Saul Midler FBCI
Standards and guidelines should not be blindly implemented; they should be seen as an expression of the philosophies of good Business Continuity Management (BCM) practice, as they represent the collective ideas of BCM industry thought leadership. Whether you’re new at BCM or an old hand, the BCM industry continues to evolve and it makes good sense to learn from the industry. There are benefits to incorporating the philosophies of these standards and guidelines into your BCM program, including not re-inventing the BCM wheel or relying on novice ideas or intuition without foundation.
While standards describe what you should do, methodology describes how you do it. The methodology is BCM in context. It is neither rigid nor flexible – it is what you make it. Whether you know it or not, you’re using a methodology – even making it up as you go along is a methodology, albeit not a very good one!
There is a disconnect between what the BCM standards say and the methodologies that many organisations implement – philosophies and principles are lost in translation. Such organisations hold a false hope that what they are doing will protect them. They take shortcuts that actually increase the risk of business failure. Examples we have seen include:
- Drawing a conclusion from spreadsheets and then directly writing a plan, creating risk due to a lack of quality strategy development;
- Setting Recovery Time Objectives (RTOs) for an entire Department resulting in plans at the Business Unit level which are too generic.
People are time-poor, always looking for ways to get the job done faster, but you can’t just do a BIA and then write the plan. If it were that simple, the standards and guidelines would be leaflets and methodologies would be dot-points. And yet, organisations look at the standards and create methodologies that not only leave out key activities but bear little resemblance to industry norms.
For example, your BCM methodology must include Determining BCM Strategy, which describes how you will meet the requirements defined by the BIA. Strategies must be documented, costed, reviewed, signed-off and funded. Shortcutting the process by leaving out strategy is like telling a builder to go ahead and construct a four-bedroom house, then wondering why you didn’t get what you needed. Management need to know the costs of your BCM solutions and on what basis those costs were defined. This must be clear without estimations and guesswork and based on business-driven requirements.
There is more than one way to bake a cake.
More than one strategy should be considered, as recommended by global BCM thought leadership. Each option has advantages, disadvantages and cost – elements that require little effort to define, but facilitate choice and clear decision-making. Perhaps the best solution is to implement more than one strategy – and possibly not the one that was first intuitively defined.
There seems to be a trend to develop function contingency plans without resource recovery plans. So you know how, where, and when to restore a business function, but not how, when, or where to restore the required resources. Without developing resource recovery plans you run the risk of staff sitting around at the contingency site without PCs, desks, chairs, software and other infrastructure and resources required to actually perform their function. This is not efficient business recovery!
Exercising is also on the shortcut target list. Placing faith in procedures and capability without actual proof is clearly dangerous, but some organisations will not incorporate exercising into the annual corporate calendar. There may be one emergency response roundtable or the odd ITDR test, but proving business function contingency and resource recovery is not considered. If there is one strategic element of the BCM lifecycle that should not be simplified, trimmed, marginalised or dropped, it’s exercising. There is always something to learn and an opportunity to improve.
To be frank, BCM is not simple. There are philosophies and concepts that may be difficult for some managers. It’s hard to comprehend why there is a belief that you can simplify the BCM process without forgoing quality. You can, however, simplify the BCM effort by leveraging the experience and expertise of others. This comes in many forms: standards, guidelines and commercial software with methodologies.
Consider this – methodology is your friend. It doesn’t need to be fixed or complex and it should explain how you will align to global thought leadership (standards and guidelines). Every software package has a methodology regardless of what the salesperson says. What you need to find out is how the software touches each of the key stages of the BCM lifecycle. Then it’s a question of how deep you need to drill into your organisation, not how you can shortcut lifecycle stages.
Foresight beats hindsight. [Every time].®