This article reviews GPG Professional Practice 2 (PP2): Embedding Business Continuity and explains why embedding business continuity into your organization is important for driving success, describes best practices for embedding business continuity into day-to-day activities, and provides a brief case study highlighting the benefits of this practice.
PP2 outlines a number of techniques on how to embed business continuity into the organization. Specifically, the BCI separates PP2 into the following topics:
- ORGANIZATIONAL CULTURE. Business continuity planning should be aligned with the strategic direction and regular operations of the organization. Additionally, the business continuity program should be engrained in the organization’s culture and an accepted part of people’s job responsibilities throughout the organization, not just business continuity professionals.
- SKILL AND COMPETENCE. All personnel with responsibility for executing business continuity-related activities must have the requisite knowledge and ability to perform in their designated role. Whether it is a steering committee member, plan owner, or business continuity program manager, skill and competence for each role must be defined in a measureable way and logically aligned to responsibilities within both the business continuity program lifecycle and the response and recovery process.
- TRAINING AND AWARENESS. To develop the appropriate skill level and competence among the organization’s personnel, those responsible for the business continuity program must develop a training program that closes any knowledge or experience gaps present within personnel capabilities compared against the requirements of his or her role. In addition to a detailed training plan, a targeted awareness campaign should be developed so business continuity becomes a day-to-day consideration in all business activities. Awareness activities can include brief trainings on responsibilities and expectations for general employees within incident response, drills for evacuation or shelter-in-place procedures, and resources to find more information about the business continuity program.
Avalution views the sections of this professional practice as three aspects under the same focus area, as opposed to discrete, individually performed activities. When an organization properly addresses each area of PP2 together, each element will build upon one another and, over time, create an organization that naturally incorporates and prioritizes business continuity planning in day-to-day operations and decision making. There are a multitude of reasons why embedding business continuity into an organization’s culture is incredibly valuable and necessary. Let’s explore some of the most significant benefits:
- INTEGRATES BUSINESS CONTINUITY INTO EVERYDAY PROCESSES. If business continuity planning is truly ingrained within the culture, the organization will pervasively make risk-conscious decisions. Business continuity will not just be a topic the executive team considers on a quarterly basis through management reviews or something a department manager only thinks about when he or she needs to update plans. When an organization makes strategic decisions, such as new capital investments or strategic shifts, management will naturally weigh business continuity-related risks and benefits throughout the decision making process. Organizations with a truly mature business continuity program work to minimize the likelihood of a business disruption and seek to improve response and recovery capability unconsciously throughout day-to-day operations.
- DISTRIBUTES RESPONSIBILITY FOR BUSINESS CONTINUITY PLANNING ACTIVITIES. Many organizations only have one person or a very small group of people tasked with business continuity planning on behalf of the organization. Organizations with a robust business continuity program distribute responsibility for business continuity planning (to varying degrees) across the organization’s employees, managers, and leadership. As an organization establishes business continuity planning principles in both job responsibilities and everyday processes, the skill, expertise, and experience of people tasked with planning grows through great training and awareness throughout the employee population. This approach increases the effectiveness and efficiency of the entire planning lifecycle from business impact analyses to plan development and maintenance, allowing business continuity practitioners to focus more on strategic enhancements and overall program goals.
- CREATES THE BEST POSSIBLE ENVIRONMENT FOR RESPONSE AND RECOVERY. At its core, business continuity planning minimizes the likelihood of a disruption affecting an organization and creates valuable response and recovery strategies that mitigate impact should a disruption occur. Organizations with truly embedded business continuity programs are best prepared to enact response and recovery should a disruption occur because the entire organization simply knows what to do. Personnel are naturally aware of their specific roles and responsibilities and deeply understand both the response/recovery process and reasoning behind it so they can make informed decisions, allowing the organization to meet recovery objectives during a disruptive incident.
PP2 STRATEGIES FOR SUCCESS
Affecting the normal way of doing things in an organization is a significant and often challenging goal for a business continuity practitioner. However, with the right knowledge and tools, it is very attainable. Let’s explore some strategies practitioners can use to begin embedding business continuity into the organization.
- CHANGE ATTITUDES. Are general employees aware of business continuity planning at your organization? Do they understand the value of the practice? It is the responsibility of a business continuity practitioner to socialize the purpose, practice, and value of business continuity planning throughout all levels of an organization through a detailed training and awareness program. The practitioner should create a training plan to build specific competencies over the long-term for personnel deeply engaged in the program and maintain awareness of planning throughout the organization. Training and awareness initiatives like a tabletop exercise or workshop often create short-term interest in business continuity planning. The true challenge is initiating a long-term attitude change by demonstrating the importance and value of the program and its evolution as the organization matures. As people are continually exposed to their business continuity responsibilities and truly understand the value of the effort they put forth, business continuity will become an innate aspect of doing business.
