In this episode of the Managing Uncertainty Podcast, Bryghtpath Principal & Chief Executive Bryan Strawser asks how you can know if your business continuity program is ready for the next disruption?
In other words, how can you evaluate your current business continuity program and tell if you’re ready for what’s next?
Topics discussed in this episode include industry standards such as ISO 22301, business continuity program evaluations, business continuity maturity models, and more.
Related Episodes & Blog Posts
- Blog Post: Evaluating Business Continuity Programs: Is your Business Continuity Program ready for the next Disruption?
- Blog Post: ISO 27031: Looking at ISO’s Disaster Recovery Standard
- Episode #91: Roles and Responsibilities in a Business Continuity Program
- Episode #93: Crisis Management Plans – What your executives really want
- Episode #96: Crisis leadership in the time of Coronavirus
Hello, and welcome to the Managing Uncertainty Podcast this is Bryan Strawser, principal and chief executive here at Bryghtpath. And in today’s episode, I want to start off by setting the stage for the discussion that we’re going to have about understanding if your business continuity program, your crisis management program, is truly ready for the next disruption. So, I want to take you back to August and September of 2017, the beginning of the most recent run of crisis situations of business disruptions around the world. We had a series of hurricanes that tore through the Caribbean and the southeastern United States. We had Hurricane Harvey, Hurricane Irma and Hurricane Maria, three of the strongest hurricanes in recent memories. They took hundreds of lives and inflicted $210 billion in combined damage between the three storms, between the Caribbean and the southeastern United States. We fast-forward just two years later as we’re still recovering, in some cases, economically from the impact of those three hurricanes and even, logistically, still challenges in Puerto Rico and other parts of the Caribbean.
And now, we’re faced with the COVID-19 pandemic, March 2020. March 11th, 2020, the National Basketball Association postpones its season with no clear idea if or when that it could resume. And then within days, companies across the country and truly around the world, sent their employees home, many of them with no clear plan of how to do their job remotely, all of this due to COVID-19 and the pandemic that we’ve all been faced with the last 15 years. And that hurricane season in 2017 and the pandemic of the last year and a half are just two of many recent examples of crisis events that have drastically disrupted business operations. So the question is, in the event of a disaster, how will you respond? And nobody enjoys thinking about crisis management or disaster recovery, outside of those of us that work in this space and do it because we enjoy the work, but nobody really wants to sit and think about these things, certainly not at all your senior executives.
But the questions that business leaders often ask sound similar. They sound like, what can we do to prepare our company to survive the next disruption? And that answer is business continuity planning. And we probably all know what business continuity planning means, but put simply, a business continuity plan is a written set of instructions to follow in response to a disruption of your business. It’s the investment you’ve made in thinking through the challenges you’ll be faced with and the information that you need and creating a plan around that. Now, here at Bryghtpath, we often use the ISO 22301 standard. It’s a widely accepted industry standard for organizational resilience and it describes the focus of a business continuity management system or a business continuity program in this way. A business continuity management system emphasizes the importance of understanding the organization’s needs and the necessity for establishing business continuity policies and objectives.
It’s about operating and maintaining processes, capabilities, and response structure for ensuring the organization will survive the disruption. It’s monitoring and reviewing the performance and effectiveness of the business continuity management system and it is about continual improvement based upon quantitative and qualitative measurements. So when you think about continuity and disaster recovery planning, the standard, the ISO 22301 standard is a blueprint. It’s a starting place, but it’s not a step-by-step instruction manual that’s been specifically tailored to your business. So what kind of events should you plan for? Well, business disruption is really any incident that disrupts your business’s normal operating procedures, temporarily or permanently.
Examples of disruptions, and we talked about this at the kickoff to this episode, it could be natural disasters, hurricanes, tornadoes, earthquakes, floods. It could be infrastructure disruptions, power outages, cyber-attacks, data breaches, data center disruptions, telecom, and internet downtime. It could be conflict or violence-driven, an active shooter incident, a terrorist attack, a riot, or other civil unrest. And it could be personnel events. It could be the loss of key employees to a pandemic. It could be executive malfeasance. It could be a liquidity challenge, but continuity planning is that intentional, ongoing process of planning how you’ll respond to disruptions of all kinds, including, but not limited to, the ones that we just talked about.
Events like this can be temporary and be resolved quickly. Others require an extended change in business processes, such as we’ve experienced during the pandemic. Events like this will test your organization’s resilience, but they’ll also reveal the strengths and weaknesses of your continuity program in real-life situations. There’s a story that we tell in emergency management about the fact that you need to build relationships prior to the disaster. In fact, the United States Northern Command Private Sector Office used to give out a challenge coin, and around the rim of the challenge coin it said, “When you need a friend, it’s too late to make one.” Well, plans are the same way.
We need to have the plans in place. We need to have thought through these challenges prior to the disruption happening. Now, nobody can plan for every possible disruption, but a strong business continuity program will guide your company’s response when you experience a disruption. So, how do you know you have a good program? Well, that gets to the crux of this episode. How do we evaluate a business continuity program? Now, here at Bryghtpath, we’re often engaged to evaluate business continuity programs, to look at the risks faced by companies, and help improve the long-term resiliency of an organization. The process we’ve developed can be used to evaluate continuity programs in businesses of any size, from a small consulting firm to a multi-billion dollar technology or utility firm. A full review usually takes between five and 10 weeks. But in every case, the process begins by defining what exactly your organization needs from a continuity program.
