The Top Five Ways to Fail At Business Continuity*

By Ryan Hutton and Jacque Rupert

*Editor’s note: Five real-world examples of how to overcome these “top five” are included in an addendum following this article.

Experienced business continuity professionals often advocate a series of accepted practices to increase the effectiveness and quality of a business continuity program. Common activities include conducting a business impact analysis (BIA), documenting plans, exercising response and recovery capabilities, and training key personnel. However, despite the close attention paid to the details of methodologies and best practices, business continuity professionals often find their programs are not as successful as they should be.

There are many factors that can contribute to a “less-than-perfect” business continuity program – or a program that truly fails to meet management expectations. What are those fatal mistakes that should be avoided and how can an organization prevent them from occurring? This article discusses five of the most common reasons why business continuity planning initiatives fail, their consequences and what can be done to avoid them.

1. Failing to Understand the Organization

Too often, business continuity professionals attempt to enhance their program by hastily layering in tools and software applications. However, this often becomes a waste of resources because a key underlying issue is a failure to understand the organization and its key products and services.

Business continuity is a process designed to mitigate risk within key areas of the organization. The source and type of risk that an organization desires to mitigate must be uniquely identified by management – because it is impossible to eliminate all risk. To ensure that the program is attempting to mitigate higher priority risks, business continuity professionals should have a solid understanding of the organization’s strategy, its essential products and services, and its long-term goals. This knowledge must originate from the organization’s highest level of management. Without this direction, the program may be mitigating risk with effective approaches and methods; however, it may be focusing on the wrong aspects of the organization or addressing risks associated with less critical products, services and business activities.

Solution:* A business continuity program should be designed to continuously align with the organization through direct communication with management. The best method to build and maintain this alignment is through a steering/advisory committee. This steering committee must stay apprised of the program’s current capabilities and provide continuous feedback based on strategic need and criticality. In addition, business continuity professionals should build and maintain a general knowledge of the organization in order to enable an appropriate level of readiness and focus. The following activities provide some practical ways to maintain a current understanding of an organization:

• Annually take a tour of relevant facilities (manufacturing, corporate, distribution, call center, etc.).

• Regularly talk to managers or other subject matter experts about their processes (at lunch, after work or during scheduled meetings).

• Regularly attend meetings not directly related to business continuity, but perhaps related to other areas of risk management or business strategy decision-making.

• Continuously stay involved in organizational change management presentations and discussions.

2. Executing Methodology Instead of Managing a Program

There are a wide variety of business continuity methodologies and standards, all of which are designed to improve how organizations create and continually develop and improve their business continuity programs and practices. Although building a program based on best practices is a great starting point, without an overall strategic goal linking the activities together, it can quickly become a “check-the-box” exercise that does not provide the intended value – or result in an appropriate level of readiness.

For example, many methodologies recommend performing analysis activities, like a business impact analysis and risk assessment, to identify key recovery objectives, business continuity risks, dependencies and resource requirements. These activities can be time-consuming and therefore a tremendous amount of value is expected of them. These types of analyses can provide great insight if they focus management on planning for the continuity of the organization’s most critical activities and identify the most appropriate risk mitigation, response and recovery strategies. To be successful, the results of these analyses must be actionable, succinct and aligned with the organization’s most critical products and services (and the underlying organizational strategy) or they will provide no value at all. They must also enable continuous improvement.

Solution:* When a business continuity program is initially developed, the business continuity professional should identify planning activities that align to management’s risk tolerance and desired level of readiness. These activities should offer insight into the organization, with the outcome of each step enabling decision-making. If a program has already been started, these activities simply need to be re-evaluated or redesigned / integrated to ensure that they occur with a consistent direction or purpose throughout.

Organizations should utilize methodologies and standards to assist in the development or redesign of a program. However, they should use these as guidelines as the organization considers the overall set of interrelated program activities that will lead to an appropriate level of readiness. To summarize:

• Engage management to establish priorities and scope.

• Take the time to explain the business continuity planning approach and how each step builds upon the previous work completed.

• Clarify that business continuity is a recurring effort that assumes a long-term commitment and continuous improvement.

• Execute business continuity planning activities that build upon one another, with a focus on improving readiness when faced with a disruptive event (see table).

3. Unnecessarily Using Business Continuity Jargon

As expected, business continuity jargon can be confusing to non-business continuity professionals. Jargon includes acronyms such as EOC, RTO, RPO, BIA and COOP, or common terms with different meanings such as emergency response or disaster recovery. Using these types of terms can create frustration and unnecessary barriers when trying to communicate with business and technology stakeholders.

