A Business Continuity Scoping Approach That Contributes to Better Management Engagement and Prioritization of Risk Management Efforts
One of the most common questions business continuity professionals ask is how to keep management involved in the ongoing preparedness effort and prioritize the implementation of business continuity strategies with limited resources. Business continuity professionals strive to have engaged, interested management teams, but often struggle to achieve this goal. Whether management disinterest has been present from the beginning of the preparedness effort, or whether interest has waned over time, there is one key strategy that Avalution strongly suggests organizations implement in order to achieve greater levels of both management involvement and input regarding business continuity planning: scoping and planning based on the recovery of products and services.
A growing number of international business continuity standards – and standards in other disciplines –reference this concept. Products and services are defined as:
- “Beneficial outcomes provided by an organization to its customers, recipients and stakeholders” (BS 25999-2)
- “Beneficial outcomes provided by an organization to its customers, recipients, and interested parties” (Draft International Standard 22301)
- “Results of a process” (ASIS/BCI BCM.01-2010)
Why is this concept a difference maker? What are the benefits? How does scoping, planning, and reporting around products and services increase management interest? This article aims to answer these important questions.
Common Scoping Approaches
Organizations scope their preparedness programs using a number of different approaches. This section identifies a number of the most-common approaches and explains the benefits and drawbacks associated with each.
- Organizational Chart
The first, and most common, approach to scoping business continuity programs is by using the organizational chart to identify all departments and corresponding owners. While this is likely the most thorough and straight-forward approach, it often results in a tremendous amount of effort for the business continuity professional to perform a business impact analysis (BIA) and then develop plans for all identified departments (some of which may not require pre-planned recovery strategies). In addition, by reporting the organization’s readiness based on which departmental BIAs and plans exist, top management often cannot relate to how departmental recovery translates into the organization’s ability to deliver products and services to customers (which in essence is the organization’s actual preparedness or recovery capability).
Another common approach to scoping business continuity programs is identifying the facilities in which the organization operates and then identifying the activities that occur in each. While this is also a very thorough approach that can ensure all facilities are able to respond to a disruptive event, it, just like the organizational chart, does not effectively enable top management to easily establish priorities among the activities at the location that deliver “important” products and services. In addition, since most organizations perform the same activities at a number of facilities, performing planning on a facility-by-facility basis often does not account for the coordination that would have to occur between the facilities during an actual disruptive event. Planning and prioritizing risks on a facility level may result in business locations acting in silos rather than creating a fully coordinated and streamlined preparedness effort. Additionally, not all activities in all facilities align to management’s priorities. As a result, this approach often introduces some inefficiency.
A number of business continuity programs evolve from or focus exclusively on information technology recovery. Naturally, this approach focuses on the recovery of technology assets, which leaves the remainder of the business at risk – including business risk associated with the loss of facilities, suppliers, equipment and people (as well as failing to plan for the implementation of manual workarounds in the absence of technology). Technology is very important, but planning for the recovery of technology alone will fail to protect the organization and enable it to meet its obligations.
A fourth approach – and one gaining in popularity due to associated program efficiency and effectiveness – to scoping a business continuity program is by way of products and services. While it may be uncommon for middle and lower management to view the organization in this way, product and service delivery (to both internal and external customers) is precisely how top management views operations. In addition, on-time, consistent and profitable product and service delivery are often how management prioritizes organizational investments and measures its success. For example, for a manufacturing company, in-scope products and services may be identified by those that generate the highest revenue or margin, have the most exposure in the marketplace, or deemed most likely to drive future growth. Or, for an insurance company, in-scope products and services may not be tied to physical products, but rather by the services that the company delivers (i.e. processing claims, paying premiums, etc.).Scoping and reporting the capabilities of the program based on whether or not the organization can deliver its products and services within management-approved downtime tolerances is a key to gaining and maintaining management’s interest.
Why is Scoping Based on Products and Services Better?
