Michael Porter once famously said “the essence of strategy is choosing what not to do”. While I am sure that Mr. Porter was not necessarily thinking of business continuity when making this statement, it is absolutely applicable to the implementation of a successful business continuity program. There is no better way to ensure business continuity program failure then to improperly scope the program by ignoring the organization’s overall business strategy. This perspective aims to provide clarification on what exactly strategy connected business continuity means, as well as why it is important to all organizations considering the implementation of a successful, focused business continuity program. Additionally, we will explore conversation topics designed to “crystalize” the organization’s business strategy in a way that helps inform the scope and objectives of the business continuity program. Continue reading
In many ways, this “top five” list is aspirational – that being my hopes for our profession as we solve some entrenched challenges and work to add more value to the organizations we serve. Continue reading
As I reflect on my first year as a business continuity professional, I contemplate what has made me successful to date. In my previous role of being an officer in the U.S. Army, I lived and breathed risk assessments and contingency planning (addressing a loss of resources). When I first started in the military, my focus was very tactical, ensuring that there was always a plan to replenish our basic supplies (e.g., bullets, food, gas, and water). These plans were very basic and more reactionary than anything else, but I always knew that as long as I had these resources, I could continue the mission. Continue reading
As published in the Summer 2016 Issue of the Disaster Recovery Journal – Volume 29, Number 3.
One of the latest threats to organizations is something termed “ransomware”. Commonly defined as a type of malware that blocks access to an application and its data until the victim pays a predetermined amount of money. You may have read about two recent attacks, one targeting the Hollywood Presbyterian Medical Center and the other targeting MedStar. If you haven’t heard about these two attacks, perhaps you can pause for a minute and do a quick Google search to learn more. And, after you do, I have a question for you to consider:
If your organization hasn’t already prepared for this type of threat (ransomware or malware in general), who owns planning for it or preparing contingencies addressing the affected resources?
This article discusses some of the threats and risks that are currently top-of-mind for executive managers and why resilience-related thinking is so important, as well as the different roles that the business continuity professional can perform to add value. Continue reading
Risks to critical business operations due to systems outages have been, and will always be, a concern for most organizations. As a result, IT disaster recovery planning is critical to help reduce the likelihood of a system disruption, or reduce downtime if (when) a disruption does occur. So, if you’re looking for an introduction to IT disaster recovery planning, you’re in the right place!
This perspective presents how IT disaster recovery planning fits into the overall organizational Business Continuity Program; discusses common goals in developing Business Continuity and Disaster Recovery plans; and explores unique activities that must be considered when developing an IT Disaster Recovery Plan. Continue reading
Designing a governance structure and describing its intended performance in the form of program documentation is the first step to ensure your business continuity program produces repeatable results that align to stakeholder expectations.
According to the Business Continuity Institute’s Good Practice Guidelines’ first professional practice, governance provides the foundation for a repeatable and scalable business continuity program.
But what exactly is “governance”? Governance is typically the combination of documented policies and procedures, supported by senior/executive-level management, that define the scope, objectives, approaches, and outcomes associated with a business continuity program. Continue reading
Early on in the development of a business continuity program, careful, pragmatic scoping can be the difference between quick and appropriate wins and a never-ending planning effort with little capability. Organizations typically build programs due to customer and/or regulatory requirements; however, instead of taking the time to carefully scope and prioritize the business continuity effort (and provide resources accordingly), organizations often take an “all or nothing” approach to planning – plan for every “box on the org chart”, every facility, every application, and every resource. Many organizations do not realize that business continuity can, and often should, initially address an organization’s most critical/time-sensitive products and services, expanding to other parts of the organization overtime. Continue reading
One of the most challenging management system activities that business continuity professionals need to execute (outside of coordinating actual recovery following a disruptive incident) is developing meaningful business continuity program metrics. ISO 22301 does not tell practitioners how to craft meaningful metrics, only that we need to have and share them with management for feedback.
Many business continuity professionals experience challenges with their programs: Continue reading
Senior management engagement is critical to business continuity success, so it’s becoming more and more common for organizations to involve management when designing and implementing business continuity programs. However, after the initial implementation project wraps up, it is much less common for organizations to regularly engage management on program direction, capability, and maturation, via what the management system concept calls a “management review”. While the concept of management reviews is relatively new to the business continuity profession, when fully implemented and combined with appropriate messaging, management reviews are the best way to get management to participate actively and stay engaged, as well as close program gaps and improve performance. Continue reading
Developing strong business continuity plans characterized as actionable, relevant, and simple to execute can be a very difficult task for many organizations. In other articles, Avalution examined the different types of business continuity plans, what information should be included, and how organizations can focus on the basics to develop effective plans. One trend that our consultants see across industries is that as business continuity programs mature, planning approaches inevitably change, often (and unfortunately) becoming more complicated and burdensome over time. As plans become overburdened with complex requirements, simplicity, quality, and effectiveness suffer.
This perspective examines the six typical symptoms of “bad plans” and their common root causes, and provides suggestions on how organizations can develop plans described as actionable, relevant, and simple. Continue reading