Many business continuity programs rely on non-business continuity professionals throughout the organization to participate in the development, execution and implementation of key activities. Using excessive business continuity terminology creates an additional learning requirement, above and beyond the training requirements that are needed to effectively enable non-business continuity professionals to participate in business continuity planning activities. Personnel throughout the organization will find it valuable and efficient when business continuity professionals avoid their jargon and speak in a language they understand.

Solution:* Wherever possible, eliminate the use of business continuity terminology and acronyms. This could mean using “plain language” or terminology normally used by the business. Alternatively, take the time to explain concepts that normally are summarized using a business continuity term (e.g. an alternative to using the acronym RTO might be “when an organization needs to begin operations”). Additionally, use terminology specific to your organization, and leverage appropriate processes and methods used to describe and measure organizational performance. It may be necessary to use some business continuity terms; however, these should be explained every time they are used and always used in a concise manner. Lastly, to avoid confusion, be sure to use terms consistently once they are introduced.

4. Unrealistic Recovery Objectives

Many organizations request that each business unit or business process define their own recovery objectives during the analysis phase of a business continuity planning effort. However, managers often struggle to define the appropriate recovery timeframe because:

• They lack a context to make this decision because they are often not privy to the criteria that establish criticality, or they may not be aware of the maximum downtime expectations for key products and services (as approved by the organization’s business continuity steering committee).

• It is often difficult for managers to objectively determine the criticality of their own business processes. The tendency is for individuals to consider their process as more critical than it actually is, thus requiring significantly more investment than necessary. The cost not only affects the individual business process, but also ripples through to key interdependent processes, resources and technologies. On the flip-side are those managers that select recovery objectives that are longer than appropriate. Many process owners are tasked with managing competing priorities and face a dilemma – recommend a less aggressive recovery objective that requires less to enable and maintain, or instead, recommend a more appropriate recovery objective that may consume more resources.

Solution:* To ensure that the organization defines recovery objectives appropriately, business continuity professionals should stay actively involved with process owners throughout the analytic process. This involvement will ensure that managers understand executive expectations regarding downtime tolerances, as well as the criteria used to establish criticality.

Business continuity professional involvement will also assist with clarifying expectations that:

• A recovery objective simply means the time at which the process or technology restarts.

• Only minimum capabilities are needed at the recovery time objective.

• The recovery time objective, combined with the time necessary to develop or deliver the product / service (commonly known as cycle time), should not exceed management’s downtime tolerance.

5. Failing to Create a Culture of Business Continuity

A business continuity program can have the best people, systems, analytic conclusions, strategies and plans, but that same program will fail if it does not have the support of the business or if the business fails to think about risk mitigation and recoverability when making day-to-day decisions.

A culture that fails to take into account business continuity implications can be easily diagnosed each time the business experiences a significant change and business continuity requirements, strategies and plans remain the same. Similarly, when managers fail to consider business continuity implications before making a decision, the business may be put at risk, or the costs associated with adding business continuity-related controls can escalate. All totaled, in these situations, it is clear that the business continuity program has failed to deliver a “business continuity culture”.

Solution:* Although this proposed “fix” sounds rather simplistic, the key is for the business continuity professional to participate continuously in organizational change management activities and develop / implement a training and awareness program targeting management’s decision-making process. Emphasizing proactive risk mitigation decision-making and the importance of including business continuity planning as part of change management is essential to success.

Overall, you will know you have influenced your organization’s culture when people raise business continuity implications early on in strategy discussions and during the decision-making process.

Conclusions

Business continuity planning is a rather straightforward concept. However, this risk management effort is complicated by the unique manner in which it is employed in each organization, the various approaches and confusing terminology available and management’s perception of the value introduced by formalized planning activities. With that said, this article introduced five of the more important pitfalls to avoid – regardless of organization size, industry, focus or operating environment.

Creating and maintaining a successful business continuity program is more than following a set of best practices; however, avoiding these five common issues can enable a more effective business continuity capability that aligns to organizational needs and drivers, thus delivering expected value.

*For real world examples of the above solutions, see below.


About the Author

Ryan Hutton and Jacque Rupert are consultants with Avalution Consulting. They focus on business continuity, including program definition, risk assessment, BIAs, strategy, plan development, testing and training. They have extensive experience working with government, utilities, manufacturing and distribution. They are frequent authors, and can be reached at ryan.hutton@avalution.com and jacque.rupert@avalution.com, or at (800) 941-0381.


The following 5 “Case Studies” are real-world examples which complement the article above.

