Michael Porter once famously said “the essence of strategy is choosing what not to do”. While I am sure that Mr. Porter was not thinking of business continuity when making this statement, it is absolutely applicable to the implementation of a successful business continuity program, as the best way to drive business continuity program success is to properly scope the program by aligning it to the organization’s overall business strategy. This perspective aims to clarify what exactly strategy connected business continuity means, as well as why it is important to all organizations considering the implementation of a successful, focused business continuity program. Additionally, we will explore conversation topics designed to “crystallize” the organization’s business strategy in a way that helps inform the scope and objectives of the business continuity program.
As business continuity practitioners, when the topic of strategy arises, we tend to think in terms of recommendations to address gaps identified during the business impact analysis (BIA). While addressing strategies for risk remediation is part of the business continuity lifecycle, when discussing strategy connected business continuity, we are more concerned with focusing on ensuring that processes related to the delivery of key products and services are given careful consideration. While the wording is slightly different, clause 6.2 in ISO 22301 (the international standard for business continuity management systems) describes business continuity strategy in relation to products and services and their inherent ability to influence the achievement of organizational objectives.
WHAT IS STRATEGY CONNECTED BUSINESS CONTINUITY?
In the simplest terms, strategy connected business continuity describes a business continuity program that is constructed to protect an organization’s key products and services and the processes and resources that support the delivery of those products and services. Key products and services are those that leadership has deemed to be critical to both the organization’s short-term goals and long-term success. By considering the organization’s strategy relative to its key products and services (which may include product development, production, distribution and customer support/engagement, as well as other time-sensitive internal business processes), those in charge of implementing the organization’s business continuity program have a much clearer view of what is actually important to the organization, and, therefore, can better assist leadership with identifying the proper scope of the program. While we will address best practices for identifying and discussing the organization’s strategy with leadership later in this perspective, it is important for now to understand how scoping the business continuity program in alignment with the organization’s strategy is crucial to the program’s overall success.
WHY IS CONSIDERATION OF STRATEGY SO IMPORTANT TO THE BUSINESS CONTINUITY PROGRAM?
The most surface level response to this question is that a poor understanding of the organization’s direction and key priorities leads to improper scoping of the business continuity program. Let’s go a level deeper, though, and explore the implications of an improperly scoped business continuity program.
An improperly scoped business continuity program results in one of two possible scenarios. One possible scenario (Scenario A) is that the program is scoped too broadly, possibly including products/services and processes that are not relevant to the organization’s overall strategy. The other possible scenario (Scenario B) is that the program scope is too narrow or fails to fully address and ultimately protect key products/services and processes that are directly related to the organization’s overall strategy. Let’s explore these two scenarios in more depth.
Scenario A – The business continuity program is scoped too broadly.
This scenario typically occurs when those responsible for the program’s design and implementation “cast a wide net”, so to speak, in an effort to ensure they capture all pertinent data. This approach can be taken with the best of intentions; however, it also can (will) result in wasted resources (both time and money) and a lack of engagement, as the program is seen as inefficient or overly burdensome due to an unnecessarily large scope.
Scenario B – The business continuity program scope is too narrow or fails to fully address and ultimately protect key products/services and processes directly related to the organization’s overall strategy.
This scenario typically occurs when those responsible for the program’s design and implementation either do not have a thorough understanding of the organization’s direction and/or key priorities, or are approaching the program with a “check the box” mentality. No matter the reason, failing to include and protect the organization’s key products/services and processes results in a business continuity program that is ineffectual due to gaps, and, therefore, plans that are unacceptable and perform poorly.
In the end, whether the organization is characterized by Scenario A or B, by failing to incorporate organizational strategy into the conversations surrounding program design and scoping, the program’s effectiveness and performance suffer immensely.
HOW DO I IDENTIFY WHAT THE ORGANIZATION’S STRATEGY IS?
Simple. We ask. Many times, for those tasked with the design and implementation of the business continuity program, the organization’s strategy or direction is not always crystal clear (this can be magnified in the case of an outside practitioner). That is why it is important to have strategy conversations very early on with leadership. In some instances, unfortunately, senior leadership only involves themselves in the program at the very beginning and end of the program implementation, possibly checking in periodically. So, it is important for those tasked with the program’s design and implementation to seize the opportunity to ask the right questions up front. Addressing topics such as the organization’s risk appetite, how customers use the product or service, competitive landscape surrounding key products and services, priorities and obligations influencing the assignment of business continuity requirements, and short-term/long-term organizational goals and targets, helps remove ambiguity surrounding the organizational strategy. Let’s look at each of these conversations in a little more detail.
