Treating the Causes of Bad Business Continuity Training Programs

Faults & Fixes SeriesFaults & Fixes: Bad Training

As business continuity professionals, we tend to gravitate to the activities where we think we can deliver the most value. This often takes the form of the business impact analysis, helping management come up with strategies that minimize risk, and documenting these strategies into plans. Ensuring that a business continuity program employs effective training approaches and engages business process owners, unfortunately, often plays “second fiddle” to other activities. One only needs to browse any of the top business continuity and disaster recovery related publications to see this disparity. Searching for “business impact analysis” or “business continuity plan” yields substantially more results than “business continuity training.” Yet without effective training, all that hard work will likely either fail or not perform to desired standards during a real disruptive incident. Continue reading

FFIEC Updates Business Continuity Planning Booklet with Appendix J

FFIEC_Appendix_JAppendix J: Strengthening the Resilience of Outsourced Technology Services

The Federal Financial Institutions Examination Council (FFIEC) recently released an updated a version of its Business Continuity Booklet, which is one in the series of booklets that comprise the larger Information Technology (IT) Examination Handbook.

This article provides an overview of Appendix J and discusses the confirmed importance that continuity planning isn’t limited to just your organization; rather, it extends to all outsourced and supplier relationships as well. Continue reading

How-To: Effectively Scope Your Business Continuity Program

Program_ScopeEarly on in the development of a business continuity program, careful, pragmatic scoping can be the difference between quick and appropriate wins and a never-ending planning effort with little capability.  Organizations typically build programs due to customer and/or regulatory requirements; however, instead of taking the time to carefully scope and prioritize the business continuity effort (and provide resources accordingly), organizations often take an “all or nothing” approach to planning – plan for every “box on the org chart”, every facility, every application, and every resource.  Many organizations do not realize that business continuity can, and often should, initially address an organization’s most critical/time-sensitive products and services, expanding to other parts of the organization overtime.  Continue reading

Why Testing and Exercising is Essential for an Effective Business Continuity Program

BCAW 2015 LogoThis post is part of the Business Continuity Awareness Week (BCAW) 2015 flashblog. To learn more about The BCI and BCAW 2015, visit the website or follow the discussion on Twitter via #BCAW2015 and #TestingTimes.

Exercising. Whether you’re talking about hitting the gym or testing your business continuity strategies and plans, I’ve come to find that no one likes hearing this word. The typical reaction and excuses are similar, too: I don’t have the time; I have better things to do; I just don’t see the value.

Well, okay… the last one pertains a bit more to business continuity, but I’m sure you get my point. Continue reading

Treating the Causes of Bad Exercises

Faults & Fixes SeriesFaults and Fixes: Bad Exercises

Practice—it’s a key to success in any pursuit. Whether it’s within sports, hobbies, or business, practice is integral to fostering success, and business continuity planning is no exception. Arguably, the most effective way to practice implementing business continuity plans, processes, and strategies is by performing exercises. Not only will a good exercise improve preparedness, it will also socialize business continuity planning among the organization’s key leaders and demonstrate the value of business continuity planning. However, many exercises fail to “impress” and meet the goals of socializing capabilities, building competencies, and identifying opportunities for improvement. Within this perspective, we’ll take a look at some of the key causes and simple fixes that will allow business continuity practitioners to plan for and facilitate an engaging, beneficial business continuity exercise. Continue reading

Risky Business (Part 2): Too Lean, Too Late

Risky Business - Supply ChainMany organizations today aim to make operations as lean as possible. But, in doing so, are these organizations unknowingly increasing the risk of operational downtime and excess cost? Due to streamlining operations and eliminating redundant activities or suppliers, one misstep or disruption (either internally or externally), can result in time-consuming and costly operational delays, or much worse, impact market positioning or even threaten the survival of the organization.

This perspective is part two of a supply chain risk management-focused series called “Risky Business”. In part one, Managing Third-Party and Supplier Risk, we discussed the importance of protecting your organization from risks associated with a dependence on suppliers (and service providers), as well as how to analyze potential impacts and prioritize these risks.

In this perspective we’ll discuss the specific business continuity strategies and risk treatment options available to mitigate the risk associated with supplier dependencies to an acceptable level. Continue reading

Treating the Causes of Bad BIAs

Faults & Fixes SeriesFaults & Fixes: Bad BIAs

Nearly all business continuity practitioners understand the importance of conducting a business impact analysis (BIA) in order to lay the foundation for a viable business continuity program. Organizations who perform and continually improve effective BIA processes gather essential business information for the activities that support organizational product and service delivery, such as process-related information, justification for business continuity requirements, recovery objectives, and resource requirements necessary to achieve recovery objectives and performance targets following the onset of a disruptive incident. This information drives the selection of organizational business continuity strategies, serves as an input to business continuity plans, and provides insight into potential organizational risks. Continue reading

Rethinking Business Continuity Metrics

Rethinking_MetricsOne of the most challenging management system activities that business continuity professionals need to execute (outside of coordinating actual recovery following a disruptive incident) is developing meaningful business continuity program metrics. ISO 22301 does not tell practitioners how to craft meaningful metrics, only that we need to have and share them with management for feedback.

Many business continuity professionals experience challenges with their programs: Continue reading

What You Need to Know: Cloud Computing and Business Continuity

The_CloudCloud computing is potentially the most important technology development of this decade, so business continuity professionals should rightly be asking: “What does it really mean and how does it affect me?” This perspective is designed to address common questions about cloud computing.

What is the Cloud?
Bottom-line – it is a marketing term. Like all great marketing terms, it can be used to mean anything, and thus, it actually means very little. For our purposes, I’d like to suggest the following explanations for “the cloud”, which have proven broadly true in practical experience: Continue reading

Don’t Waste Your Time or Money on Business Continuity Planning

Waste_Time_on_BCNo one enjoys wasting resources in any form – effort, time, or money. However, organizations that implement business continuity planning in a haphazard attempt to meet a customer requirement, pass an audit, or simply don’t take the time up front to ensure that the proper resources and approach are in place, are setting themselves up to do just that.

This article explores the common business continuity-related mistakes and pitfalls that lead to wasting time, money, and effort, and provides solutions focused on performing business continuity planning as an integrated aspect of your organization that will mature and improve risk mitigation and response/recoverability efforts, as well as deliver long-term value. Continue reading