1. Failing to Understand the Business

Organization A engaged in business continuity planning for the past three years.  At first, the business continuity planning team had active management involvement in defining requirements, participating in exercises and enforcing business participation in the planning lifecycle.  Unfortunately, over time, that involvement diminished – they saw their time as more valuable when focused on other initiatives.  Management saw the program produce documentation, but they did not see it enabling a better response or recovery effort when compared to an ad hoc response effort with little pre-planning (with the exception of technology recovery).  The business continuity planning team became rather isolated for over two years, and as a result, became progressively less aligned with management’s perception of the most important elements of the business.  Even worse, as the organization changed, the business continuity planning team became less knowledgeable of the organization’s key products and services.  They knew the organizational chart and seemed to have BIAs and plans covering each component, but the content never seemed to resonate.  Overall, the program was stale.

Things changed when the business continuity planning team took a different angle and approached management with a different focus – that being a focus on the continuous delivery of the organization’s key products and services as opposed to a focus on ALL elements of the organizational chart.  The business continuity planning team not only demonstrated how the new focus of the program supported the recovery of key elements of the organization aligned to these products and services, but also pointed out where recovery strategies fell short.  Discussions focused on capability, the value (and efficiency) the new focus offered the organization and what customers were expecting.  Before long, management supported recurring steering committee meetings to enable continuous improvement efforts – aligned to key products and services and the components of the organization responsible for each.  As a result, requirements became clear and actionable, plans began to make sense and had real capability, and best yet, a culture of preparedness emerged that now permeates day-to-day decision-making.

2. Executing Methodology Instead of Managing a Program

As part of the creation of their business continuity program, Organization B’s newly-formed business continuity team reviewed many best practices and standards to shape their program.  After careful review of existing, external resources, the team decided to implement a popular planning tool that provided both an embedded methodology and a set of templates to assist them in their planning efforts.  Following the identification of a program sponsor, the tool-set guided them to perform a business impact analysis and risk assessment.  The business continuity team decided to take initiative and issue a survey to all departments throughout the organization.  In order to lead this effort, they used the templates that were acquired with the software tool-set.

When all the BIA questionnaires were returned and validated, the team presented the results to their program sponsor and steering committee.  The sponsor reviewed the results and returned with a number of questions inquiring about the team’s understanding of the business’ needs and priorities.  It became very clear that despite the careful attention paid to collecting completed questionnaires, the program was already in trouble because the planning team failed to offer a strategic summary and set of recommendations that resonated with executive management (or recommendations that could be acted upon).

The business continuity team decided to reconsider their approach in order to better understand the business and develop a set of recommendations for management’s approval and action.  First, the team requested an executive steering committee from their program sponsor in order to give more clarity and direction to the program.  The program sponsor assembled a group of executive managers and the business continuity team presented their approach. The team also facilitated a discussion to scope the program up front by identifying critical products and services, as well as program objectives.  The steering committee was immediately engaged, weighing in on what they considered to be critical to the strategic goals of the organization.  With the defined clarity the steering committee introduced, the business continuity team chose to perform a series of interviews to explore current-state operations and performance metrics, interdependencies, resource dependencies and overall recovery objectives – with impact-oriented justification.  The team then summarized these requirements and structured a presentation that allowed the steering committee to react to the recommended requirements.

Overall, the presentation and summary report were strategically aligned to the organization’s core products and services, which enabled the ongoing development and improvement of response and recovery strategies that matter most to stakeholders.  Additionally, the steering committee stayed involved in all key program decision making and remained active supporters.

3. Unnecessarily Using Business Continuity Jargon

The new business continuity manager at Organization C had ten years of business continuity planning experience before assuming her new position, which involved the creation and development of pragmatic business continuity strategies.

As she began to embark on gaining organization-wide support for the new program, she quickly found herself unable to relate to her peers throughout the organization.  When she attempted to speak to managers regarding their department’s processes, dependencies and requirements, she often received blank stares and confused responses.  She could not understand why her co-workers at her previous company understood her questions but her new co-workers could not.  Terms such as “dependencies,” “functions,” and “RTOs” were common and understood in her previous organization, but now, no one seemed to understand, even when she provided explanations and definitions.

It was not until four months into the effort that the Director of Customer Interaction (the person charged with managing the organization’s five call centers) gave the business continuity program manager some feedback.  She said, “I’m new to business continuity. We have never done this before.  I think I understand why we need to perform a business impact analysis, write plans, and participate in exercises, but to me, the approach does not resonate because the emerging outcomes do not seem to create a call to action.  What would get me more actively engaged - and thus allow me to be more effective in assisting in the planning effort - is engaging me in discussions where we explore performance standards and expectations.  For example, in my business area, understanding what would happen if a call center failed and how that impacts metrics – like customer wait time standards and call abandonment rates – those are things that I can action and plan for.  To me, estimating impact of failure and establishing relaxed performance expectations when in recovery mode will allow me to determine the number of people I need to answer calls, the technologies I must have available to answer those calls, and even which call centers can meet these expectations in a ‘fail-over’ role.”

