The Next Wave in Business Continuity Management (part two of two)

Wave Part2 SmallAvalution presents part two of “The Next Wave in Business Continuity Management”, dealing with how to get proactive in reducing availability related risks, and ensuring your continuity program has the highest standards of quality.

1. Coordinate Your Risk Management Programs

Where do the boundaries of emergency response begin and end? For example, is there overlap between risk management’s insurance efforts, facilities management and business continuity? What about business continuity and enterprise risk management?

All organizations have a finite risk management budget, and executives are demanding closer coordination amongst risk management disciplines in order to conserve resources and increase effectiveness.

2. Performing Internal QA

It’s true that real world events are the best measure of readiness, followed by exercises and simulations. However, a number of organizations have developed a continuous process to assist with their measurement of program readiness by forming Quality Assurance teams. These experienced business continuity professionals develop measurement standards, interact with planners and plan owners, review processes and documentation and participate in exercises. Most importantly, they develop quantitative measures designed to gauge business continuity readiness, and communicate results to executive management.

Quality Assurance can be a cumbersome, time-consuming process, therefore leveraging planning tools and relying on data management strategies are keys to success. The automated gathering of business continuity program information is important to allow Quality Assurance personnel to focus on their most important task – coaching planners to improve their plans and strategies.

3. Integrate Continuity Planning Into Change Management

Change is constant. Reacting to change – as opposed to being proactive with change – can result in more business continuity strategies that are more expensive than necessary because recoverability is designed and implemented after the fact. Additionally, there will be recoverability gaps with a reactive approach to change since new processes and technologies are introduced into the business while viable recovery strategies catch up weeks later.

Work with your organization’s Project Management Office (PMO) and other change managers to play an advisory role in meeting the organization’s business continuity standards before projects “go live”. There is a time investment for the business continuity team, but this investment is much less when compared to working on plans and strategies after the project is operational.

4. Shrinking Budgets – Shrinking Recovery Objectives

Shrinking budgets and shrinking recovery objectives are not mutually exclusive; they are happening to many organizations simultaneously. Below are ideas that address one or both of these challenges simultaneously.

  1. Create program activity awareness: Business continuity management is often misunderstood by executive managers. Viewed as a technology, a project or even worse, a plan on a shelf, business continuity managers need to focus on obtaining buy-in for their team’s annual objectives. They should seek approval for a policy document, outlining the organization’s business continuity lifecycle, and detailing key activities, and the roles and responsibilities necessary to effectively execute these activities. With tight budgets, the business may have to assume a number of key business continuity related tasks, which should be clearly communicated and understood by all responsible groups.
  2. Communicate the value: Decreasing budgets are often a symptom of poor internal communications and “internal sales”. The answer to a shrinking budget should focus on communicating the level of protection afforded by the continuity group. A common metric for showing an increase in protection levels is a comparison of overall annualized loss expectancy (ALE) figures.ALE is easy to calculate for your organization by using the following formula:Single loss expectancy (the amount of money that would be lost for a single failure) multiplied by the annualized rate of occurrence (i.e., once every 25 years equals a 1/25 ARO).This level of analysis will quantify continuity planning’s contribution to risk reduction in a way executive management can support.
  3. Utilize risk management to prioritize functions: Partnering with other risk management entities to prioritize business functions will help validate lower recovery objectives. In addition, a quantitative risk factor scoring common to all risk management groups will result in an efficient and less subjective list of priorities.

Conclusions

Continuity programs continue to mature, but expectations are rising as well. The past ten years have seen rapid change, from technology-centric disaster recovery programs to today’s enterprise-wide business continuity management efforts. More change should be expected. Can you say your program is characterized as:

  • Structured;
  • Efficient;
  • Flexible;
  • Visible;
  • Collaborative; and
  • Creative?

If so, it’s highly likely your executive management team will find great value, comfort and confidence in your ability to deliver continuity and availability now and into the future.