|
By Ryan Hutton and Jacque Rupert
The following 5 “Case Studies” are real-world examples which compliment the article by the same name which was featured in the 14th annual Disaster Resource GUIDE.
1. Failing to Understand the Business
Organization A engaged in business continuity planning for the past three years. At first, the business continuity planning team had active management involvement in defining requirements, participating in exercises and enforcing business participation in the planning lifecycle. Unfortunately, over time, that involvement diminished – they saw their time as more valuable when focused on other initiatives. Management saw the program produce documentation, but they did not see it enabling a better response or recovery effort when compared to an ad hoc response effort with little pre-planning (with the exception of technology recovery). The business continuity planning team became rather isolated for over two years, and as a result, became progressively less aligned with management’s perception of the most important elements of the business. Even worse, as the organization changed, the business continuity planning team became less knowledgeable of the organization’s key products and services. They knew the organizational chart and seemed to have BIAs and plans covering each component, but the content never seemed to resonate. Overall, the program was stale.
Things changed when the business continuity planning team took a different angle and approached management with a different focus – that being a focus on the continuous delivery of the organization’s key products and services as opposed to a focus on ALL elements of the organizational chart. The business continuity planning team not only demonstrated how the new focus of the program supported the recovery of key elements of the organization aligned to these products and services, but also pointed out where recovery strategies fell short. Discussions focused on capability, the value (and efficiency) the new focus offered the organization and what customers were expecting. Before long, management supported recurring steering committee meetings to enable continuous improvement efforts – aligned to key products and services and the components of the organization responsible for each. As a result, requirements became clear and actionable, plans began to make sense and had real capability, and best yet, a culture of preparedness emerged that now permeates day-to-day decision-making.
2. Executing Methodology Instead of Managing a Program
As part of the creation of their business continuity program, Organization B’s newly-formed business continuity team reviewed many best practices and standards to shape their program. After careful review of existing, external resources, the team decided to implement a popular planning tool that provided both an embedded methodology and a set of templates to assist them in their planning efforts. Following the identification of a program sponsor, the tool-set guided them to perform a business impact analysis and risk assessment. The business continuity team decided to take initiative and issue a survey to all departments throughout the organization. In order to lead this effort, they used the templates that were acquired with the software tool-set.
When all the BIA questionnaires were returned and validated, the team presented the results to their program sponsor and steering committee. The sponsor reviewed the results and returned with a number of questions inquiring about the team’s understanding of the business’ needs and priorities. It became very clear that despite the careful attention paid to collecting completed questionnaires, the program was already in trouble because the planning team failed to offer a strategic summary and set of recommendations that resonated with executive management (or recommendations that could be acted upon).
The business continuity team decided to reconsider their approach in order to better understand the business and develop a set of recommendations for management’s approval and action. First, the team requested an executive steering committee from their program sponsor in order to give more clarity and direction to the program. The program sponsor assembled a group of executive managers and the business continuity team presented their approach. The team also facilitated a discussion to scope the program up front by identifying critical products and services, as well as program objectives. The steering committee was immediately engaged, weighing in on what they considered to be critical to the strategic goals of the organization. With the defined clarity the steering committee introduced, the business continuity team chose to perform a series of interviews to explore current-state operations and performance metrics, interdependencies, resource dependencies and overall recovery objectives – with impact-oriented justification. The team then summarized these requirements and structured a presentation that allowed the steering committee to react to the recommended requirements.
Overall, the presentation and summary report strategically-aligned to the organization’s core products and services, which enabled the ongoing development and improvement of response and recovery strategies that matter most to stakeholders. Additionally, the steering committee stayed involved in all key program decision making and remained active supporters.
3. Unnecessarily Using Business Continuity Jargon
The new business continuity manager at Organization C had ten years of business continuity planning experience before assuming her new position, which involved the creation and development of pragmatic business continuity strategies.
As she began to embark on gaining organization-wide support for the new program, she quickly found herself unable to relate to her peers throughout the organization. When she attempted to speak to managers regarding their department’s processes, dependencies and requirements, she often received blank stares and confused responses. She could not understand why her co-workers at her previous company understood her questions but her new co-workers could not. Terms such as “dependencies,” “functions,” and “RTOs” were common and understood in her previous organization, but now, no one seemed to understand, even when she provided explanations and definitions.
