As Published in the Spring 2019 Issue of the Disaster Recovery Journal
We’ve helped to build and run hundreds of high-performing business continuity programs. One of the most consistent themes we’ve noticed is a lack of engagement and enthusiasm within an organization prevents even the most well-intentioned program manager from maximizing the value their business continuity program delivers. This is true for both robust, multi-year programs, as well as for programs in their first year of implementation. To help solve for engagement issues, we have developed a framework that also enables a more meaningful experience for the business continuity professional. We believe the right framework enables continuity professionals to answer “yes!” to the following statements:
- I am empowered to make my organization resilient
- I have the resources needed to protect the organization aligned to management’s expectations
- I am challenged to grow personally and mature the program
- I enjoy my work
To this end, we’ve identified six key ingredients that drive business continuity success – each of which the best, most high-performing programs possess. Even better, these six ingredients fully align to traditional standards, like ISO 22301, and industry regulations, such as the FFIEC handbook.
If you feel like the answer to any of the above four points is “no,” or the enthusiasm and drive for business continuity within your organization is low, we believe focusing on these six ingredients will drive the engagement you need for success. What follows is an overview of each.
Six Key Ingredients
Ingredient I: Frame
The first major ingredient for success is framing the parameters of the business continuity program with direct engagement from executive leadership. We use a 90-minute “frame meeting” as our first major step in a program implementation (this can also be used for existing programs that are many years old). The reason we engage executive leadership to frame the program is because this top-down approach helps drive clarity and direction at a strategic level. Actively participating in the frame meeting should get everyone on the same page and contribute to management buy-in. We’ve found the best way to do this is by making sure program stakeholders are in sync on these four, high-level questions:
- Why are doing business continuity?
- What are we trying to protect?
- “How much” business continuity do we need?
- Who should be involved in the program?
Getting in sync on the “Why?” should be easy since a well-prepared organization can ensure the delivery of critical products and services following the onset of disruptive incidents with much more certainty than an unprepared organization. That segues nicely into the “What?” question. At first, people tend to get bogged down in applications or facilities that seem vulnerable or important. But the goal here is to get leadership to agree on the essential products and services stakeholders require or expect to be available. Once leadership determines the most time-sensitive products and services, this guidance will be used to direct business continuity planning participants to focus on the right business activities and resources.
“How much?” might seem like an odd question but getting input on time sensitivity and unacceptable levels of organizational pain further helps scope the program and establish a collective understanding of risk tolerance, which may be expressed in downtime tolerance. Finally, “Who?” is an important question to address up front because executive leadership’s participation helps you drive accountability and engagement when building or maturing the program. And, taken one step further, naming the right people to the right roles this early streamlines everything that follows.
Ingredient II: Process
Another benefit of getting in sync with executive leadership and framing the program from a top-down perspective is that it systematizes the business continuity planning processes. Business continuity is an ongoing effort, not just a one-and-done set of meetings or checklist for an audit. A good program starts with clear, concise documentation. The documentation should lay out a clear process that must be followed by everyone in the organization.
Process design and documentation might involve some iteration to fine-tune. When getting started, it helps to think about the average person within the organization who might get called to participate in the business continuity program. Prior to the onset of a disruption, program management needs to define a standard business continuity process that isn’t overly complex and easy as possible to learn and follow. Trapping people in overly complex flow charts and technical jargon limits their participation, and, by extension, makes the business continuity professional’s job more difficult. An effective business continuity process without unnecessary complexity drives engagement.
Ingredient III: Participation
Documenting and communicating a clear process lays the groundwork for participation; however, energizing that participation requires some additional effort. The good news here is that the same line of thinking used to create documentation applies to interacting with people. This effort starts with reviewing the outcomes of the initial frame meeting, where the business continuity program manager led a discussion to define program sponsorship, a steering committee, program management, and other business roles.
Now comes the time to get a little more tactical. The best way to drive participation is to start with documenting role-specific responsibilities and the knowledge and experience necessary to be effective in that role. Next, it’s about putting the “right people in the right seats.” We like to talk about “GWC” when it comes time to clarify roles and responsibilities. The person assigned to each role should be able to respond positively to the following questions:
- Do they Get it (understand the needs)?
- Do they Want it (are they motivated to take on the responsibility)?
- Do they have the Capacity to perform it (ability and time to perform the responsibilities)?
When you can identify people within your organization who perform well in their roles, have experience with your products and services, and have the desire to help your organization build resilience, it makes all the difference.
