So, you’ve just been assigned responsibility for your organization’s business continuity program.
I’m sure many thoughts are running through your head right now, ranging from “What is business continuity?” to “What do I need to do first?” (among others). However, you’re in the right place to find answers to these questions, and many more.
Organizations characterized as “mature” when it comes to business continuity planning have a top management representative, often called a “program sponsor”, as well as a steering committee to drive alignment with organizational strategy and continual improvement.
But, what happens when executive management assigns a new program sponsor, or when program sponsorship changes? The purpose of this article is three-fold:
- Offer a simple, straightforward definition of business continuity and its outcomes;
- Summarize the top 15 questions a new program sponsor should ask to get acclimated with the current-state planning effort and/or future-state need; and
- Introduce online resources that can provide additional awareness regarding business continuity planning.
What Is Business Continuity?
Business continuity means working to decrease the likelihood of a disruptive incident and preparing your organization to continue the delivery of its most essential products and services if a disruption were to occur. In other words, in the event of a disruptive incident, business continuity helps ensure that everyone – from response personnel through the general employee population – can answer these three questions:
- Where do I go?
- What should I do? and
- When should I do it?
For a more detailed description, please watch this short video describing business continuity.
Getting Acclimated – 15 Key Questions to Ask
You’ve just inherited responsibility (the role of program sponsor) for business continuity, or perhaps you’re a new member of the organization’s business continuity steering committee.
Here are 15 key questions to ask in order to position yourself as a knowledgeable, value-adding sponsor or management representative, and to help you get started on the right track. For each question, I’ve added why the question is important and what answer you should expect to hear.
Key Question 1:
How do we define business continuity and what are our capabilities specific to a loss of facilities, equipment, information technology (applications, communications, data), suppliers, or if we experienced high absenteeism?
- Why Ask? This question helps to understand the scope and objectives associated with the current-state preparedness efforts, and highlights if the focus is limited to select resources.
- Expected Answer: Business continuity planning should be focused on all resources necessary to support the delivery of the organization’s most important products and services, including people, facilities, equipment, information technology and third parties.
Key Question 2:
Is the way in which we currently plan for disruptive incidents ad hoc or is it repeatable?
- Why Ask? This question helps determine if the organization has, historically, treated business continuity planning as a recurring process or as ad hoc projects.
- Expected Answer: The optimal answer is that business continuity planning is a set of repeatable, evergreen activities designed to ensure alignment between organizational strategy and business continuity strategy.
Key Question 3:
Are we subject to any business continuity-related legal, regulatory, or contractual obligations?
- Why Ask? In many industries, as well as part of business-to-business relationships, regulatory or contractual requirements exist that influence the way in which organizations plan for business continuity, or the outcomes themselves.
- Expected Answer: Hopefully, the organization formally assessed – and continues to assess – legal, regulatory, and contractual requirements that may influence business continuity and a summary exists for your review.
Key Question 4:
What do our customers expect – realistically – if we experience a disruptive incident? Are they asking us about business continuity planning?
- Why Ask? Customer expectations are one of the top business continuity planning drivers. Failing to meet their expectations could impact future business, or potentially result in a breach if formally documented in a contract.
- Expected Answer: It depends, but hopefully those involved in business continuity planning have a good understanding of formal and informal customer expectations and a summary of contractual requirements.
Key Question 5:
What are our competitors doing when it comes to business continuity planning? Do they market this capability?
- Why Ask? Business continuity planning has become a competitive differentiator in some industries due to recent, high-profile disasters and disruptions. Understanding the competition may influence your time and resource investment, as well as business continuity requirements.
- Expected Answer: Expect those involved in business continuity planning to understand what the organization’s competitors are doing and what they’re marketing as a business continuity capability.
Key Question 6:
What is it in our environment – or about the way we operate – that would increase the likelihood of a disruption or make it more difficult to recover?
- Why Ask? The purpose of asking this question is to understand the outcomes of previous risk assessments. For example, you may learn that the organization has created or continues to create single points of failure (vulnerabilities). You may also learn about specific threats that the organization is particularly susceptible to based on how it operates or the existence of single points of failure.
- Expected Answer: Organizations that have previously performed effective risk assessments understand vulnerabilities, control deficiencies, control enhancement opportunities, as well as the threats that could lead to a disruptive incident.
Key Question 7:
If we did nothing more, what could we expect in terms of product/service downtime if we experienced an event impacting the availability of any of our key resources?
- Why Ask? This is an incredibly important question that helps you understand the scope of the program and its current capabilities for ensuring the continued delivery of products and services to your customers.
