Standard Operating Procedures: Program Documentation That Helps Drive Repeatable Results

SOPDesigning a governance structure and describing its intended performance in the form of program documentation is the first step to ensure your business continuity program produces repeatable results that align to stakeholder expectations.

According to the Business Continuity Institute’s Good Practice Guidelines’ first professional practice, governance provides the foundation for a repeatable and scalable business continuity program.

But what exactly is “governance”? Governance is typically the combination of documented policies and procedures, supported by senior/executive-level management, that define the scope, objectives, approaches, and outcomes associated with a business continuity program. Continue reading

How-To: Effectively Scope Your Business Continuity Program

Program_ScopeEarly on in the development of a business continuity program, careful, pragmatic scoping can be the difference between quick and appropriate wins and a never-ending planning effort with little capability.  Organizations typically build programs due to customer and/or regulatory requirements; however, instead of taking the time to carefully scope and prioritize the business continuity effort (and provide resources accordingly), organizations often take an “all or nothing” approach to planning – plan for every “box on the org chart”, every facility, every application, and every resource.  Many organizations do not realize that business continuity can, and often should, initially address an organization’s most critical/time-sensitive products and services, expanding to other parts of the organization overtime.  Continue reading

Rethinking Business Continuity Metrics

Rethinking_MetricsOne of the most challenging management system activities that business continuity professionals need to execute (outside of coordinating actual recovery following a disruptive incident) is developing meaningful business continuity program metrics. ISO 22301 does not tell practitioners how to craft meaningful metrics, only that we need to have and share them with management for feedback.

Many business continuity professionals experience challenges with their programs: Continue reading

Treating the Causes of Bad Management Reviews

Faults & Fixes: Bad Management Reviews

Senior management engagement is critical to business continuity success, so it’s becoming more and more common for organizations to involve management when designing and implementing business continuity programs.  However, after the initial implementation project wraps up, it is much less common for organizations to regularly engage management on program direction, capability, and maturation, via what the management system concept calls a “management review”.  While the concept of management reviews is relatively new to the business continuity profession, when fully implemented and combined with appropriate messaging, management reviews are the best way to get management to participate actively and stay engaged, as well as close program gaps and improve performance.  Continue reading

Treating the Causes of Bad Business Continuity Plans

Faults & Fixes: Bad Plans

Developing strong business continuity plans characterized as actionable, relevant, and simple to execute can be a very difficult task for many organizations. In other articles, Avalution examined the different types of business continuity plans, what information should be included, and how organizations can focus on the basics to develop effective plans. One trend that our consultants see across industries is that as business continuity programs mature, planning approaches inevitably change, often (and unfortunately) becoming more complicated and burdensome over time. As plans become overburdened with complex requirements, simplicity, quality, and effectiveness suffer.

This perspective examines the six typical symptoms of “bad plans” and their common root causes, and provides suggestions on how organizations can develop plans described as actionable, relevant, and simple.  Continue reading

How, When, and If to Implement Business Continuity Software

Business continuity planning software can add significant value if it complements a strong program that has management support, competent personnel, and the information necessary to establish requirements, identify strategies, and document plans. While software will not “do business continuity planning for an organization”, it can provide an already-built and structured approach that automates what could otherwise be a manual internal process, freeing practitioners to focus on program maturation.  That said, not all software is right for every organization, so it is important to ensure any selected software is a right fit BEFORE trying to implement it.  Many organizations approach software selection anticipating that the software vendor will show them what they need or tell them what features best fit their program; however, without first understanding the program’s current state, needs, and capabilities, odds increase that organizations will select software that does not align to the current state program and could thus require significant additional customization or result in ineffective use.

This article discusses common business continuity software myths and selection issues and provides recommendations on factors to consider before deciding to pursue, select, and implement a business continuity planning software solution, so that you can get the most value from whatever option you select. Continue reading

Program Roles & Responsibilities in a Business Continuity Management System

Part of Avalution’s Conforming to ISO 22301 Series

This perspective is the seventh in a series to discuss key elements of the ISO 22301 business continuity management system, including value-adding elements of the standard or requirements that could “trip up” an organization during the certification process. Continue reading

Supporting IT Disaster Recovery Planning – A CMDB versus Traditional Business Continuity Software

Recently, a question was raised by a client regarding whether it would be better to create a method to manage technical information in support of the IT disaster recovery planning effort, acquire and implement a commercial Configuration Management Database (CMDB) solution, or customize its existing business continuity software solution. The short answer is, “it depends”. This perspective discusses this commonly asked question, which by the way, is very important given the need to understand the relationship between IT infrastructure, applications, data, and business continuity requirements. Continue reading

Challenges in Implementing a Successful Business Continuity Program

Congratulations! You’ve started your business continuity planning effort—sometimes, that’s the hardest part. Now, you’re working diligently on your organization’s business continuity program, but it’s not delivering the results you had hoped. You’re performing a business impact analysis (BIA) and risk assessment, documenting plans, and socializing the next steps for your program, but it’s not progressing like you would expect or maybe it doesn’t have the capability your organization needs. So, what can you do?

This perspective outlines the common challenges organizations face when implementing a business continuity program that meets response and recovery expectations, and offers solutions that business continuity managers can pursue to address these challenges. Continue reading

Using Lessons Learned in the Evaluation of Business Continuity Procedures

Part of Avalution’s Conforming to ISO 22301 Series

The management system approach to business continuity requires a culture of continual improvement in business continuity programs.  One of the key steps in facilitating continual improvement is to regularly evaluate existing business continuity procedures.  This perspective takes a closer look at Clause 9.1.2, ISO 22301’s requirement for evaluation of business continuity procedures.  Continue reading