Business Continuity: The Importance of Thinking Both Strategically and Tactically

thinking-both-strategically-and-tacticallyAs I reflect on my first year as a business continuity professional, I contemplate what has made me successful to date. In my previous role of being an officer in the U.S. Army, I lived and breathed risk assessments and contingency planning (addressing a loss of resources). When I first started in the military, my focus was very tactical, ensuring that there was always a plan to replenish our basic supplies (e.g., bullets, food, gas, and water). These plans were very basic and more reactionary than anything else, but I always knew that as long as I had these resources, I could continue the mission. Continue reading

Business Continuity Plans: Resource Loss-based vs Scenario-based

Resource LossFor some reason, bad ideas often attempt to make a comeback – typically, after enough time has passed and the very reason they were discarded or abandoned in the first place is forgotten.

Bad ideas certainly are not exclusive to popular culture; in fact, articles and case studies litter the internet documenting both public and private organizations attempting to resurrect failed models and strategies in hopes that new capabilities or use cases will finally make a particular idea just as good in practice as it was in theory or on paper.

In the wake of several high-profile, unpredictable, catastrophic incidents (“Black Swan Events”) in 2012, Avalution received a number of requests to develop highly-specific, scenario-based plans from our clients. Planning for Every Scenario is “For the Birds” explains that Black Swan Events cannot be predicted, and advises that organizations that implement flexible strategies, applicable in almost any type of scenario to manage response and recovery, enjoy the highest levels of success when faced with a disruptive incident.

However, the demand for scenario-based plans seems to be back.

We understand why organizations may think scenario-based plans are a good idea; however, their appropriateness, utility, and long-term value is limited – much like line dances, vampire romance movies, and mullets.

Instead, in this perspective we’re going to use a case study to make the argument for a resource loss-based plan development approach. Continue reading

Effective Business Continuity: Program vs Plan

TJMany organizations think that effective business continuity planning is synonymous with great plan documentation.

It’s not.

Yes, plan documentation is extremely important. BUT… many organizations fail to recognize that effective business continuity plans – and truly prepared and resilient organizations – are the result of a larger business continuity planning lifecycle that begins with requirements setting and ends with practice (and of course, the process recycles on a continuous basis).

Bottom line – plans are just one key ingredient in the development of an effective business continuity program.

This perspective provides an outline for what Avalution promotes as effective business continuity planning. Please explore the links provided within this document for more in-depth explanations of each step of the planning process. Continue reading

Standard Operating Procedures: Program Documentation That Helps Drive Repeatable Results

SOPDesigning a governance structure and describing its intended performance in the form of program documentation is the first step to ensure your business continuity program produces repeatable results that align to stakeholder expectations.

According to the Business Continuity Institute’s Good Practice Guidelines’ first professional practice, governance provides the foundation for a repeatable and scalable business continuity program.

But what exactly is “governance”? Governance is typically the combination of documented policies and procedures, supported by senior/executive-level management, that define the scope, objectives, approaches, and outcomes associated with a business continuity program. Continue reading

We Just Did a BIA and Gap Analysis… Now What?

Sketch successful businessman concept, idea light bulbHow to Perform an Effective Business Continuity Strategy Identification and Selection Effort

Reader Note: This article is a continuation from Avalution’s November 2014 article titled: We just did a BIA and Risk Assessment … Now What? How to Perform an Effective Business Continuity Gap AnalysisIf your organization just finished a business impact analysis (BIA) and risk assessment, but has not yet performed a gap analysis, it may be helpful to read about performing an effective gap analysis before continuing on to this article.

Once an organization understands gaps between business continuity requirements (as defined in the business impact and risk assessment) and current capabilities, management can determine which gaps they wish to address through strategy selection – either through risk mitigation or resource-specific recovery methods.  Determining methods to decrease the likelihood of a disruptive incident reduces the potential that a risk will materialize, while identifying methods to respond to and recover from a disruptive incident decreases downtime and protects the organizations’ brand and financial position (among other assets). Continue reading

How-To: Effectively Scope Your Business Continuity Program

Program_ScopeEarly on in the development of a business continuity program, careful, pragmatic scoping can be the difference between quick and appropriate wins and a never-ending planning effort with little capability.  Organizations typically build programs due to customer and/or regulatory requirements; however, instead of taking the time to carefully scope and prioritize the business continuity effort (and provide resources accordingly), organizations often take an “all or nothing” approach to planning – plan for every “box on the org chart”, every facility, every application, and every resource.  Many organizations do not realize that business continuity can, and often should, initially address an organization’s most critical/time-sensitive products and services, expanding to other parts of the organization overtime.  Continue reading

Rethinking Business Continuity Metrics

Rethinking_MetricsOne of the most challenging management system activities that business continuity professionals need to execute (outside of coordinating actual recovery following a disruptive incident) is developing meaningful business continuity program metrics. ISO 22301 does not tell practitioners how to craft meaningful metrics, only that we need to have and share them with management for feedback.

Many business continuity professionals experience challenges with their programs: Continue reading

Don’t Waste Your Time or Money on Business Continuity Planning

Waste_Time_on_BCNo one enjoys wasting resources in any form – effort, time, or money. However, organizations that implement business continuity planning in a haphazard attempt to meet a customer requirement, pass an audit, or simply don’t take the time up front to ensure that the proper resources and approach are in place, are setting themselves up to do just that.

This article explores the common business continuity-related mistakes and pitfalls that lead to wasting time, money, and effort, and provides solutions focused on performing business continuity planning as an integrated aspect of your organization that will mature and improve risk mitigation and response/recoverability efforts, as well as deliver long-term value. Continue reading

We Just Did a BIA and Risk Assessment… Now What?

How to Perform an Effective Business Continuity Gap Analysis

Following a business impact analysis (BIA) and risk assessment, best practices indicate that an organization should identify business continuity strategies that allow the organization to treat risks and recover business activities in accordance with management-approved requirements. This seems like a simple task on paper; however, in practice, many organizations struggle to do this, and instead jump straight to documenting business continuity plans. In doing so, these plans fail to include the resources and strategies already in place, or the organization fails to acknowledge and address coverage gaps. This leads to a lost opportunity to identify new risk treatments or recovery strategies, ultimately resulting in plans with no real capability to respond and recoverContinue reading

I’ve Been Assigned Executive Responsibility for Business Continuity – Now What?

15 Key Questions Executives Should Ask to Better Understand the Program’s Current-State and Next Steps

So, you’ve just been assigned responsibility of your organization’s business continuity program.

I’m sure many thoughts are running through your head right now, ranging from “What is business continuity?” to “What do I need to do first?” (among others). However, you’re in the right place to find answers to these questions, and many more. Continue reading