Ask any manager in business today what his or her biggest challenges are and it’s a fair bet that you’ll hear resource constraints in the top two or three. Unfortunately, additional responsibilities seldom bring additional staffing. In this environment, resistance to taking on new processes, especially those not viewed as part of the core business, is pretty much guaranteed. Add to this the fact that Business Continuity is outside the area of expertise of most business people and you have created a tough sell. Overcoming these obstacles and establishing a Business Continuity program that is owned and maintained by the business requires clear leadership, the right tools, and monitored cyclical activities to keep plans current.
The basis of any program is a clear policy articulated by corporate management or the board of directors that establishes Business Continuity Management as part of the business’ overall risk management responsibility. The policy should include provisions for regular reporting and oversight as well as the overall elements that the program must contain. As with other core business activities, performance in this area should be included in the objectives and evaluations of the business unit management.
Once a policy is established and communicated, a methodology should be established that allows the business to meet objectives without creating insurmountable obstacles of time and expertise. Tools, whether they are commercial products such as LDRPS, eBRP or simple Word documents, must be established and configured to minimize the business units’ maintenance effort. Expecting the business to initiate the process, perform the analysis and create the necessary documents on their own seldom, if ever, produces quality or sustainable results. Instead, a central project team should coordinate BCM activities with appropriate subject matter experts and business unit involvement. This team will be responsible for documenting a business impact analysis for the entire organization and establishing consistent documentation standards so that line of business personnel can effectively conduct planning activities.
Regardless of how well a Business Continuity project is implemented and how well plans are documented, it will all quickly become useless if it is not maintained. To keep the program visible and encourage regular maintenance, a cycle of events and a process for regular reporting of progress should be established. Quarterly activities and goals could include a BIA refresh, plan updates, call-tree/communication tests and plan testing. Each of these activities will create a deliverable that can be monitored. Scorecards should be developed and become part of regular corporate risk committee meetings, both to motivate the business units and to document oversight.
Overall, the keys to successfully delegating the Business Continuity process to the business are motivation and facilitation. Establishing policies and tying compliance with those policies to the evaluation of business unit management helps ensure a proper level of visibility and urgency. Building tools that make maintenance a straightforward process and training business unit personnel in their use during the initial project makes compliance a manageable task. Cyclical activities break the work load into less intimidating pieces and regular monitoring and reporting keeps the whole process on track.