Evaluating Business Continuity Programs: Is your Business Continuity Program ready for the next Disruption?

Is Your Business Continuity Program Ready for the Next Disruption?

A series of hurricanes tore through the Caribbean and the U.S. southern states in August and September of 2017.

Harvey, Irma, and Maria took hundreds of lives and inflicted $210 billion in damage.

On March 11, 2020, the National Basketball Association postponed its season with no clear idea of if or when it would resume.

Within days, companies across the country sent employees home — many of them with no clear plan for how to do their jobs remotely.

The reason?

COVID-19.

The 2017 hurricane season and the global pandemic are just two of many recent examples of crisis events that drastically disrupted business operations.

Preparing for Disruption

In the event of a disaster, how will you respond?

No one enjoys thinking about crisis management or disaster recovery. But this much is certain: your business will face unexpected disruptions.

As experts in business continuity, we often get calls after crisis events. The questions business leaders often ask sound similar. They sound like this:

• What can we do to prepare our company to survive the next disruption?

The answer?

Business continuity planning.

What Is Business Continuity Planning?

Put simply, a business continuity plan is a written set of instructions to follow in response to a disruption of your business.

For formal standards, we use ISO 22301, a widely accepted industry standard for organizational resilience. It describes the focus of a business continuity management system (BCMS) as follows:

A BCMS emphasizes the importance of:

• understanding the organization’s needs and the necessity for establishing business continuity policies and objectives;

• operating and maintaining processes, capabilities, and response structures for ensuring the organization will survive disruptions;

• monitoring and reviewing the performance and effectiveness of the BCMS;

• continual improvement based on qualitative and quantitative measures.

When you think about continuity and disaster recovery planning, the ISO 22301 standard is a blueprint. It’s a starting place, not a step-by-step instruction manual specific to your business.

What Kinds of Events Should I Plan For?

A business disruption is any incident disrupts your business’ normal operating procedures — either temporarily or permanently.

Examples of disruptions from recent years include:

• Natural disasters (examples: hurricanes, tornados, earthquakes, floods, severe winter storms)
• Infrastructure disruptions (examples: power outages, cyber-attacks, data security breach, data center disruptions, telecom and internet downtime)
• Conflict and violence (examples: active shooter, terrorist attacks, riots)
• Personnel events (examples: absence of key employees, executive misconduct)

Continuity planning is the intentional, ongoing process of planning how you will respond to disruptions of all kinds, including — but not limited to — the ones listed above.

Some incidents are temporary and can be resolved quickly. Others require an extended change in business processes (for example, the COVID-19 pandemic).

Events like these will test your company’s resilience — and they’ll reveal the strengths and weaknesses of your continuity program in real-life situations.

No one can plan for every possible disruption, but a strong business continuity program will guide your company’s response when it experiences a disruption.

How to Evaluate a Business Continuity Program

We are often engaged to evaluate business continuity programs, evaluate the risk faced by companies, and help improve the long-term resiliency of an organization.

The process we’ve developed can be used to evaluate continuity programs in businesses of any size — from small consulting firms to multi-billion-dollar utility companies.

We call our proprietary process the Resiliency Diagnosis.

A full review takes between four and eight weeks, but in every case, the process begins by defining what — exactly — your organization needs from its continuity program.

Here’s the process we follow:

1. Define What You Need from the Program

Sometimes a company executive will say: “We want a world-class continuity program.”

In most cases, “world-class” is beyond the company’s actual needs.

For this reason, we always start by reviewing the organization’s strategic goals and objectives, and we ask how a business continuity program should support those goals.

To do this, we ask questions such as:

• What are your organization’s mission and vision?
• Are there particular values for the organization as a whole?
• What are the organization’s strategic goals and objectives?
• How would you define your internal culture? In other words, what are the written and unwritten rules for operating internally?
• What is the perception of the current business continuity program and team?
• How does the business continuity program support the organization’s strategic objectives?

I have received calls from chief executive officers, chief security officers, and chief information security officers responding to directions from the board of directors or a board-appointed audit committee to implement a business continuity program.

