The Top Five Ways to Fail At Business Continuity

Experienced business continuity professionals often advocate a series of accepted practices to increase the effectiveness and quality of a business continuity program. Common activities include conducting a business impact analysis (BIA), documenting plans, exercising response and recovery capabilities, and training key personnel. However, despite the close attention paid to the details of methodologies and best practices, business continuity professionals often find their programs are not as successful as they should be.

There are many factors that can contribute to a “less-than-perfect” business continuity program – or a program that truly fails to meet management expectations. What are those fatal mistakes that should be avoided and how can an organization prevent them from occurring? This article discusses five of the most common reasons why business continuity planning initiatives fail, their consequences and what can be done to avoid them.

1. Failing to Understand the Organization

Too often, business continuity professionals attempt to enhance their program by hastily layering in tools and software applications. However, this often becomes a waste of resources because a key underlying issue is a failure to understand the organization and its key products and services.

Business continuity is a process designed to mitigate risk within key areas of the organization. The source and type of risk that an organization desires to mitigate must be uniquely identified by management – because it is impossible to eliminate all risk. To ensure that the program is attempting to mitigate higher priority risks, business continuity professionals should have a solid understanding of the organization’s strategy, its essential products and services, and its long-term goals. This knowledge must originate from the organization’s highest level of management. Without this direction, the program may be mitigating risk with effective approaches and methods; however, it may be focusing on the wrong aspects of the organization or addressing risks associated with less critical products, services and business activities.

Solution: A business continuity program should be designed to continuously align with the organization through direct communication with management. The best method to build and maintain this alignment is through a steering/advisory committee. This steering committee must stay apprised of the program’s current capabilities and provide continuous feedback based on strategic need and criticality.

In addition, business continuity professionals should build and maintain a general knowledge of the organization in order to enable an appropriate level of readiness and focus. The following activities provide some practical ways to maintain a current understanding of an organization:

  • Annually take a tour of relevant facilities (manufacturing, corporate, distribution, call center, etc.).
  • Regularly talk to managers or other subject matter experts about their processes (at lunch, after work or during scheduled meetings).
  • Regularly attend meetings not directly related to business continuity, but perhaps related to other areas of risk management or business strategy decision-making.
  • Continuously stay involved in organizational change management presentations and discussions.

2. Executing Methodology Instead of Managing a Program

There are a wide variety of business continuity methodologies and standards, all of which are designed to improve how organizations create and continually develop and improve their business continuity programs and practices. Although building a program based on best practices is a great starting point, without an overall strategic goal linking the activities together, it can quickly become a “check-the-box” exercise that does not provide the intended value – or result in an appropriate level of readiness.

For example, many methodologies recommend performing analysis activities, like a business impact analysis and risk assessment, to identify key recovery objectives, business continuity risks, dependencies and resource requirements. These activities can be time-consuming and therefore a tremendous amount of value is expected of them. These types of analyses can provide great insight if they focus management on planning for the continuity of the organization’s most critical activities and identify the most appropriate risk mitigation, response and recovery strategies. To be successful, the results of these analyses must be actionable, succinct and aligned with the organization’s most critical products and services (and the underlying organizational strategy) or they will provide no value at all. They must also enable continuous improvement.

Solution: When a business continuity program is initially developed, the business continuity professional should identify planning activities that align to management’s risk tolerance and desired level of readiness. These activities should offer insight into the organization, with the outcome of each step enabling decision-making. If a program has already been started, these activities simply need to be re-evaluated or redesigned / integrated to ensure that they occur with a consistent direction or purpose throughout.

Organizations should utilize methodologies and standards to assist in the development or redesign of a program. However, they should use these as guidelines as the organization considers the overall set of interrelated program activities that will lead to an appropriate level of readiness. To summarize:

  • Engage management to establish priorities and scope.
  • Take the time to explain the business continuity planning approach and how each step builds upon the previous work completed.
  • Clarify that business continuity is a recurring effort that assumes a long-term commitment and continuous improvement.
  • Execute business continuity planning activities that build upon one another, with a focus on improving readiness when faced with a disruptive event.

3. Unnecessarily Using Business Continuity Jargon

As expected, business continuity jargon can be confusing to non-business continuity professionals. Jargon includes acronyms such as EOC, RTO, RPO, BIA and COOP, or common terms with different meanings such as emergency response or disaster recovery. Using these types of terms can create frustration and unnecessary barriers when trying to communicate with business and technology stakeholders.

