Good Practice Guidelines 7.0: Building an understanding of business continuity
This month, we are releasing a series of articles highlighting the updates to the upcoming Good Practice Guidelines (GPG) Edition 7.0, ahead of its launch on 1st November 2023.
The GPG Edition 7.0 marks the start of a new journey where the document will be reviewed every year. This means that the GPG can better reflect the changing practices of the business continuity and resilience industry as they happen.
The new GPG consists of six professional practices, split into two management practices and four technical practices. These provide a structure to be used in the development of a Business Continuity Management System. In this article, we will be focusing on the revisions to Professional Practice Two — Embracing Business Continuity.
This professional practice is one of the first encountered in the GPG because before you can start to introduce the technical practices of the Business Continuity Management System such as the business impact analysis (BIA), it is important to first consider how the mindset of an organization can influence the quality and sustainability of the organization’s resilience.
Professional Practice Two (PP2) — Embracing Business Continuity
As those familiar with the GPG 2018 Edition will notice, the title of the professional practice has been revised from Embedding Business Continuity to Embracing Business Continuity which reflects an overall change in approach to this practice.
In the GPG Edition 7.0, the focus of PP2 is to enable an organization to improve its business continuity culture. This pursuit is an intentional move away from mandating and enforcing compliance with a policy through the process of embedding business continuity into an organization.
Embracing Business Continuity supports a process of education and awareness of what is at stake and who will be impacted should a disruption strike. It reminds all staff (not just those involved in the Business Continuity Management System) and reinforces why the organization exists – what is its purpose and how people rely or depend on its products and services. Once this is consciously accepted, the organization becomes proactive and self-reliant in ensuring its business continuity capabilities, procedures, and competencies are fit for purpose. This allows the policy and audits to be tools for measuring recognition, not sticks for inflicting directives and change.
In support of this, the group leader for PP2 states that, before you can begin to change minds within the organization, you first need to understand where your business continuity culture is currently. “Is it a progressive organization? Is it collegiate and cohesive or siloed and politically territorial? Is it open to change? Is it flexible or not?”
When the professional understands where the organization currently is, they can work on how to improve its business continuity culture and in doing so, influence the organizational culture. Indeed, the assessment of business continuity culture can also provide insights into the organization’s approach to other resilience disciplines, such as cyber and risk. We can then use the understanding of the existing business continuity culture to help implement similar approaches to help the organization embrace other management disciplines, adds the leader.
To further explain the changed approach in PP2, the group leader refers to the process required for embedding business continuity. That is, setting a policy, getting leadership approval, introducing it into the organization, and then mandating participation in the programme. However, the group leader notes that this process does not necessarily make business continuity a priority within an organization. Indeed, as personnel may not be committed to the process, this lack of support or interest in good business continuity practices throughout the organization could result in the programme lacking quality.
“For me, this is because there's no emotional investment in business continuity. Personnel may not understand the real reason an organization needs to protect itself,” says the professional practice leader.
In contrast, Embracing Business Continuity is a process where the organization voluntarily invests in the programme in a manner that goes beyond meeting mandated requirements. The overall vision for this refreshed Professional Practice Two is to change the organizational mindset regarding business continuity. “Performing business continuity practices because you’re required to doesn't necessarily make it a more resilient organization, and so the principle is to change the mindset and become more resilient by ensuring that everyone understands and believes why the organization must have protection from disruption.”
Through this, we can improve the quality of business continuity programmes and better protect our organizations. For instance, an outcome of Embracing Business Continuity would be an awareness of the role of business continuity in an organization to such a level that staff proactively seek out and engage with the business continuity team to share information about upcoming organizational changes, and how the team can help them prepare for any potential disruption stemming from those changes.
A change in structure
To assist with the change in focus for this professional practice, it has been necessary to redesign the structure and layout of this essential aspect of the Business Continuity Management System within the GPG. One of the reasons for this is that implementing changes to adapt the culture of the organization requires a different approach to the other Professional Practices in the document, where it is more appropriate to be strategically prescriptive. Therefore, in the GPG Edition 7.0, there will be subheadings in PP2 that refer to understanding and measuring the business continuity culture within an organization, for example.
“Cultural change takes time. It might take a few cycles through the Business Continuity Management System before the organization shows signs of embracing business continuity. For that reason, the style of Professional Practice Two was intentionally written differently and sequenced before the technical practices” says the group leader.
The next article
The next article in this series will explore some of the revisions within Professional Practice Three (PP3).
Download the Good Practice Guidelines Edition 7.0
More on
About the author
Kieran Matthews
Content Creator, The BCI
