operations, and implement viable and cost-effective countermeasures. Such programs are born with the adoption of BCM policy, framed with the development of relevant program standards, and then come to life with implementation of relevant controls and procedures. The strategic planning framework provides us with a roadmap that follows the pattern of these program requirements.

By accurately mapping the elements of strategic planning to their appropriate counterparts in BCM program development, a BC practitioner can communicate more effectively with executive management and achieve a higher degree of success in breathing life into the BCM program. The Table above provides a description of how the elements of strategic planning map to the development of BC policy, standards, and tactical recovery requirements.

Additional Considerations in Effective BCM Policy Development
While the strategic planning framework provides an effective structure for developing content for BCM policy and standards, and for implementing tactical capabilities, there are other key considerations for the business continuity practitioner that will improve the chances of policy adoption and program success. For example:

Keep It Simple:
BCM policy should be a one- to three-page summary of mission, vision, objectives, and fundamental management responsibilities. Details of implementation method, approach, process, or key tactical requirements are best documented in BCM standards for reference by executive management as they consider relevant.

Draft BCM Policy in Its Risk Management Context:
Effective risk management requires the adoption of an enterprise-level approach that balances all required elements of risk, including market, credit, business, and operational. As a key element of operational risk, investments in BCM must be balanced against those in other aspects of operational risk that may involve information security, physical security, personnel, regulatory compliance, IT, financial and accounting control, and corporate reputation. Therefore, policy and standards should be drafted to recognize this balance, with subsequent investment priorities being established by executive management.

Incorporate Avoidance and Risk Transfer:
Business continuity planning is most often focused on ensuring resiliency and recoverability from an operational disruption. However, investments in avoiding an operational disruption are usually the optimal starting point for risk mitigation. Therefore, policy and standards should specify objectives and operational requirements that address a balanced investment in avoidance, continuity, and risk transfer vehicles such as appropriate insurance coverage.

While the business continuity practitioner may find the process of BCM program implementation a challenge, BCM policy development should not become a stumbling block to success. By applying the principles and framework of strategic planning to BCM policy and standards development, practitioners will enjoy greater success and acceptance of their program proposals at the executive level.


About the Author
Eric A. Beck is an Associate Director with the Protiviti Technology Risk Practice. He may be reached via telephone at 646-428-8222 or via email at eric.beck@protiviti.com.

 
 
Copyright ©2008 DISASTER RESOURCE GUIDE P.O. Box 15243, Santa Ana, CA 92735 714/558-8940
Fax 714/558-8901