- Expected Answer: Based on business continuity requirements and strategies for the resources that support the delivery of key products and services (people, facilities, equipment, information technology and suppliers), expect to better understand the organization’s current state capability to recover in terms of downtime, capacity and quality.
Key Question 8:
What is our worst-case scenario?
- Why Ask? This simple question helps to uncover key concerns or vulnerabilities when it comes to response and recovery.
- Expected Answer: Expect to hear about a specific resource loss scenario that could result in an impact that exceeds the organization’s risk appetite due to a lack of preparedness or a specific risk that remains untreated.
Key Question 9:
How ready are we to communicate internally and externally? Do we know who would coordinate our messaging, do we know our audiences, and have we identified the best ways to communicate?
- Why Ask? Crisis communications capability is a key success factor when faced with a disruptive incident. Effective communications can not only speed the response and recovery effort but also preserve relationships by sharing current response and recovery status.
- Expected Answer: Optimally, the organization has identified key internal and external audiences requiring communications during a disruptive incident, as well as the best methods of communications delivery, timing, and message content.
Key Question 10:
Are our employees ready to respond and recover? Are there clear roles and responsibilities?
- Why Ask? The purpose of this question is to understand past employee training and awareness efforts, and how effective they were in clarifying roles and responsibilities during a disruptive incident.
- Expected Answer: Hope to hear that program-level roles and responsibilities are documented and socialized, competencies for each are known, and training and awareness efforts are in place that contribute to building competencies and awareness, as required.
Key Question 11:
What have we proven in terms of response and recovery capability?
- Why Ask? This question helps to understand the results of past tests and exercises, as well as the results from actual response and recovery efforts.
- Expected Answer: Hopefully the organization regularly tests and exercises its response and recovery efforts for all key, in-scope resources. Also, these tests and exercises should compare business continuity requirements to actual proven capabilities, as well as how these capabilities affect product/service recoverability.
Key Question 12:
How do we compare to other organizations in our industry or of a similar size?
- Why Ask? Similar to the question regarding competitive landscape, this question helps to understand if, directionally, your organization is performing the most appropriate planning activities and achieving the right results.
- Expected Answer: Don’t have an expectation! Each organization views risk and its obligations differently, and therefore business continuity investment differently. Expect similar outcomes, but don’t expect similar investment or business continuity requirements. The word “directional” is key.
Key Question 13:
What are our top three continual improvement opportunities?
- Why Ask? This question helps determine if the organization is tracking and prioritizing ways to improve rather than simply executing methodology and documenting plans.
- Expected Answer: Expect to learn about gaps in the preparedness effort and outstanding recommendations to close preparedness gaps. Optimally, these continual improvement opportunities are a mix of strategic and tactical issues, prioritized based on the impact to product/service recoverability.
Key Question 14:
Are there any standards influencing how organizations perform business continuity planning?
- Why Ask? Standards are a form of benchmarking, developed in a consensus manner based on country or industry. Standards are a great source of best practices and can help a program sponsor quickly learn about business continuity expectations.
- Expected Answer: Expect to learn about industry-specific regulatory requirements (for some industries), as well as country and international standards (a new family of ISO standards was introduced over the past few years, in particular ISO 22301).
Key Question 15:
What’s expected of me as a business continuity program sponsor?
- Why Ask? This simple question often highlights where issues remain in preparedness and what you can do to help eliminate roadblocks.
- Expected Answer: Expect to hear about the need to get other executives involved, or the resources needed to appropriately prepare. Be ready to push back and ask why the recommendation is important and the implications of not taking action based on product/service recoverability.
Additional Business Continuity Awareness Resources
Driven by customer requirements, a complex, global operating environment, and an increasing threat landscape, more and more organizations are investing time and resources in business continuity planning. Although pretty straightforward from a conceptual perspective, business continuity planning requires some introduction and a review of best practices in order to achieve effective and efficient outcomes. Avalution recently released a series of short on-line videos to address common questions and introduce the key concepts of business continuity planning (resources 1 and 2 below). I’ve also included additional business continuity-related resources for your review.
- Business Continuity 101: Common Questions
Answers to the six most common business continuity-related questions we receive.
- Business Continuity 101: Key Activities and Outcomes
Examine the six key business continuity planning activities that drive success.
- Business Continuity Blog
Our blog is solely focused on business continuity and IT disaster recovery – insights, advice, trends, best practices, and common issues and solutions.
- Business Continuity Standards and Regulations
A summary of the leading regulatory requirements and standards related to business continuity and IT disaster recovery.
- Business Continuity Industry Resources
Information on the industry’s leading associations, certification bodies, and publications.
Avalution Consulting: Business Continuity Consulting