Laurence Guihard-Joly, GM, IBM
In a world where natural and man-made threats challenge companies and organizations of all sizes across industries and locations every day, the drive to advance a competitive business strategy while reducing risks is a constant balancing act. If yours is like most companies, you probably have some kind of a Business Continuity Management (BCM) program in place to help mitigate risk, but it probably does not do everything it could or should. Even the most well-defined and well-executed plan may not adequately protect your business if it has not evolved to address changing risks that arise as your strategy shifts, or simply if it has not been tested well enough.
Take, for example, a leading U.S. insurance company, which realized that the absence of an effective governance structure to support its business continuity capabilities meant that they would quickly become out of date, putting the company at risk. The company conducted a resilience strategy, which led to the creation of a Business Resilience Office consisting of representatives from all lines of its business as well as its IT organization.
The new office provided guidance on BCM structure, roles, responsibilities, ownership and accountability, as well as direction on data collection and reporting of metrics, and compliance. They now have a continuous improvement program in place that significantly reduces potential disruptions to critical business operations in the event of a disaster. It also helped reduce the financial and service-related impacts of an outage.
For a successful Business Continuity Management program such as theirs, I recommend these seven essential practices:
1. Secure executive sponsorship
The role of an enterprise executive-level sponsor is to educate other decision makers within the organization, in simple business terms, about the strategic and financial impact of business continuity risks; to help them understand that BCM is based on business requirements and can cover every aspect, from strategy to organization and employees to applications, process, data, infrastructure and facilities; and to aid them in seeing IT as part of the solution rather than part of the problem. This step is essential for integrating your organization’s business continuity plan with its overall strategic business objectives. Securing an enterprise executive-level sponsor provides focus, support and commitment at the C-suite and board of directors level for your BCM program.
2. Conduct a comprehensive assessment of your current business resilience posture
This assessment should look at more than just your technology recovery capabilities. It should evaluate all aspects of your business continuity management program to help ensure that you have comprehensive coverage of business resilience, including continuity, availability, recovery, security, operational risk and crisis management. An accurate and realistic assessment can provide a clearer picture of the effectiveness of your current BCM plan and a baseline for improving it.
3. Elevate the BCM discussion to the enterprise risk-management level
BCM should be aligned with the overall enterprise risk-management program and conversation. But this can only occur if executives understand the relationship of BCM to their business strategy and how it supports strategic business objectives, as well as the expectations of customers, business partners, stakeholders and regulators, in any discussion about business continuity, and tie BCM to strategic business objectives. By elevating BCM concerns to the enterprise risk-management level, your organization can better evaluate risks based on their strategic business impact.
4. Perform a holistic analysis by looking across organizational and location boundaries
Another common deficiency I find is that companies’ business impact analyses tend to be performed by their IT department. This method tries to “force fit” business requirements into existing technology recovery capabilities instead of letting true business requirements drive the IT recovery. A truly holistic analysis requires that you break down silos and look across organizational and location boundaries to identify how business transactions flow within the enterprise, look at strategic business impacts and prioritize business functions.
Take, for example, a leading provider of financial leasing services with offices throughout Europe, which discovered during an internal audit that in the event of a major IT incident, recovery of business-critical processes could take nearly four weeks. The company performed a company-wide, holistic analysis, including a robust business impact analysis, that standardized its business continuity plan and allowed it to establish priorities in determining the sequence for the recovery of business functionalities across all the countries where it has offices.
5. Identify the most critical processes in terms of BCM priority for driving business strategy
Prioritizing your processes provides a clearer view of the most critical risks to your business and strategy, and allows you to make fact-based investment trade-off decisions. It also allows you to focus resources on improving areas with the potential for the highest impact and avoid under-funding the most critical business services because resources are spread too thin.
6. Apply a common, integrated and company-wide BCM approach to enable more consistent planning and risk mitigation
An organization-wide BCM program helps address top-priority business risks across the enterprise and provides consistency throughout the organization and among suppliers. A consistent, integrated BCM approach that is implemented organization-wide across the various functions, locations and business units is more efficient, helps decrease overhead, provides a common, consistent language and terminology, aids employee enablement and empowerment, and enables end-to-end planning and testing across silos. It also facilitates effective collaboration between the BCM and Security teams and readiness for joint actions.
7. Establish a centralized governance structure integrated across business and IT
As discussed in the insurance company example above, a well-established governance structure helps you identify, manage and control critical BCM risks. It measures progress and helps confirm that BCM stays aligned with and supports your business strategy. It comes with a well-defined communication plan, and also provides the visibility and oversight required to help maintain your BCM program and to better manage compliance.
Evolving your business continuity program is no small feat, but the consequences of having an inadequate program can be devastating to your business operations and to your organization’s reputation. A continuous focus on executive sponsorship, integrated governance and strategic alignment is a critical key to ongoing success. A tested approach, like these seven essential practices, can help guide you as you seek to improve your BCM program, align it with your organization’s business strategy and drive competitive advantage.