Michael Porter once famously said “the essence of strategy is choosing what not to do”. While I am sure that Mr. Porter was not necessarily thinking of business continuity when making this statement, it is absolutely applicable to the implementation of a successful business continuity program. There is no better way to ensure business continuity program failure then to improperly scope the program by ignoring the organization’s overall business strategy. This perspective aims to provide clarification on what exactly strategy connected business continuity means, as well as why it is important to all organizations considering the implementation of a successful, focused business continuity program. Additionally, we will explore conversation topics designed to “crystalize” the organization’s business strategy in a way that helps inform the scope and objectives of the business continuity program. Continue reading
As I reflect on my first year as a business continuity professional, I contemplate what has made me successful to date. In my previous role of being an officer in the U.S. Army, I lived and breathed risk assessments and contingency planning (addressing a loss of resources). When I first started in the military, my focus was very tactical, ensuring that there was always a plan to replenish our basic supplies (e.g., bullets, food, gas, and water). These plans were very basic and more reactionary than anything else, but I always knew that as long as I had these resources, I could continue the mission. Continue reading
Bad ideas certainly are not exclusive to popular culture; in fact, articles and case studies litter the internet documenting both public and private organizations attempting to resurrect failed models and strategies in hopes that new capabilities or use cases will finally make a particular idea just as good in practice as it was in theory or on paper.
In the wake of several high-profile, unpredictable, catastrophic incidents (“Black Swan Events”) in 2012, Avalution received a number of requests to develop highly-specific, scenario-based plans from our clients. Planning for Every Scenario is “For the Birds” explains that Black Swan Events cannot be predicted, and advises that organizations that implement flexible strategies, applicable in almost any type of scenario to manage response and recovery, enjoy the highest levels of success when faced with a disruptive incident.
However, the demand for scenario-based plans seems to be back.
We understand why organizations may think scenario-based plans are a good idea; however, their appropriateness, utility, and long-term value is limited – much like line dances, vampire romance movies, and mullets.
Instead, in this perspective we’re going to use a case study to make the argument for a resource loss-based plan development approach. Continue reading
Yes, plan documentation is extremely important. BUT… many organizations fail to recognize that effective business continuity plans – and truly prepared and resilient organizations – are the result of a larger business continuity planning lifecycle that begins with requirements setting and ends with practice (and of course, the process recycles on a continuous basis).
Bottom line – plans are just one key ingredient in the development of an effective business continuity program.
This perspective provides an outline for what Avalution promotes as effective business continuity planning. Please explore the links provided within this document for more in-depth explanations of each step of the planning process. Continue reading
Designing a governance structure and describing its intended performance in the form of program documentation is the first step to ensure your business continuity program produces repeatable results that align to stakeholder expectations.
According to the Business Continuity Institute’s Good Practice Guidelines’ first professional practice, governance provides the foundation for a repeatable and scalable business continuity program.
But what exactly is “governance”? Governance is typically the combination of documented policies and procedures, supported by senior/executive-level management, that define the scope, objectives, approaches, and outcomes associated with a business continuity program. Continue reading
Reader Note: This article is a continuation from Avalution’s November 2014 article titled: We just did a BIA and Risk Assessment … Now What? How to Perform an Effective Business Continuity Gap Analysis. If your organization just finished a business impact analysis (BIA) and risk assessment, but has not yet performed a gap analysis, it may be helpful to read about performing an effective gap analysis before continuing on to this article.
Once an organization understands gaps between business continuity requirements (as defined in the business impact and risk assessment) and current capabilities, management can determine which gaps they wish to address through strategy selection – either through risk mitigation or resource-specific recovery methods. Determining methods to decrease the likelihood of a disruptive incident reduces the potential that a risk will materialize, while identifying methods to respond to and recover from a disruptive incident decreases downtime and protects the organizations’ brand and financial position (among other assets). Continue reading
Early on in the development of a business continuity program, careful, pragmatic scoping can be the difference between quick and appropriate wins and a never-ending planning effort with little capability. Organizations typically build programs due to customer and/or regulatory requirements; however, instead of taking the time to carefully scope and prioritize the business continuity effort (and provide resources accordingly), organizations often take an “all or nothing” approach to planning – plan for every “box on the org chart”, every facility, every application, and every resource. Many organizations do not realize that business continuity can, and often should, initially address an organization’s most critical/time-sensitive products and services, expanding to other parts of the organization overtime. Continue reading
One of the most challenging management system activities that business continuity professionals need to execute (outside of coordinating actual recovery following a disruptive incident) is developing meaningful business continuity program metrics. ISO 22301 does not tell practitioners how to craft meaningful metrics, only that we need to have and share them with management for feedback.
Many business continuity professionals experience challenges with their programs: Continue reading
No one enjoys wasting resources in any form – effort, time, or money. However, organizations that implement business continuity planning in a haphazard attempt to meet a customer requirement, pass an audit, or simply don’t take the time up front to ensure that the proper resources and approach are in place, are setting themselves up to do just that.
This article explores the common business continuity-related mistakes and pitfalls that lead to wasting time, money, and effort, and provides solutions focused on performing business continuity planning as an integrated aspect of your organization that will mature and improve risk mitigation and response/recoverability efforts, as well as deliver long-term value. Continue reading
Following a business impact analysis (BIA) and risk assessment, best practices indicate that an organization should identify business continuity strategies that allow the organization to treat risks and recover business activities in accordance with management-approved requirements. This seems like a simple task on paper; however, in practice, many organizations struggle to do this, and instead jump straight to documenting business continuity plans. In doing so, these plans fail to include the resources and strategies already in place, or the organization fails to acknowledge and address coverage gaps. This leads to a lost opportunity to identify new risk treatments or recovery strategies, ultimately resulting in plans with no real capability to respond and recover. Continue reading