Hunting the Black Swans in Your Continuity Program
This is the tenth in the DRG ongoing series regarding hunting and mastery of the black swans in your continuity program. Look for it on the first Wednesday of each month.
10 Steps to Building a Black Swan-Free Business Continuity Management Program
Many organizations, especially SMBs (Small and Medium-Size Businesses), have not yet developed Business Continuity Management (BCM) Programs. While this profession is a relative newcomer, starting in the 80's as Disaster Recovery, and growing into Business Continuity only in the early 1990's, this field has grown rapidly in the 21st century as events such as the 9/11 attack on the World Trade Center and Hurricane Katrina made clear the vulnerability of all businesses to unforeseen events. Auditors began demanding that organizations develop a "BCP": a plan to guide an organization's response to any operational interruption. A BCM profession, complete with national standards, and recently an ISO standard, has developed since then.
Unfortunately, there is also a lot of misinformation as new companies hit the market and "not-so-qualified" practitioners emerge from all corners. Professionals may be certified by the BCI, DRI, and a host of smaller training organizations.
Despite all of this, many "BCP" programs continue to fail. One of the most important reasons for failure is the building of Black Swans right into the program! The following ten principles will help you to avoid nurturing black swans that can undercut your program's success. Above all, following these guidelines will prevent the program failures that not only make failed efforts of no value, but also create a larger burden for all subsequent efforts. Do your best to be right the first time: use these principles to guide your success. Skipping one or more of the following steps will make the task much harder, and may even cause program failure. So DO NOT SKIP ANY OF THE STEPS!
1. Participate in Professional Organizations: Get Educated
There are many professional organizations within this field, including the Association of Contingency Planners (ACP), which has chapters in most US States. Annual fees are extremely modest. Most chapters have speakers at every meeting to keep members current with developments in the field. You can also enroll in training courses and take a certification exam. The major sources of such certifications are the BCI (Business Continuity Institute) and the DRII (Disaster Recovery Institute International). BCM Professional Organizations are also a good source for you to identify local practitioners who can help you, as well as other regional groups in your area.
2. Secure Expertise
Be careful! Taking a few introductory courses and getting a basic certification does not qualify you to design and implement a BCM Program for your organization. If you want to ensure your program's success, AND avoid some of the most persistent black swans, engage an experienced (10-15 years of progressively more demanding work) BCM professional to help you. Oddly enough, many otherwise reasonable people think that anyone within their organizations can develop and maintain a BCM Program. You would never think of entrusting the repair and maintenance of your expensive sports car to someone standing on a street corner and wearing an advertisement! Don't do the equivalent with your BCM Program. You will need to check references, not just directly, but with members of the professional organization you have just joined. Ask for appropriately sanitized samples of the consultant's work with organizations similar to yours. Be careful to avoid "one size fits all" methodologies. Every organization is different, and you need a customized approach that fits your individual culture. There is no silver bullet here!
3. Define a BCM Policy and Get Executive Management Sign-off
A BCM Policy is intended to ensure that Executive Management understands that the BCM Program provides a critical ongoing service to the organization, and to express their commitment to supporting that function with funding and executive reporting. The policy assigns responsibility for this Program to a new or existing business unit, and enables funding to be allocated on an ongoing basis to develop and maintain the organization's continuity capability. Note that this is a new business function; it is NOT a one-time project. This policy should be no more than 3-4 pages in length and should be signed off by the Legal Department and physically signed by the highest-ranking executive in the organization.
4. Form Program Steering Committee
The BCM Program Steering Committee (PSC) should be chaired by a BCM Program champion within senior management of the organization. Committee members should represent all of the critical areas of the organization. The PSC will review all deliverables of the BCM Program and will also act as program champions within each of the major organization areas. In this way all of the PSC members will become spokespeople for the program within the organization and will become a critical means of building support for the BCM Program throughout the organization.
5. Define Individual Projects
In order to determine what specific kinds of resources you will need and when you will need them, you must lay out your development plans at a high level, and then obtain the preliminary consensus of the PSC. This task begins the education of the PSC members…and eliminates the emerging black swans while they are small and weak.
6. Write Project Plans: Activities, Resources, and Time
Once you have preliminary consensus of the PSC for your program development tasks, you can then flesh out project plans for each of the development areas, including detailed requirements: timing, resource qualifications and numbers, deliverables, costs, etc. An external senior BCM professional can be very useful in this detailed area, and will help you to avoid the most common errors (forgetting required tasks entirely or under-estimating task resource requirements). And so yes, this means that serious project planning and management tools and skills are necessary for success.
7. Obtain Concurrence from Steering Committee
With this task, the PSC members begin to understand the process of BCM Program development at ground level. They are beginning to understand that it will take more than one year to develop all aspects of the program, and that it is much more complex than they thought: it is really about changing the culture of the organization. And it will likely be more expensive than they had thought because they really did not think about all of the necessary tasks. A BCM Program begins at the beginning, but ends only when the organization ceases to exist. Awareness of these issues is the death knell for emerging black swans.
8. Define the Applicability Limits (Up and Down) for This Program
It is necessary to define the situations to which this program will apply. Generally very small incidents, such as failure of a hard drive in a single PC, will be excluded. You may wish to limit applicability of your BCM Program to physical disruptions, but be careful. A cyber-incident may have no physical effect but be extremely disruptive to key revenue-producing operations. A reputation incident may have no physical dimension at all, but can take down your entire organization within a very short time. A nuclear attack probably is too large to include for any private-sector firm. Work with the members of your PSC to determine exactly which kinds of events are included, as well as those that are excluded.
9. Design Plan Templates
There are four different kinds of plans you will need to develop: individual business unit plans, emergency management and communications plans, logistics support plans (for example, physical security, insurance, restoration, move, employee support, etc.), and IT infrastructure and individual IT application plans. Each of these requires a different template. Some may exist already in BCM Planning software you have chosen, so you will need only to customize them to suit your needs. Others may need to be created to meet your specific needs. This set of customized templates that you design will drive your information collection processes, such as the Business Impact Analysis and the Risk Assessment. Information collection is a laborious process at best; make sure that you collect ALL of the information that you need and NONE that you will not be using.
10. Continuous Knowledge Transfer to In-house Resources
Throughout the initial development and continuing refinement of the plan through exercises and awareness-raising activities, you will initially need to rely on external specialized resources. However, you should also be paying these resources to transfer their knowledge to internal resources as those become more familiar with the profession and gain certification and experience. And so make sure that this continuous task is explicitly included in the contracts for these resources.
And so there you have it…follow these guidelines and you will significantly increase your chances for success while eliminating the most common black swans in Business Continuity. A winner in anyone's book!
About the Author
Kathleen Lucey, FBCI, is President of Montague Risk Management, a business continuity consulting firm founded in 1996. She is a member of the Board of Directors of the BCI, and the founding President of the BCI USA Chapter. IBM chose her as the first winner of its Business Continuity Practitioner of the Year Award in 1998. She speaks and publishes widely in both North America and Europe. Kathleen may be reached via email at email@example.com.