Business Continuity Policy & Programme Management – so much more than audit evidence
In the next instalment in this series in which Resilience professionals take an in-depth look at the Good Practice Guidelines, Katherine Bosworth, Business Continuity Manager at Marks and Spencer, discusses BC "first dates" and how to turn these into supportive stakeholder relationships.
All too often I have mentioned Business Continuity in conversation and seen people roll their eyes and say “oh I get emails about it, but I don’t read them” or “I’m doing things that are really bringing value to a business, I don’t have time to plan for a tsunami that destroys the office” (stated a friend who works in Birmingham). It leaves me with a heavy heart as I feel Business Continuity can be an incredibly valuable, relevant and engaging part of any business if the programme is created and implemented in the right way. The BCI’s Good Practice Guidelines (GPG) states that the BCM programme needs to have 3 different levels – strategic, tactical and operational – so that decisions and policy are determined, operations are managed and activities are undertaken, the same as in any area of any business. Although Business Continuity may not be seen as the heart of a business in the way central operations are, there is no reason why it should operate any differently; there are customers and BC needs to understand their needs and deliver the goods to be sustainable.
Documenting the Business Continuity policy is an excellent opportunity to review and build on the previous year. If you are setting up a new programme, it is the perfect opportunity to talk it through with stakeholders in the business; if it is a review of a current policy, a gap analysis can really expose opportunities that can be worked on. The policy needs to be circulated to senior management, who will have roles and responsibilities within it, which means this document needs to be concise, with clear reasons why it is being implemented, to support stakeholders and keep eye-rolling to a minimum.
For me, the review and circulation of the policy is a great time to identify further opportunities as to how BC can support the business further – review what is good and what can be better through a SWOT, PESTLE and benchmarking against other programmes. We put all the methods we use to support the policy update into a deck, along with the strategy for the next 3 years, and circulate it to senior stakeholders to gain a stronger buy-in and understanding of the vision we have and how it will support the business and ultimately support their role too.
It always comes as a shock to me to hear so much about ‘audit fear’ when it comes to BC and how people feel the need to complete so much documentation that is shared with no one and not seen as relevant – but at least it’s there in case of an audit. This kind of mentality, I fear, is causing the eye-rolling from other colleagues and decreasing the perceived value of the function. Having been on the receiving end of a very thorough audit, I can understand some nerves of the unknown, but it transpires that if you have evidence of a well-governed, relevant programme that senior stakeholders are involved in and support, then you will come out unscathed. In describing the policy, the GPG states “it provides the context in which the required capabilities will be implemented and identifies the principles to which an organisation aspires and against which its performance can be audited”, which is a very powerful statement to accept and to build on. Governance is the glue that holds this function together, but I have found that if you follow the key stages and really think about how to make this relevant to your challenges, it is absolutely an enabler rather than something to hold back progress. My experience of our governance framework, which closely follows the GPG guidance (in a highly flexible way that supports the way we work), and of audit is that the evidence they are looking for is how it is used, tested and engaged – not just whether you have a document in the filing cabinet.
Business Continuity and engagement. A perfect match, even though some areas of the business relentlessly try to swipe left on you. It’s difficult sometimes not to feel deterred by this rejection, especially when you know you can ultimately add so much value to them. When you feel this happening repeatedly, it’s time to think about changing your profile picture and the tired chat-up line in your bio, and making sure you use your first date to show them what you can offer them.
As I mentioned previously, all the plans in the world don’t count for anything if you haven’t got engagement and buy-in from stakeholders. It’s a really difficult thing to stay on top of (I find) because the business is so busy in its day to day running and you need to strike a balance of getting what you need to stay on track with the programme and also fitting into stakeholders' diaries, especially as you often need to bring several busy stakeholders together for document sign-off or exercising.
The GPG states “the organisation needs to ensure that top management demonstrate positive leadership with respect to BC”. We make sure we reach out to stakeholders consistently through the year, not just when we need them, and time is put in every new senior stakeholder's diary when they join so we can talk them through the programme with an “exec deck” pack, how we can support them and what to expect if they are involved in an incident. We have found that should they have concerns about things not going to plan, or simple questions they aren’t sure who to ask, they will pick up the phone and ask the BC team.
In our annual review of the programme we check we are aligned to the business values and objectives, how we can improve on that and which areas of the business we can be more engaged with. We hold quarterly committees with the plan owners of each business unit to talk about what we have done, propose new ideas and encourage feedback on what would work best for them. Taking stakeholder engagement from first dates to a relationship takes a lot of work, with compromise and frustration along the way, but if you give the time to supporting them day to day (need someone last minute to come and speak at a huddle – no problem, we’ll be there; had a phishing email and not sure what to do – it’s not in our remit but let me put you in touch with the right person) life becomes so much easier and you can achieve so much more.
About the author
Business Continuity Manager