Many business continuity programs rely on non-business continuity professionals throughout the organization to participate in the development, execution and implementation of key activities. Using excessive business continuity terminology creates an additional learning requirement, above and beyond the training requirements that are needed to effectively enable non-business continuity professionals to participate in business continuity planning activities. Personnel throughout the organization will find it valuable and efficient when business continuity professionals avoid their jargon and speak in a language they understand.

Solution: Wherever possible, eliminate the use of business continuity terminology and acronyms. This could mean using “plain language” or terminology normally used by the business. Alternatively, take the time to explain concepts that normally are summarized using a business continuity term (e.g. an alternative to using the acronym RTO might be “when an organization needs to begin operations”). Additionally, use terminology specific to your organization, and leverage appropriate processes and methods used to describe and measure organizational performance. It may be necessary to use some business continuity terms; however, these should be explained every time they are used and always used in a concise manner. Lastly, to avoid confusion, be sure to use terms consistently once they are introduced.

4. Unrealistic Recovery Objectives

Many organizations request that each business unit or business process define their own recovery objectives during the analysis phase of a business continuity planning effort. However, managers often struggle to define the appropriate recovery timeframe because:

  • They lack a context to make this decision because they are often not privy to the criteria that establish criticality, or they may not be aware of the maximum downtime expectations for key products and services (as approved by the organization’s business continuity steering committee).
  • It is often difficult for managers to objectively determine the criticality of their own business processes. The tendency is for individuals to consider their process as more critical than it actually is, thus requiring significantly more investment than necessary. The cost not only affects the individual business process, but also ripples through to key interdependent processes, resources and technologies. On the flip-side are those managers that select recovery objectives that are longer than appropriate. Many process owners are tasked with managing competing priorities and face a dilemma – recommend a less aggressive recovery objective that requires less to enable and maintain, or instead, recommend a more appropriate recovery objective that may consume more resources.

Solution: To ensure that the organization defines recovery objectives appropriately, business continuity professionals should stay actively involved with process owners throughout the analytic process. This involvement will ensure that managers understand executive expectations regarding downtime tolerances, as well as the criteria used to establish criticality.

Business continuity professional involvement will also assist with clarifying expectations that:

  • A recovery objective simply means the time at which the process or technology restarts.
  • Only minimum capabilities are needed at the recovery time objective.
  • The recovery time objective, combined with the time necessary to develop or deliver the product / service (commonly known as cycle time), should not exceed management’s downtime tolerance.

5. Failing to Create a Culture of Business Continuity

A business continuity program can have the best people, systems, analytic conclusions, strategies and plans, but that same program will fail if it does not have the support of the business or if the business fails to think about risk mitigation and recoverability when making day-to-day decisions.

A culture that fails to take into account business continuity implications can be easily diagnosed each time the business experiences a significant change and business continuity requirements, strategies and plans remain the same. Similarly, when managers fail to consider business continuity implications before making a decision, the business may be put at risk, or the costs associated with adding business continuity-related controls can escalate. All told, in these situations, it is clear that the business continuity program has failed to deliver a “business continuity culture”.

Solution: Although this proposed “fix” sounds rather simplistic, the key is for the business continuity professional to participate continuously in organizational change management activities and develop / implement a training and awareness program targeting management’s decision-making process. Emphasizing proactive risk mitigation decision-making and the importance of including business continuity planning as part of change management is essential to success.

Overall, you will know you have influenced your organization’s culture when people raise business continuity implications early on in strategy discussions and during the decision-making process.

Conclusions

Business continuity planning is a rather straightforward concept. However, this risk management effort is complicated by the unique manner in which it is employed in each organization, the various approaches and confusing terminology available and management’s perception of the value introduced by formalized planning activities. With that said, this article introduced five of the more important pitfalls to avoid – regardless of organization size, industry, focus or operating environment.

Creating and maintaining a successful business continuity program is more than following a set of best practices; however, avoiding these five common issues can enable a more effective business continuity capability that aligns to organizational needs and drivers, thus delivering expected value.


About the Authors
Ryan Hutton and Jacque Rupert are consultants with Avalution Consulting. They focus on business continuity, including program definition, risk assessment, BIAs, strategy, plan development, testing and training. They have extensive experience working with government, utilities, manufacturing and distribution. They are frequent authors, and can be reached at ryan.hutton@avalution.com and jacque.rupert@avalution.com, or at (800) 941-0381.