Thirteen Tips For Business Continuity Planning

 Paul Stiff, 30 April 2021

Paul Stiff Consulting Pty Ltd specialises in Strategy, Risk and Transformation.  Unsurprisingly, and maybe somewhat in response to the pandemic, Business Continuity has been a popular topic with our clients. The points below, although by no means a guide or blueprint, offer some direction for successful Business Continuity Planning.

 The changed context

The continuous increase in reliance on technology and the change in culture towards working from home mean that conventional thinking on Business Continuity, focusing on manual processing and seats at alternate sites, is well and truly obsolete. Focus is now on resilience measures, where flexibility, options and technology redundancy need to be considered first and foremost. The planning process becomes even more important as resilience needs to be planned and paid for well before any critical incident arises.

Although this article refers to Business Continuity, resilience is front of mind in the approach.

 Governance

1.     The Board is accountable to govern Business Continuity and the Business Continuity Program is owned by the CEO.  Ultimately, if the company suffers a major interruption and countermeasures were not planned, the Board suffers credibility issues and the CEO has not done their job. In regulated industries, there may be consequences beyond financial impacts such as loss of license or allocation of contracts to other companies. The Board receives regular reporting on Business Continuity Planning, testing of Business Continuity Plans and Post Incident Reviews.

 People and accountabilities

2.     “First line” business leaders are accountable for defining their Business Impact Assessments (BIAs) and Recovery Plans.  It is not the Risk Management department’s job to do it for them, but to define the methodology and make sure it is performed adequately. Business leaders will not only need to run the planning process, but also activation/deactivation of the plans and regular updates.

3.     Involve relevant stakeholders (suppliers, other departments/process owners, customers, unions, regulators) in the Business Continuity Planning process to understand dependencies and the customer (and other) impacts of the potential disruptions.  The Chief Information Officer is one of the most important stakeholders in the Business Continuity Planning process – avoid developing the Technology Disaster Recovery Plan separately from the Business Continuity Plan, as technology is now a fundamental part of all companies' operations.

4.     Standardise the roles and processes for your crisis management and business continuity management teams – they will depend upon each other and alignment will facilitate performance under stress and simplify coordination and reporting.

 The Business Continuity Program

5.     Define the strategic continuity priorities first. For example, continuing services to the most vulnerable customers, employee and customer safety, and protecting financial flows are 3 clear strategic priorities. All leaders need to understand these priorities and how their roles relate to those priorities.  This step will make sure that leaders focus on the big picture during the planning process and not the inward-looking attitude of “this is vital to MY work”.

6.     Define the critical disruption period. This is highly dependent upon the nature of the business. In my experience this has generally been 1-3 days, with anything under the threshold defined as BAU incident management and managed through the BAU incident channels.  This allows Business Continuity planners to focus on sequencing the critical actions at the beginning of a disruption.

7.     Use the AS/ISO 22301 Business Continuity Management (BCM) standard (and AS/ISO 22313 BCM Technical Standard, AS/ISO 22317 Business Impact Assessment) to guide the planning process and content.  These are standards to guide the implementation of best practice and cannot be used for certification. Adapt them to suit your requirements!

8.     Use your company process model (ideally at level 3) to perform the Business Impact Assessments and use the top level process map overview as a traffic light dashboard to illustrate criticality of processes to your Board and Executives.

9.     Rate Business Impact Assessments against your Board Risk Appetite Statement, and ideally the impact scales of your Corporate Risk Matrix if this is available. This allows impacts to be measurable, facilitates stakeholder understanding and allows planners to refine what is, and what is not, acceptable. It also makes reporting for the Board straightforward.

10.  The four traditional scenarios for business continuity are: unavailability of site(s), unavailability of technology, unavailability of supplier(s), unavailability of people.  What other scenarios might be applicable to your business? Reflect all of those relevant in your plans, and rate their probability and potential impact alongside the BIAs.

11.  Test your Business Continuity Plans and adjust them regularly! Testing is the only way to develop confidence in the plan and train staff to implement the plans.

 Technology

12.  Fund and forward plan the resilience of your applications' availability in line with the criticality of the applications. Many applications are now offered by vendors as “Software as a Service” (SaaS).  How solid is your contract? What measures are in place to counter the risks?  Has your SaaS vendor participated in the Business Continuity Planning?  What do you know about their plans?

13.  Use an application to manage your BIAs and Recovery Plans, not Excel spreadsheets; these rapidly become unmanageable, and tracking reviews and updates is very difficult. There are applications available for all sizes and complexity of companies.

 

If this article has been of interest to you, contact Paul Stiff Consulting Pty Ltd on paul@paulstiff.com.au or 0400 259 508 to discuss your Business Continuity Planning requirements.