It was at that point that the business continuity manager finally understood her role and what she needed to do to be effective.  She realized that she needed to get away from an exclusive use of business continuity jargon and metrics, and instead, get into the mindset of the people she was working with to implement appropriate response and recovery strategies.  She then began to think of ways she could relate to them by asking questions specific to operational performance measurement, other metrics and how a customer becomes satisfied with the organization (including what differentiates them from their competitors).  By doing this, the business continuity manager was able to facilitate an in-depth dialogue that resulted in actionable requirements and solutions.

4. Unrealistic Recovery Objectives

Organization D was experiencing significant organizational change. People, products, facilities, and strategies all shifted as various departments shut down and new ones started in order to adjust to fluctuating markets and changing product demand.  Unfortunately, at the same time, business continuity planning activities and other risk management initiatives were minimized in order to provide time and resources for other priorities. Due to resource and time limitations, the program was forced to identify requirements using a quick survey that was sent to managers.  The use of the survey resulted in minimal collaboration between respondents and the business continuity program, thus the analysis had inconsistent criticality ratings, which appeared to be based on the manager’s personal perception.

After a relatively prolonged period of resource constraints, the H1N1 outbreak sparked renewed interest amongst the C-level executives.  A successful business case presentation to the executive management committee gave the business continuity manager the support needed to conduct a more thorough evaluation of requirements, since the original data gathering effort failed to gain the support of the organization’s leadership team.  This presentation concluded with a discussion that asked the management committee one question – “What are the most important products or services that we deliver to our customers and employees?”  This question led to a focused and more efficient analysis and planning effort.

A data gathering plan was developed and then approved by the executives. It included a clear description of the organization’s impact thresholds based on the availability of critical products and services (as opposed to focused on recovering the “organizational chart”), which gave business continuity planning participants a standard for developing consistent and accurate recovery objectives. The data gathering plan described an approach whereby business continuity professionals facilitated meetings with product and service-specific subject matter experts to gather business process information, identify recovery requirements, and seek final approval of the analysis.

The results were far more aligned to the way executives think.  They not only agreed with the results, but they commented that the requirements gave them something to plan for.  The planning participants also found the collaborative process provided an invaluable educational process specific to how recovery objectives led to response and recovery strategies.  After developing the final reports and presenting them to the executive team, plans were updated to enable an appropriate and cost effective business continuity capability – with an eye toward long-term continuous improvement.

5. Failing to Create a Culture of Business Continuity

Organization E had a relatively robust business continuity program – boasting dedicated staff, an appropriate budget and plans covering most organizational departments. The program was even compliant with leading standards.  However, the preparedness of the organization was found to be inadequate when a major hurricane destroyed the workspace of several critical departments and many managers were unsure as to how to respond effectively and efficiently.  Many departments responded relatively well to the disruption without too much direction, yet overall, the organization’s response seemed to be slow and several critical processes failed to meet their recovery objectives, thus resulting in significant operational, financial, and regulatory impacts.  Overall, a number of unforecasted customer expectations were missed.

The disaster forced the business continuity program to re-evaluate their priorities, but more importantly, the way in which planning takes place and how to become more effective when faced with a crisis.  The After Action Report, or “Hot Wash,” discovered a very interesting fact:

Those business activities that successfully met management expectations (and customer expectations) did more than the annual planning requirements.  Yes, they had plans, reviewed these plans, kept the plans up to date, evaluated contingency processes and resources and appropriately participated in exercises.  However, they did one thing that others did not – and it was above and beyond the “minimums”.  Simply put, they considered the business continuity implications of each decision being made every day.  Based on feedback, this made business continuity “real” and it allowed everyone to become familiar with processes, strategies and plans.  In other words, risks were minimized, but where they were unmitigated, management could focus on how to recover if those business activities failed.

Unfortunately, the organization’s crisis management process was not immune from this deficiency.  The primary reason – triggers, team membership and response procedures failed to reflect the reality of how this organization’s management team made decisions.  Again, periodically discussing crisis management within the context of strategic decision-making allowed the team to explore the culture of crisis decision-making more thoroughly, and the results of these discussions were reflected in processes and documentation.

Nearly two years later, a similar disaster would retest their capabilities.  This time, because of the evolution of the business continuity program, the resulting response and recovery effort exceeded stakeholder expectations and resulted in a significantly improved customer and business partner perception.