I’ve also been in meetings where the CEO is championing the initiative after an emergency management official asked about business continuity and crisis management — and the CEO wasn’t sure how to respond.

2. Review Company Documentation and Artifacts

Step two is to review your documentation.

As with any business plan, if it’s not in writing, it doesn’t really exist. Hopefully, you already have documented processes that describe how your business continuity program operates, along with crisis management processes for decision making, communication, and escalation.

You should also go beyond your business continuity documentation and review any major business documentation, including:

• Mission, vision, and values

• Investor reports
• Strategic plans
• Employee handbooks and documentation

Look at your existing documentation for people as well as information technology. We look for:

• Information about high-availability, backup, and recovery strategies in IT
• Plans for human resources disruptions
• Supply chain continuity and recovery strategies
• Documentation of potential threats
• Key business objectives.

This review will show you where you are today, creating the foundation for a business continuity strategy tied to the company’s existing culture and strategic objectives.

3. Talk with Everyone on the Team

Step three is to talk with the people involved in the business continuity program, including program team members, stakeholders, and leaders of critical business functions. These are the people we’ll include in our evaluation process as you work to improve your organizational resilience.

These interviews tend to be full of open-ended questions. You want to hear first-person accounts of how your team responds to business disruptions.

For example, we’ve recently been asking questions such as:

• You just spent 15 months dealing with COVID-19. What decisions did you and your team have to make to respond to the disruption in your business? What process did you use to make these decisions?
• Have there been other disruptions that you’ve been a part of managing during your time at the company? Tell us a bit about those.
• What plans or processes did you use during those previous disruptions? How did they help?
• What risks or issues keep you up at night in terms of disruptions or crisis situations?

These interviews provide specific, concrete examples of how the program is perceived within the company. They also illustrate how previous disruptions have been managed, providing valuable insights that complement what we’ve already learned reviewing documentation.

4. Complete the Maturity Model

Once you’ve reviewed your documentation and talked to employees, you’ll have a clear view of the business continuity program at your company.

Now you can compare what you’ve learned about your current program against the ISO 22301 standard and see how the maturity of your program stacks up.

Using a maturity model as a part of your evaluation can help you easily compare your current business continuity program against the industry standard in ISO 22301 to spot areas of strength and opportunity.

When we’re working with a company to conduct an evaluation of its program, we provide a detailed view from a maturity standpoint using a proprietary maturity model we’ve developed.  We provide a maturity score across 98 factors, score roll ups across the core themes of ISO 22301, and an overall maturity score.

From there, we provide a roadmap, based on your specific industry, for where you should be in the next year, two years from now, three years from now, and so on.

5. Make a Plan for Improvement

Every continuity program evaluation ends with a comprehensive Resiliency Diagnosis report including key findings, strengths, opportunities, and recommendations for improvement.

Specifically, the report contains three major sections:

1. Observations: The facts you observed about the program, supported by artifacts, documentation, and interviews
2. Maturity model score and overview: A detailed look at how your continuity program scored against the ISO 22301 standard — along with strengths and opportunities
3. Recommendations: Specific, concrete recommendations for actions your company could take to improve operational resilience during a business disruption.

The observations and maturity model scoring provide context for the current state of your business continuity program.

The recommendations then provide a roadmap with concrete and measurable steps on maturing the program over time.

Taken together, these three elements provide a thorough Resiliency Diagnosis evaluation report to influence executives and stakeholders towards the investments needed to mature your business continuity program and improve your organization’s resilience.

The Business Impact of a Strong Continuity Program

The challenge with business continuity is that you never know when a disruption will happen.

For that reason, we believe strongly that business continuity programs should be evaluated annually and improved and revised to reflect new business challenges and changes to the broader business landscape. You can learn more about our approach to Business Continuity in our Ultimate Guide to Business Continuity.

No one saw the COVID-19 pandemic coming, but everyone had to adjust.

A strong continuity program can’t take away the risk of disruption, but it can position your company to react swiftly and efficiently when a disruption hits.

Learn more about our proprietary Resiliency Diagnosis process and setup an initial call today.