It seems that every week, there’s a story in the news about a catastrophic disaster happening somewhere in the world. The last five to ten years have seen what appears to be unprecedented numbers of global natural disasters, leaving some to wonder if the whole 2012 end of days conspiracy theorists are perhaps onto something. While it might seem like the world is ending, overacting to these events or trying to plan for every worst case scenario is not productive and could DAMAGE your business continuity program. This article will discuss why focusing on these types of outlier events do not generate value or management interest, as well as discuss ways you CAN tweak your risk assessment and planning to ultimately gain more value without trying to tackle impossible planning standards. Continue reading
A critical and foundational element of business continuity planning is a clear understanding of the business environment, together with the critical products and services and processes that contribute to the creation of business value. To recover successfully, an organization must connect its critical products and services to the key elements that produce them. In addition to facilities, equipment, people, technology and data, these elements include suppliers and the goods they supply, the internal process stream (or streams that transform the resources and input), and the consumers of the output. Overall, a business continuity professional must have a clear understanding of day-to-day business processes and resources in order to be successful in planning for disruptive incidents.
The question then becomes how to develop a repeatable process that provides this clear understanding without making it an end unto itself and creating unsustainable overhead. Even better, how can the business continuity professional leverage tools and methodologies in use by other disciplines to improve performance throughout the organization? Continue reading
Executives love metrics and dashboards. Always time-constrained, they ask for metrics that can be reviewed at a glance to understand performance quickly and determine if an investment is paying off. Not unlike other disciplines, business continuity practitioners commonly find themselves developing metrics to communicate readiness and justify investment, as well as seeking feedback to prioritize continual improvement and remediation activities. But to be most effective, they must be Quality metrics. But, what do we mean by “Quality” metrics? In this perspective, we’ll not only describe attributes of Quality metrics, but we hope to make the case that business continuity professionals should be reporting on much more than the planning activities that they perform or manage – they must also compare the end results of the planning processes (strategies and solutions) to management’s approved recovery objectives. Continue reading
PART II: IMPLEMENTING A CULTURE OF CONTINUITY
In part one of this series we defined a culture of continuity as “an organizational state of being in which all personnel inherently work to minimize the likelihood of downtime and improve responsiveness and recoverability as they perform day-to-day activities”. That’s a pretty high bar for most organizations to meet!
As such, it’s important to take a moment to truly assess the need for such an undertaking and the true value that it will add to your organization. Much like any other initiative throughout an organization, it’s important for business continuity efforts to directly align to key organizational objectives, goals and priorities. In doing so, you’ll be better prepared to gain buy-in and commitment from senior leadership as you will be working to add value to the entire organization, not just push a business continuity “agenda”. Continue reading
PART I: DEFINING A CULTURE OF CONTINUITY
“Culture of continuity”…it sounds beautiful, doesn’t it? It flows off the tongue so naturally as we describe the quintessential business continuity program – a program embedded into an organization so well that personnel fully commit to business continuity and consider it in every decision they make. An environment where executive management considers the organization’s ability to recover from disruption during strategic planning discussions, and thinks about minimizing downtime and maximizing recovery during project development (as opposed to after-the-fact implementations). But, what does that phrase really mean? In part one of this series, we’ll define “culture of continuity” and dive into its importance and fit into every organization. Continue reading
The introduction of ISO 22301 (Societal security – Requirements – Business continuity management system) more closely aligns business continuity to the broader risk management discipline. A major contributor to this alignment is the standard’s requirement to understand the organization’s “risk appetite” (a term not used in BS 25999). Continue reading
Avalution’s March 2012 hospital perspective (Hospital Preparedness: The Intersection of HICS, Business Continuity and IT Disaster Recovery) discussed how hospitals can integrate siloed preparedness activities into a single, unified preparedness program. Since the article’s publication, Avalution received a number of questions regarding how those involved in preparedness (emergency management, business continuity, and IT disaster recovery) should interact during a response and recovery effort, and who is responsible for responding to each type of event. This article aims to answer these questions. Continue reading
Many business continuity professionals face shrinking budgets and, because of an expanding business continuity program scope and aggressive recovery objectives, lack the time necessary to “touch” all areas of the organization and optimally prepare for disruptive events. As a result, practitioners need a way to create repeatable processes to execute recurring planning activities in a decentralized manner while making efficient use of the organization’s personnel to comply with management’s expectations. One approach we often find useful in rolling out a standardized, thorough, efficient and repeatable process for business continuity activities is the creation of a business continuity program toolkit. A business continuity toolkit typically contains a set of instructional narratives, as well as templates, tools and examples to help dispersed personnel appropriately execute business continuity planning activities consistent with organizational standards. Continue reading
Though many business continuity standards emphasize the importance of tracking corrective actions to address identified issues, the recently published ISO 22301 (and previously BS 25999-2) also requires conducting a root cause analysis – looking not just at an issue, but its cause and how it can be prevented in the future. Root cause analysis (RCA) is an approach that seeks to proactively prevent reoccurrences of the same adverse event or systems failure by tracing causal relationships of a failure to its most likely impactful origin, then putting measures in place to mitigate underlying causes to ultimately help prevent recurrence of the adverse event in the future. While common in disciplines that deal with extreme precision and protection of life (e.g. quality and environmental health and safety), there’s no reason the business continuity discipline cannot benefit from a similar approach, particularly for practitioners looking to fully implement ISO 22301. This article explains root cause analysis and identifies how organizations can benefit from implementing the concept in a business continuity context. Continue reading
Your organization has spent considerable resources preparing for disruptive events, and now a crisis is looming. Plans are in place, detailing assigned roles and responsibilities that involve crisis leadership, as well as response and recovery procedural execution. But, will your Crisis Management Team Leader be effective? Will your response be successful? Often, one of the most significant key success factors is the choice of crisis leadership. Continue reading