Using the Good Practice Guidelines
In the first in a new series in which Resilience professionals take an in-depth look at the Good Practice Guidelines, Catherine Dolle-Samuel, Business Continuity and Resilience Specialist at the University of New South Wales, examines the GPG and its place within a resilient organization.
The GPG is invaluable when you first work in business continuity. It really guides and informs your knowledge, thinking and in my experience, an organisation’s program. In fact, when I first worked in the sector, I used it in tandem with the relevant financial services regulations that our organisation was bound by.
The Good Practice Guidelines are also important for the executive in your organisation. Sure, organisations usually want to make sure they are being guided by ISO standards or regulations in particular industries or sectors, but the GPG is the practical component that they can relate to and understand. From my perspective, the GPG is essential in tandem with other regulations and standards to inform and guide in a more practical way.
At the moment, I am using the GPG as an integral part in training in business continuity & resilience at the University of New South Wales. We have a large and diverse group of people with some small (or larger) portion of their role having business continuity responsibilities. Our program is developing in maturity and is not yet at the embedded stage. The GPG provides a great support to the training and guidance I provide to those people. Given we operate in an academic context, the GPG also works well for those that love following a clear and documented process or understanding the intellectual context for the program we are running.
In this regard, the GPG reinforces our own program in that aspects of our BIA, risk assessment, etc are mirrored in the approaches recommended in the GPG. This provides reassurance to the executive and business continuity champions that our program reflects good practices and is aligned with something bigger than my own plan!
For me, the GPG alone does not relate to embedding resilience though. Resilience is a bigger concept, more strategic, operating across multiple parts of the organisation. It may help our business continuity program improve the University of New South Wales' resilience by making improvements at post BIA analysis, or by having workable BCPs that are exercised, but not the organisation’s resilience. In that regard, I usually refer to the Australian Attorney-General’s department guides, or the metric tool the 20/20 Think Tank on Organisational Resilience developed (and of which I was a part).
This doesn’t detract from the Good Practice Guidelines though – while the BCI should continue to provide thought leadership and work towards organisation resilience, the real value of the GPG is in its practical, how-to approach implementing a business continuity program.
Lastly, but not least important, the GPG has loads of nifty little graphics that I use as examples and images within our organisation’s own documentation.
About the author
Business Continuity & Resilience Specialist, University of New South Wales (UNSW)