Business Continuity Software – More than “Just Plans”

Brian Zawada, FBCI | Mar 06, 2018

I had a conference call last Friday with a very experienced professional regarding the purpose and intent of business continuity software. She made an interesting comment, in which she proclaimed, “It’s all about the recovery plans.” I was surprised, as I’ve never thought of it that way. Or more accurately, I made a bad assumption – that being that EVERYONE thought the value proposition of software was far broader. It’s true, plans are an important outcome, but not THE outcome.

So, I pushed the conversation a bit, and this is where it got interesting. I started by offering some background regarding the Catalyst design principles, specifically how we wanted to introduce a business continuity software platform without unnecessary complexity (to aid in engaging the business), as well as one that connects business continuity to the strategy of the business. Then I transitioned to ISO 22301, and stated that software can really help drive efficiency and/or help perform many of the processes that make up the business continuity management system described in ISO 22301. Specifically, I pointed out key management system processes, including metrics, corrective actions, and the management review.

There was a pause and a question offered with a puzzled tone. “Metrics make sense because software can calculate that, but I don’t understand the other two. How can software perform that?”

So, I started by offering an explanation of what these processes are, that being:

  1. Metrics measure. They measure whether the organization is performing the activities it should to prepare (executing a business impact analysis, for example), but they should also measure the residual risk that remains because of missing response and recovery capabilities (meaning gaps in strategies that could impact the delivery of the organization’s most important products and services).
  2. Corrective Actions are a combination of improvement opportunities and areas where the organization is not complying with obligations or expectations. Because closing corrective actions often requires time and resources, it’s important to prioritize and plan ahead to address each, with a focus on root causes that might close multiple corrective actions. Sources of corrective actions include (but are not limited to) the business impact analysis, risk assessment, gap analysis, audits/assessments, exercises, and crisis/incident response.
  3. Management Reviews assess business continuity program and strategy performance (the metrics) and their alignment with preparedness priorities and expectations, and they prioritize corrective actions for closure.

Then I explained the common challenges that many business continuity programs – and their program managers – face (putting aside ISO 22301 compliance for a moment). In many cases, it’s not calculating or reporting that is the challenge. It’s automating and “connecting the dots” – meaning passing business requirements to plans, plans to the scope of the exercise, exercise results to corrective actions, metrics to management review, crisis/incident response to corrective actions, and corrective actions to management review. There’s significant value in information flow to drive continual improvement (the value of ISO 22301).

Then I concluded with how software can help and add value – and it’s not just about “the plan”. It’s about constantly working to get better and better over time, meaning continual improvement, and that’s essentially a fourth design principle of Catalyst, one shared with ISO 22301.

If you’d like to explore this topic more or have questions regarding how Catalyst can help, please don’t hesitate to contact us.

_______________________

Brian Zawada, Avalution Consulting

Business Continuity Consulting | Information Security Consulting | Catalyst