Here’s the process we follow, and you can use this internally as well. First, define what you need from the program. Well, sometimes companies will come to us and say, “Our executives tell us we need a world-class, we want a world-class continuity program.” In most cases, world-class is just beyond your actual needs. For this reason, we always start by reviewing the organization’s strategic goals and objectives. And we ask how a business continuity program can support these goals. We ask questions like, what is your organization’s mission and vision? Do you have particular values for the organization as a whole? What are your strategic goals and objectives? How would you define your internal culture? What are the written and unwritten rules for operating internally? What is the perception of the current business continuity program and team? And how does the business continuity program support the organization’s strategic objectives?
And I’ve talked to everyone from CEOs to chief security officers to chief information security officers, who are responding to direction from their board or the audit committee or risk committee of their board, to implement a business continuity program. But I’ve also been in meetings where the CEO is championing this initiative after an emergency management official has asked about, “Tell me about business continuity and crisis management at your company.” And the CEO didn’t know how to respond. So, once you’ve answered these questions and perhaps others that are raised as you work through those questions, the second step is to look at the documentation. As with any business plan, if things are not in writing, it doesn’t really exist. Hopefully, you already have documented processes that describe how your continuity program operates, along with defined crisis management processes for how you make decisions, how you communicate, and how you escalate situations.
But you should also go beyond your business continuity documentation and review other major business documentation too, mission, vision, and values, investor reports, SEC filing, strategic plans, your employee handbook, and documentation. You want to look, as well, at existing documentation for people or human resources and for information technology. We’re looking for information about high availability strategies, backups and recovery strategies in IT, plans for HR-driven disruptions, supply chain continuity and recovery, documentation about potential threats or risks, and key business objectives. That review will show you where you are today and give you a good foundation for a business continuity strategy that’s tied to your existing culture and strategic objectives.
The third step is to actually talk with the people involved in the program. That can include talking with program team members, stakeholders, and the leaders of critical business functions. We think of this as kind of… It’s almost like doing the business impact analysis in an interview fashion. You’re going to go out and talk with these stakeholders, with the program team, with folks who work in crisis management, with the leaders of critical business functions. These are people that we’ll also include in the evaluation process as you work to improve your organizational resilience. These interviews usually are full of open-ended questions. We’re looking for first-person accounts of how the business continuity team and others respond to business disruption.
For example, we’ve recently been asking questions like this. You’ve just spent the last 15 months dealing with COVID-19. What decisions did you and your team have to make in response to this disruption in your business? What process did you use to collaborate and make these decisions? Have there been other disruptions that you’ve been a part of managing during your time at the company? Tell us a bit about those. What plans or processes did you use during those previous disruptions? How did they help or hinder? What risks or issues keep you up at night, in terms of disruptions or crisis situations? How well prepared do you think your company is against those disruptions and crises? These interviews, as a whole, provide specific concrete examples of how your program is perceived within the company. They also illustrate how previous disruptions have been managed. That gives you valuable insights that complement what we’ve already learned from reviewing documentation.
Our fourth step is to complete a maturity model. So, once you’ve reviewed the documentation and you’ve talked with employees, you have a clear view of the continuity program at your company. Now, you can compare what you’ve learned against what the standard calls for, what the ISO 22301 standard calls for, and see how the maturity of your program stacks up. Using a maturity model as a part of your evaluation can help you compare your current business continuity program against the industry standard and spot areas of both strength and opportunity. When we’re working with a company to conduct an evaluation like this, we provide a detailed view from a maturity standpoint, using a proprietary maturity model that we’ve developed. We provide a maturity score across 98 different factors, score roll-ups across the core themes of the ISO standard, and then an overall maturity score. From there, we work to build out a roadmap, based upon your specific industry for where you should be in a year, two years, and three years forward from here. Those are, of course, our projected goals that require investment and continued maturity to achieve.
Our fifth step is to make a plan for improvement. Every continuity program evaluation that we do ends with a comprehensive report that summarizes key findings, strengths, opportunities, and recommendations for improvement. Specifically, the report has three major sections. First, observations. What are the facts we observed about the program supported by artifacts, documentation and interviews? Second, what’s the maturity model scoring? A detailed look at how the continuity program stacks up, how it scores against the ISO 22301 standard, along with strengths and opportunities. And then, third, recommendations. What are the specific concrete recommendations for actions your company could take to improve operational resilience during a business disruption?
The observations of the maturity model, together, provide context to explain the current state of the program. The recommendations give you a roadmap with concrete and measurable steps on maturing the program over time. Taking together those three steps, those three elements, rather, provide a thorough evaluation report that you can use to influence executives and stakeholders towards the investments that you need to mature your continuity program and improve your organization’s resilience.
The challenge for business continuity is that you never know when a disruption is going to happen. For that reason, we believe strongly that business continuity programs should be evaluated annually and improved, and revised to reflect new business challenges and changes to the broader business landscape. As your company’s strategy evolves, your program should evolve to ensure it continues to support your organization’s overall strategic goals and objectives.
Nobody saw the COVID-19 pandemic coming, for example, but we all had to adjust to the challenges it brought to the workplace. A strong continuity program can’t take away the risk of a disruption, but it can position your organization to react swiftly and efficiently when a disruption hits, but only if you make those investments in advance. If we can help you in any way in evaluating your business continuity program, we work with the world’s leading brands, public sector agencies, and complex nonprofit organizations to strategically navigate uncertainty and disruption. You can learn more about Bryghtpath’s capabilities and contact us at bryghtpath.com/contact. That’s it for this episode of the Managing Uncertainty Podcast. We’ll be back next week with another new episode. Be well.