Ingredient IV: Engage
Business continuity only succeeds when participants engage with the program, but this engagement isn’t always easy to produce. Engagement really starts with compelling, high-performing meetings that engage the right people on the right topics at the right time. It may sound simple, but you need your participants to participate! Initially, this involves a bit of planning to identify the appropriate meeting cadence, as planning and executing engaging meetings at the right cadence makes a major difference. During the meetings, you must avoid the tendency to lecture; instead, view it as an opportunity to facilitate an engaging discussion among participants where the group creates energy and gets work done. Focusing on these objectives keeps everyone engaged during the meeting, which leads to them providing better program feedback.
We’ve all sat through a meeting where no one asks a question: it’s boring and it sucks the energy out of the room (physical or virtual). That realization led us to attack the problem head-on. Our solution is to develop focus meetings, held at regular cadence (ideally weekly or bi-weekly) established by the program manager and the business continuity team. Within the meetings, the business continuity team reviews goals, to-dos, issues, and metrics (covered in more detail below). In one hour or less, the program manager can drive the program forward, and ensure that solvable issues are handled, and larger issues are escalated.
But it’s not just about meetings among the business continuity team. It’s also about meetings with your program sponsor, program steering committee, and other program stakeholders (e.g. business unit coordinators). Consider developing an engagement plan that summarizes how and when to engage with different stakeholder groups, as well as what to cover, during meetings.
Ingredient V: Measurables
“What gets measured gets done.” This statement is not only true, it’s a key ingredient for a successful program. Measurables help program management, steering committees, and leadership figure out what’s working and what isn’t. Whether you call them key performance indicators (KPIs), key risk indicators (KRIs), metrics, a scorecard, or something else, the terminology doesn’t really matter here. What does matter is how you use measurables to identify the areas where you meet or exceed expectations, as well as the areas that need some extra attention. We accomplish this by tracking two distinct types of measurables:
- Activity + Compliance Metrics: These are fairly straightforward metrics, and usually serve to ensure that program deliverables are on track and consistent with expectations (as noted in a policy statement or regulatory requirement, for example). Chances are, you already track some of these, including number of BIAs updated, number of plans updated, or number of exercises completed. Activity + compliance metrics help answer the question, “are we doing what we said we would do (or should do)?
- Products + Services Metrics: These metrics help program leadership focus on evaluating the actual recoverability of the business activities and resources that contribute to the delivery of the products and services the business continuity program is meant to protect. For example, product recovery capability measured against leadership’s stated downtime tolerance.
These metrics help leadership (often the program sponsor and/or a steering committee) understand current-state business continuity capabilities and where gaps exist. Highlighting these recoverability gaps is crucial to enabling leadership to decide which gaps to prioritize for remediation.
As with every other key ingredient, these measurables are built on the outcomes of the other ingredients. When you frame the program properly, executive leadership aligns on what the organization’s key products and services are, as well as on the recovery timelines necessary to meet expectations. You can then establish measurables to track business continuity capabilities that are worded in the language of the business executive. Then, when delivered to the right program participant at the right time, and discussed during the right meeting, energy levels remain high and program maturity rises (driving accountability across the organization).
Ingredient VI: Improvement
When a program establishes a good list of measurables and begins to track them, opportunities for improvement quickly reveal themselves. The program leadership’s task then becomes prioritizing and addressing these opportunities. Again, using the language of the executive is crucial. Executive leadership at every organization sets strategic goals, takes action to drive success, and leads experiments to identify improvement opportunities. Business continuity programs should do the same.
Business continuity improvement can be driven by actions, goals, and experiments. Actions are short term “to-dos” that move the program forward in two-week increments. Goals, set by program leadership and the steering committee, are quarterly, annual, or multi-year targets that should represent small steps forward. Additionally, we like to drive improvement through experimentation. Experiments must be low-risk actions where failure is always an option and learning is the primary goal.
Sometimes experiments are strategic, sometimes tactical, but the goal is to try new things in a controlled environment so you can determine if something new might help your organization better insulate itself from risks. For example, you might work with your IT team to attempt an application failover at an alternate site, or you might have a team work remotely one day per month to determine what they might miss if they cannot access the facility. In either of these cases, the emphasis should be about learning rather than sticking with what’s safe.
Putting it All Together
Our business continuity operating system is comprised of three major sets of activities: frame, build, and evolve. Each stage includes detailed instructions and tools to build and improve business continuity capabilities, consistent with the needs of the organization.
Regardless of the standard or methodology you use to drive your program, the foundation of your approach should be built on these six ingredients. Your approach should be systematized, simple and practical, drive engagement with the program stakeholders, put the right people in the right seats, and create confidence in response and recovery capabilities. When you run a program that tackles the right problems using the right approach, we are confident you will be able to make the following four statements:
- Yes, I am empowered to make my organization resilient!
- Yes, I have the resources needed to protect the organization aligned to management’s expectations!
- Yes, I am challenged to grow personally and mature the program!
- Yes, I enjoy my work!
Brian Zawada and Josh Wills, Avalution Consulting