Risk Appetite – Generally, an organization’s risk appetite can be summarized as the amount and type of risk that an organization is willing to accept in the pursuit of its business strategy. An organization’s risk appetite can be quantified on a continuum, with risk-averse organizations that accept as little risk as possible on one end, and risk-seeking organizations that may consider taking risks as part of the organizational strategy on the other. Typically, these risks can be grouped into one of the following categories:
- Financial Risks
- Operational Risks
- Reputational Risks
- Contractual or Regulatory Risks
Having a solid understanding of the organization’s posture towards acceptable amounts of risk helps inform the program and influence the prioritization of findings and recommendations later on in the process.
Understanding Key Products/Services – In some organizations, specifically ones where the organization’s entire business revolves around one core product or service, understanding key products and services is very intuitive. However, in organizations that have a widely-diversified portfolio of product or service offerings, this is not always so clear, and a solid understanding of the organization’s key products and services is crucial to proper scoping of the business continuity program. Part of this understanding is having a good sense of how customers use and rely on these products and services. Often, organizations develop the program’s scope simply on the basis of revenue or profit generated by a product or service. While this may work in some cases, it should not be the litmus test for all, as some organizations may place greater emphasis on products and services based on other metrics, such as expected growth rates, the desire to enter new markets, or customers’ reliance on the availability of the products or services.
Competitive Landscape – While some organizations possess the competitive advantage of being the only “player in their respective sandbox”, most organizations have direct and indirect competitors threatening to encroach on their market share. Understanding the competitive landscape that the organization operates within shapes the organization’s view of downtime tolerances. For example, an organization that has no direct competition may be willing to tolerate a longer period of downtime than an organization who risks customers easily switching to a competitor in the event of a disruption.
Factors Influencing RTOs – During initial scoping conversations, organizational strategy helps frame leadership’s tolerance for downtime. This tolerance for downtime aids in sanity checking the data gathered during the BIA. For example, a department may state that they need a production-related activity recovered and fully operational within one day following a disruption. However, leadership stated that, due to adequate safety stock levels at company distribution centers, the organization can actually tolerate production downtime of up to two weeks. Having a high degree of visibility across the organization helps fit the more granular data gathered during the BIA into the “big picture” painted by leadership.
Short/Long-Term Organizational Goals – While conversations surrounding key products and services (and the reason they are a particular focus for leadership) hint at the direction the organization is heading, having direct conversations with leadership and developing a solid understanding of both short-term and long-term organizational goals/targets is a major factor in ensuring proper program design.
Including these topics in conversations with leadership ensures that those responsible for the program’s design and implementation have their finger on the pulse of the organization’s strategy, which results in the ability to truly develop a strategy connected business continuity program.
INTEGRATING ORGANIZATIONAL STRATEGY INTO THE BUSINESS CONTINUITY PROGRAM
After gaining a true understanding of the organization’s strategy by exploring topics such as key products/services (current and future), risk appetite, the customer, short-term/long-term goals, and the competitive landscape, it is then time to use this information to shape the design of the business continuity program. Let’s take a look at how leadership’s input regarding organizational strategy impacts program scoping on a more tactical level. It should be noted that scoping is a sequential process and best executed in a top-down approach, as evidenced below.
- Product and Service: The starting point for strategy integration is leveraging leadership’s direction on which products/services are determined to be the most crucial to protect. A product or service is essentially any beneficial outcome provided by an organization to its customers. These customers can be internally or externally-facing depending on the organization.
- Process: Working downwards, we look at the processes, which are groups of activities that convert key inputs to outputs in support of the delivery of the previously mentioned key products/services.
- Activity: Finally, we analyze the processes using the BIA to identify and understand the key activities the in-scope processes perform. Additionally, in defining those activities, we come away with an understanding of all the resources required to perform the activities (e.g., technology, facilities, people, and suppliers).
Using this top-down approach to scoping – based on the organization’s overall strategy as dictated by leadership – ensures that the business continuity program is properly scoped from the very beginning.
Implementing a truly strategy connected business continuity program is not always the easiest thing to do, and tends to frustrate those seeking a “check the box” approach; however, for those looking for a substantive and actionable business continuity program that protects the organization’s best interests, it is imperative to consider organizational strategy. From our personal experience spanning many different types and sizes of organizations, leadership better supports and engages in programs they feel are meaningful and help achieve organizational goals. Subsequently, directors, managers, and staff are more apt to positively engage in a program that leadership makes a priority. The best way to ensure that this occurs is by designing and implementing a business continuity program that is in lock step with the organization’s overall business strategy.