Building organizational resilience

  • 10 Sep 2019

For several years now I have been delivering Business Continuity (BC) training and consultancy to practitioners and senior managers. If I may quote Alan Partridge from BBC’s ‘Knowing Me, Knowing you’ comedy radio show, I have “the ability to make the essentially complex, inordinately simplistic!” The joke is Alan took this comment as a compliment! However, I think there is a real challenge to make BC assessible to people who don’t live and breath the topic and I offer the table below as a handy guide to help explain the BC lifecycle.

Stage of the BC lifecycle

Official definition

In plain English

 

Policy and Programme Management

 

Policy is the intention and direction of an organization as formally expressed by its Top Management. It is the key document that sets out the scope and governance of the Business Continuity Management (BCM) Programme and reflects the reasons why it is being implemented. Sources: ISO 22301

 

Programme is the on-going management and governance process supported by Top Management and appropriately resourced to implement and maintain BCM. Source: ISO 22301

 

Who’s in charge and where’s the money!

 

Get your governance arrangements in place and capture this in the BC Policy.

 

The BC policy sets out your journey with defined, roles and responsibilities, what is and is not in scope, and how will you know you get there (performance metrics).

 

Embedding

Defines how to embed BC into business as usual activities and organisational culture

 

Activities include raising awareness, encouraging buy-in, ensuring the required skills and competencies are in place, providing training and learning opportunities

 

“Values, attitudes and behaviour of an organisation that contribute to the unique social and psychological environment in which it operates” (ISO 22316:2017)

 

Show me evidence that BC is part of the way things are done in this organisation.

 

Embed the arrangements through training and awareness programmes.

 

BC is part of the induction process, appraisal objectives, recorded in job descriptions, agenda items on management meetings, etc.

 

Analysis

“A process for analysing the consequences of a disruptive incident on the organization.  The outcome is a statement and justification of business continuity requirements.” (Source: ISO 22317:2015)

 

Establish a recovery time objective (RTO), a maximum tolerable period of disruption (MTPD) and a minimum business continuity objective (MBCO)

 

 

Get your team together and ask…If we didn’t do our job, who would notice and how quickly would they notice?

 

Identify your prioritised/urgent activities (what you must carry on doing and what can wait).

 

Your need a consistent approach to measure impacts so that you can compare “apples with apples” across the organisation.

 

RTO – how quickly should you be up and running

MTPD – how quickly must you be up and running

MBCO – what level of service you need to recover to.

 

Design

The design stage of the BC lifecycle identifies the solutions to be developed that will enable the prioritised activities to be maintained and recovered within the recovery time objectives determined in the analysis stage.

 

 

What solutions do you have for the loss of staff, premises, ICT, equipment or suppliers?

 

These solutions must fit with the RTO, MBCO and MTPD (above).

 

 

Implementation

Defined in ISO 22301:2012 as “Documented procedures that guide organizations to respond, recover, resume and restore to a pre-defined level of operation following disruption.”

 

 

Where are your BC arrangements documented?

 

 

When writing your BC plans keep in mind who is it for and when is it for?

 

Document your arrangements business continuity plans (what you will do) and incident management plans (who is in charge)

 

A BC plan is a collection of documents to enable you to maintain prioritised services at a pre-determined level.

 

Validation

This stage of the BCM lifecycle requires you to develop a programme to review your arrangements and exercise your plans. The review process includes auditing and undertaking a Management Review at least annually to ensure your Business Continuity Management system is effectivity maintained. A key component of this is developing an exercising programme.

 

 

How do you know your BC arrangements work?

 

Validate the plan through exercising and your BCM system by reviewing its performance again set targets, e.g. all plan owners attend a BC briefing once a year.

 

Complete a Management Review of the business continuity management system to review its performance and scope and update the policy at least annually.

The BCI talk of the ‘art and science’ of business continuity management. The table above attempts to describe implementing the BC lifecycle in a logical, step-by-step process. It is an iterative process and perhaps should be considered as following a spiral rather than endlessly going around a circle; each iteration builds upon the experience of the previous one. To use the BC cliché, it is a journey, not a destination.

It has been said, “if you don’t know where you are going you may end up somewhere else!” Building organisational is complex because human beings are involved and the organisation, and the environment in which it operates keeps changing. So, business continuity doesn’t provide you with a definitive ‘answer’, but it does provide the framework a conversation and help build organisational resilience. Have a safe journey!

 

Martin W Fenlon FBCI

More on