Senior management engagement is critical to business continuity success, so it’s becoming more and more common for organizations to involve management when designing and implementing business continuity programs. However, after the initial implementation project wraps up, it is much less common for organizations to regularly engage management on program direction, capability, and maturation, via what the management system concept calls a “management review”. While the concept of management reviews is relatively new to the business continuity profession, when fully implemented and combined with appropriate messaging, management reviews are the best way to get management to participate actively and stay engaged, as well as close program gaps and improve performance.
If you are new to the concept of management reviews, we recommend first reading How to Perform Effective Management Reviews, which provides the background and a detailed step-by-step look at the ISO 22301 clauses that define management review, and explains ISO’s concept of products and services. The article also covers two common reasons management reviews can be ineffective, which include:
- Information Doesn’t Relate to Products and Services: Many business continuity practitioners believe that presenting department-level recovery objectives and resource requirements to executives is the clear and obvious choice; however, to executives, information presented in this manner is the equivalent of throwing puzzle pieces on a table and expecting them to see the big picture. By presenting information based on how executives actually view the organization (i.e. products and services that drive revenue), you’ll gain executive buy-in and enable them to strategize on solutions to reduce exposure and enable recovery of products and services within defined objectives.
- Program Fails to Track and Report on Action Items Closure: What doesn’t get measured, doesn’t get done, so it’s important to document and present progress (or lack thereof) to management to enable appropriate escalation, support, and closure.
As many practitioners don’t currently have much experience or practice in holding management reviews, I’ve compiled a list of the five most common reasons (in addition to the two mentioned above) that management reviews often fail to elicit the level of management involvement and support necessary to enable optimal program improvements.
The perspective examines the typical symptoms of “bad management reviews” and their common root causes, and then provides suggestions on how practitioners can best design and execute management reviews to ensure the sessions are effective and promote change.
- Getting management to pay attention to business continuity is nearly impossible
- Steering Committee members do not have the authority to authorize policies or require changes
- Management complains that they invest but see no measurable improvement
- Management doesn’t connect with the presentation (two parts)
SYMPTOM: GETTING MANAGEMENT TO PAY ATTENTION TO BUSINESS CONTINUITY IS NEARLY IMPOSSIBLE
Root Cause: Policy/SOP fails to hold management accountable for performing regular reviews
Again, what doesn’t get measured doesn’t get done. Executives are incredibly busy, so requesting their attention in an ad hoc manner will likely result in meetings being pushed to a later date, cut short, or canceled. However, if your program sponsor signs off on a policy that requires regular leadership involvement with a defined group of participants (such as a Business Continuity Steering Committee) and your SOP defines a specific frequency to meet, then a failure to hold management meetings means failure to comply with policy requirements. If your policy already requires leadership involvement, consider requesting that the program sponsor remind the group of their obligation.
SYMPTOM: STEERING COMMITTEE MEMBERS DO NOT HAVE THE AUTHORITY TO AUTHORIZE POLICIES OR REQUIRE CHANGES
Root Cause: BCSC membership is at the mid-management level, instead of the executive level
While some executives think that business continuity is tactical and thus can be delegated down as an operational responsibility, steering committees are typically most effective when they include the strategic leaders of the organization who are ultimately accountable for performance and ensuring the organization meets its stakeholder expectations. An organization’s executives are the individuals most in tune with strategic stakeholder expectations, they have the authority to tolerate/accept risk, and they have the power to invest in business continuity to reduce unacceptable risk. In reality, business continuity is not just “having a plan in place” – it’s the capability of an organization to minimize impacts and appropriately prioritize response and recovery activities to meet strategic objectives, and executive involvement is one of the best ways to achieve this.
SYMPTOM: MANAGEMENT COMPLAINS THAT THEY INVEST BUT SEE NO MEASURABLE IMPROVEMENT
Root Cause: Presentations fail to use a consistent structure that clearly demonstrates improvement
When executive leadership invests in something, they expect to see tangible outcomes and improvement. An inability to demonstrate such progress can lead management to be less willing to invest further in the program. Utilizing a formal template that includes specific metrics enables management to compare the previous management review’s status to the current state and identify trends, issues, and progress. Specific sections to incorporate into the management review include:
- Previous action items
- Program component/activity updates
- Program metrics that demonstrate compliance with policy and procedure expectations
- Program metrics that demonstrate a validated capability to meet product and service downtime tolerances
- Analysis on gaps and recommended actions
- Upcoming initiatives and program next steps (including any necessary investment/resource requests)
For additional guidance on developing value-adding metrics, read: Quality Metrics – Business Continuity Program Performance versus Recoverability.
SYMPTOM: MANAGEMENT DOESN’T CONNECT WITH THE PRESENTATION (PART 1)
Root Cause: You’re presenting the “wrong” data
As mentioned earlier, executives typically best comprehend the impacts of information when it is presented from a top-down perspective. Rather than trying to build a picture from the ground up by displaying department level information in an effort to paint a picture of capability, try first presenting the management defined goals for the recovery of products and services, and then presenting how current strategies enable or fail to support achievement of these objectives. Leadership requires information that enables them to make decisions, so this approach presents gaps as a roadblock to achieving goals. This is more relatable to executives and more likely to elicit a solution.
SYMPTOM: MANAGEMENT DOESN’T CONNECT WITH THE PRESENTATION (PART 2)
Root Cause: You’re presenting the data “wrong”
As Dale Carnegie teaches, “You are the message”. Ultimately, it doesn’t matter how great your message is, if it is delivered poorly, management will receive it poorly. Bad presentation skills or poor supporting materials can completely destroy executive confidence and interest in further investing in a business continuity program. One of the most powerful presentation approaches is a persuasive argument, so determine what specific actions you need from leadership (focusing on the few with the highest priority), define an argument that supports why such action or investment is necessary, limit presentation word counts to only the most important bullet points necessary to communicate urgency, and practice calmly delivering the argument. If you present information in terms and language that management can understand, it will enable them to process the data and take appropriate action.
Addressing these issues will significantly improve your message to leadership and better enable them to support the program with appropriate attention and investment.
Continue to visit avalution.com or our business continuity and IT disaster recovery blog for more posts in Avalution’s Business Continuity Faults & Fixes Series.
Business continuity and IT disaster recovery planning is all that we do. If you’re looking for help with building or improving your business continuity program, we can help.
Please contact us today to get started. We look forward to hearing from you!
Avalution Consulting: Business Continuity Consulting