- SET THE TONE FROM THE TOP. To embed business continuity into an organization’s culture, the program must be aligned with and supported by the organization’s leadership. Management should allocate sufficient resources to the program so it can to thrive, formally approve the business continuity policy, actively participate in strategy development and investment, and regularly review the performance of the business continuity program. Involving the organization’s leadership throughout establishing the framework of the business continuity program (as outlined in PP1) will set the foundation for initiating organizational change – the attitude of leadership will trickle down into the rest of the organization.
- LEVERAGE A MANAGEMENT SYSTEM. A management system is an efficient, repeatable way to align a business continuity program with the strategic direction of an organization. Organizations aligned to ISO 22301 treat business continuity planning as a long-term, repeatable program rather than just a one-time project, which is essential for instilling business continuity into the normal operations and values of an organization. The standard drives accountability throughout the program, which ensures business continuity plans strategies are meeting an organization’s recovery requirements. The table below provides a comparison to the GPG activities to sections within ISO 22301.
PP2 CASE STUDY
An organization’s response and recovery plans and strategies are only as effective as the people tasked with maintaining and using the strategies. In a perfect world, everyone tasked with a role in business continuity planning would buy-in from the start and immediately dedicate themselves to their role within the planning process. However, this world is not perfect and often business continuity is not a priority. Consider the following case study that illustrates why organizations invest time and money in embedding business continuity into their culture.
Company X began business continuity planning two years ago. They hired a full-time Business Continuity Manager to establish and manage the program. She established a policy and program documentation (standard operating procedures), but had trouble engaging management throughout the process. Management acknowledged planning was important, but other strategic priorities in the organization dominated time and attention of the organization. Taking this cue from leadership, many department plan owners with key responsibilities in the business continuity planning process barely participated in their department’s business impact analysis and did not take an active role in creating or even understanding what was in their business continuity plans.
The Business Continuity Manager was extremely worried about the engagement of the business and had little confidence that key people within the organization could actually use the plan documentation to respond and recover from a disruptive event, risking meeting Company X’s obligations to its stakeholders. Prior to an event actually taking place, the Business Continuity Manager decided to hold a tabletop exercise with Company X’s Crisis Management Team to illustrate both the importance and challenge of their current state of business continuity planning. She created and facilitated an engaging session based on a realistic scenario that affected one of their competitors.
Following the three-hour tabletop exercise, Company X’s leadership was appalled at how unprepared the organization was for a disruptive event, even though they have had planning in place for two years. The Business Continuity Manager then walked leadership though the issues, identifying the root cause of management engagement. She outlined the consequences of inaction and a proposed path forward to remediation. Leadership revisited the business continuity policy and standard operating procedures, aligning the document with the organization’s current strategic direction. The Business Continuity Manager then created a detailed Training and Awareness Plan to ensure personnel within the organization had the proper training to meet the expectations laid out for them within the standard operating procedures. Management also visibly and publicly emphasized the importance of participation in the planning process as part of a Town Hall meeting. Throughout this process, Company X took one step back to reassess its program foundation and approach, and then two steps forward to ensure business continuity is truly taking root in the organization.
PP2 provides strategies and tools for a business continuity practitioner to integrate business continuity into the culture and day-to-day activities by generating awareness of planning approaches and outcomes, changing attitudes towards the value of business continuity planning, and removing roadblocks as they arise. Properly embedding business continuity into the culture of an organization will create advocates and experts in proper business continuity planning, as well as response and recovery execution, greatly increasing the efficiency and effectiveness of the program’s planning lifecycle and creating a more resilient organization overall.
- The BCI’s Good Practice Guidelines
- ISO 22301: 2012
- Implementing ISO 22301: The Business Continuity Management Systems Standard
- Introduction: BCI Good Practice Guidelines Series
- The Need to Establish Business Continuity Governance: An Overview of BCI Professional Practice 1
- Business Continuity Strategy Design: An Overview of BCI Professional Practice 4
- Business Continuity Implementation: An Overview of BCI Professional Practice 5
- Business Continuity Program Validation: An Overview of BCI Professional Practice 6
If you’d like to discuss the GPGs, or aligning to ISO 22301 or pursuing certification, please reach out to us. We look forward to hearing from you!