It was not until four months into the effort that the Director of Customer Interaction (the person charged with managing the organization’s five call centers) gave the business continuity program manager some feedback. She said, “I’m new to business continuity. We have never done this before. I think I understand why we need to perform a business impact analysis, write plans, and participate in exercises, but to me, the approach does not resonate because the emerging outcomes do not seem to create a call to action. What would get me more actively engaged - and thus allow me to be more effective in assisting in the planning effort - is engaging me in discussions where we explore performance standards and expectations. For example, in my business area, understanding what would happen if a call center failed and how that impacts metrics – like customer wait time standards and call abandonment rates – those are things that I can action and plan for. To me, estimating impact of failure and establishing relaxed performance expectations when in recovery mode will allow me to determine the number of people I need to answer calls, the technologies I must have available to answer those calls, and even which call centers can meet these expectations in a ‘fail-over’ role.”
It was at that point that the business continuity manager finally understood her role and what she needed to do to be effective. She realized that she needed to get away from an exclusive use of business continuity jargon and metrics, and instead, get into the mindset of the people she was working with to implement appropriate response and recovery strategies. She then began to think of ways she could relate to them by asking questions specific to operational performance measurement, other metrics and how does a customer become satisfied with the organization (including what differentiates them from their competitors). By doing this, the business continuity manager was able to facilitate an in depth dialogue that resulted in actionable requirements and solutions.
4. Unrealistic Recovery Objectives
Organization D was experiencing significant organizational change. People, products, facilities, and strategies all shifted as various departments shut down and new ones started in order to adjust to fluctuating markets and changing product demand. Unfortunately, at the same time, business continuity planning activities and other risk management initiatives were minimized in order to provide time and resources for other priorities. Due to resource and time limitations, the program was forced to identify requirements using a quick survey that was sent to managers. The use of the survey resulted in minimal collaboration between respondents and the business continuity program, thus the analysis had inconsistent criticality ratings, which appeared to be based on the manager’s personal perception.
After a relatively prolonged period of resource constraints, the H1N1 outbreak sparked renewed interest amongst the C-level executives. A successful business case presentation to the executive management committee gave the business continuity manager the support needed to conduct a more thorough evaluation of requirements, since the original data gathering effort failed to gain the support of the organization’s leadership team. This presentation concluded with a discussion that asked the management committee one question – “What are the most important products or services that we deliver to our customers and employees?” This question led to a focused and more efficient analysis and planning effort.
A data gathering plan was developed and then approved by the executives. It included a clear description of the organization’s impact thresholds based on the availability of critical products and services (as opposed to focused on recovering the “organizational chart”), which gave business continuity planning participants a standard for developing consistent and accurate recovery objectives. The data gathering plan described an approach whereby business continuity professionals facilitated meetings with product and service-specific subject matter experts to gather business process information, identify recovery requirements, and seek final approval of the analysis.
The results were far more aligned to the way executives think. They not only agreed with the results, but they commented that the requirements gave them something to plan for. The planning participants also found the collaborative process provided an invaluable educational process specific to how recovery objectives led to response and recovery strategies. After developing the final reports and presenting them to the executive team, plans were updated to enable an appropriate and cost effective business continuity capability – with an eye toward long-term continuous improvement.
5. Failing to Create a Culture of Business Continuity
Organization E had a relatively robust business continuity program – boasting dedicated staff, an appropriate budget and plans covering most organizational departments. The program was even compliant with leading standards. However, the preparedness of the organization was found to be inadequate when a major hurricane destroyed the workspace of several critical departments and many managers were unsure as to how to respond effectively and efficiently. Many departments responded relatively well to the disruption without too much direction, yet overall, the organization’s response seemed to be slow and several critical processes failed to meet their recovery objectives, thus resulting in significant operational, financial, and regulatory impacts. Overall, a number of unforecasted customer expectations were missed.
The disaster forced the business continuity program to re-evaluate their priorities, but more importantly, the way in which planning takes place and how to become more effective when faced with a crisis. The After Action Report, or “Hot Wash,” discovered a very interesting fact:
Those business activities that successfully met management expectations (and customer expectations) did more than the annual planning requirements. Yes, they had plans, reviewed these plans, kept the plans up to date, evaluated contingency processes and resources and appropriately participated in exercises. However, they did one thing that others did not – and it was above and beyond the “minimums”. Simply put, they considered the business continuity implications of each decision being made every day. Based on feedback, this made business continuity “real” and it allowed everyone to become familiar with processes, strategies and plans. In other words, risks were minimized, but where they were unmitigated, management could focus on how to recover if those business activities failed.
Unfortunately, the organization’s crisis management process was not immune from this deficiency. The primary reason – triggers, team membership and response procedures failed to reflect the reality of how this organization’s management team made decisions. Again, periodically discussing crisis management within the context of strategic decision-making allowed the team to explore the culture of crisis decision-making more thoroughly, and the results of these discussions were reflected in processes and documentation.
Nearly two years later, a similar disaster would retest their capabilities. This time, because of the evolution of the business continuity program, the resulting response and recovery effort exceeded stakeholder expectations and resulted in a significantly improved customer and business partner perception.
|