In addition to the benefits already described, Avalution argues that scoping business continuity programs based on products and services is the best method for four important reasons:
- Downtime Tolerances
If the organization identifies products and services within the scope of its business continuity program, management can assign each product/service a downtime tolerance. Then, following a dependency analysis (understanding which organizational elements and resources contribute to the delivery of products and services), downtime tolerances can be inherited by each. This ensures that activity/department recovery objectives are congruent with management’s expectations and priorities. Using this approach not only allows the business continuity professional to report back to management based on whether or not the organization’s capabilities meet downtime tolerances, but also holds management accountable for providing the necessary resources to meet their own downtime expectations.
- Fewer Plans
By scoping the business continuity program based on products/services and performing a dependency analysis to understand which organizational elements and resources contribute to the delivery of the in scope products and services, the business continuity professional can eliminate the need to perform a BIA and develop business continuity plans for organizational elements and resources that fall outside the scope of the products and services that require business continuity strategies. This approach allows the business continuity professional and the management team to focus and protect the activities and resources deemed most important to the organization, without wasting time planning for lower priority organizational elements.
- Management Engagement
As discussed throughout this article, the most beneficial aspect of scoping a business continuity program based on products and services is to gain (or re-gain) management involvement. Since management views organizational success based on the on-time, consistent and effective delivery of products and services, this approach enables them to draw the parallel between normal operations and the impact that downtime would have on product and service delivery. In addition, this approach allows the business continuity professional to report recovery capabilities based on whether or not the organization can meet or exceed management’s tolerance for downtime specific to products and services. As an example, which of the following do you think would resonate better with management in terms of reporting business continuity readiness and performance? A. Our organization has 80 up-to-date BIAs and plans spanning across 100 departments in 4 locations; OR B. Our organization can recover the capability to produce product X within three weeks, which is less than management’s downtime tolerance of four weeks.
- Prioritize Risk Treatments
A critical aspect of the BIA and risk assessment process is to identify risks, understand the impact and likelihood of the risks, and outline possible risk treatments for these key risks. In almost all cases, the BIA and risk assessment processes identify numerous risk mitigation opportunities or gaps where recovery strategies fail to align to emerging recovery objectives. By prioritizing the organization’s risk mitigation opportunities and business continuity planning efforts by products and services and their associated downtime tolerances, the business continuity professional is better-positioned to present prioritized risk treatment options to management for consideration. For example, if there is a department that is the sole contributor to the delivery of service X (which has a management-approved downtime tolerance of 24 hours), and none of their staff can work remotely, management may consider investing in additional remote access capability to ensure that critical personnel can continue to deliver the service from alternate locations following a facility disruption. This is a more effective and focused approach than merely trying to convince management to increase remote access capabilities for all “critical” personnel.
Having introduced the benefits to scoping a business continuity program based on products and services, you are probably wondering where to begin! Consider these five steps to get your organization started:
- Review documentation that describes the key products and services delivered to the organization’s external customers. Sources of this information may include:
– Annual reports
– Marketing materials
– Product/service catalogs
– Website (“About Us” or product/service pages)
– Marketing and sales personnel
- Identify the products or services delivered to internal stakeholder groups that are necessary to meet strategic objectives and customer and other third-party obligations, for example:
– Mail distribution
– IT service support
- Use the information found in steps one and two to develop a comprehensive scope statement. Present this scope statement to your management team for review, feedback and approval.
- Following the approval of in-scope products and services, request that the management team establish downtime tolerances for each essential product and service that management wishes to protect. In preparation for this request, understand the financial, reputational, regulatory, contractual or operational impacts that may result if the organization fails to deliver these products and services, and present a summary of this information to management as inputs into the decision-making process.
- Perform a dependency analysis in order to align organizational elements (facilities, people, technologies, suppliers and other resources) to products and services. Apply the BIA on each in-scope organizational element (for more information on how to perform a BIA that is consistent with this approach, see our Ultimate Guide To Business Impact Analysis).
Overall, the suggestions provided above will deliver results – some that are difficult to achieve otherwise. Scoping via products and services will help your organization establish the scope of its preparedness effort according to management’s viewpoint, priorities and objectives – ultimately increasing management involvement and interest, and ensuring the business continuity program aligns to management’s expectations in the most efficient manner possible.