In the event of a significant disruption to your organization, how will your company respond?
But this much is certain: your business will face unexpected disruptions.
Understanding how your program and capabilities stack up is the first step to being able to mature your program – even if you don’t have a formal business continuity & crisis management program today.
In this episode of the Managing Uncertainty Podcast, Bryghtpath Principal & Chief Executive Bryan Strawser shares our Resiliency Diagnosis process – our approach to helping you understand where your program stands through a thorough standards-based program evaluation.
Related Episodes & Blog Posts
- Our Resiliency Diagnosis process
- Case Study: Transforming a Major Utility Crisis Management & Continuity Strategy
- Article: Evaluating Business Continuity Programs – Is your Business Continuity Program ready for the next Disruption?
- Episode #121: Metrics for Success in your Business Continuity Program
- Episode #123: Plan Do Check Act and your BC Program
- Episode #125: What is resilience?
Hello and Welcome to the Managing Uncertainty Podcast. This is Bryan Strawser, Principal and Chief Executive here at Bryghtpath. And in this week’s episode, I want to ask, at your company, when you’re facing a disruption to your organization, how do you know how your company will respond? I don’t think anybody enjoys thinking about business continuity, disaster recovery, crisis management, or reputation management, other than people like me. But I am certain that your business will face unexpected disruptions at some point.
And at that point when that happens, understanding how your program and capabilities stack up is the first step to being able to mature and grow your program. Even if you don’t have a formal business continuity and crisis management program today. Even if you don’t have a program, you probably at least have some capabilities related to this, even though you may not realize that.
So, we have an offering here at Bryghtpath, the resiliency diagnosis. And we think that’s the perfect way to advance your business continuity crisis management or disaster recovery program. It’s a thorough standard based review that culminates in a full evaluation report, maturity model scoring, and very clear recommendations for improvements for your program. You come out of this, knowing exactly where you stand and how to go about rapidly improving the current state of resiliency in your organization.
We use a proprietary assessment process that follows the ISO 22301 security and resilience standard for business continuity, along with the several related ISO standards that are in that category at ISO. And if you’re not familiar with them, the ISO standards are the most widely accepted global standards for business continuity and crisis management.
How does this work? Well, the resiliency diagnosis is typically a four to eight week process and we have a very defined approach and methodology. It starts with alignment, which is a 60 to 90 minute discussion, takes one day, one calendar day, 60 to 90 minutes of time, where we have a brief call with you and your stakeholders and your decision makers, and we align and scope out the details and the engagement based upon our approach.
We also give you a detailed list of documents that we’re going to want to review as a part of our pre-work. We then take a week on our end for pre-work. We do an in-depth review of your current program, strategies, policies, plans, and other documents that you’ve provided to us to understand your organization’s current capabilities, needs, and challenges. From there, we take two to four weeks to complete discovery. In this phase, we’re meeting with your key executives and stakeholders to understand their view of risk, your current program and capabilities, and your organization’s needs. We then dive more deeply into your current program and capabilities to see exactly what makes things tick in your organization.
These discussions often lead us to request additional documents to review or meetings with other stakeholders to gain deeper insights. We typically do these discovery meetings virtually, but in person options are also available. And the length of this phase really depends on the complexity, the size of your organization, and your scheduling efficiency for discovery meetings.
We’ll do discovery meetings back to back to back as often as we can, but that will really depend on your organization’s ability to schedule meetings in that way. From there, we take about two weeks to draft our diagnosis report. We begin crafting and iterating the resiliency diagnosis report and during that time, we check in weekly and check in with reviews with the project team. And we often find here that there may be other documents or artifacts that we want to look at, and occasionally may want to conduct some discovery conversations with stakeholders, leaders, and partners to clarify our observations.
We then enter a week of iteration and review with you. Once we’ve completed all discovery iteration activities, we meet with you and your team to present an initial overview of our observations and recommendations. Our review’s conducted in an open and iterative manner. Our intent is to strengthen the report to align with your organizational expectations and strategic business objectives. We then take some time to create a final version of the resiliency diagnosis report based on the outputs of those review conversations.
And then we’re at the end. We take a day to present our diagnosis. We’ll present a set of virtual or onsite presentations to as many different audiences as are needed to help you move your strategy forward. A lot of the times, our audience is your CEO, their direct reports, and members of the board of directors. We’ll work with you to define the audiences that make the most sense as a part of finalizing and aligning the scope of the engagement.
We find these presentations are most effective when our experts present the resiliency diagnosis report directly to your stakeholders and executives. Because we are most familiar with our methodology, our observations and our recommendations, and we’re able to respond to questions and challenges through the extensive experience that we’ve gained in this space.
We then take a day to wrap up. We turn over all work product in written and electronic form, including our meeting notes, our documents, and our other evaluation materials. So, what do you get in a resiliency diagnosis? You get five things. You get a comprehensive written resiliency diagnosis report that covers our observations and recommendations. You get an executive summary that is suitable for sharing with senior executives and boards of directors. You get a proprietary ISO 22301 based maturity model that shows your overall program maturity across multiple factors. You have a presentation slide deck that highlights our resiliency diagnosis report, observations, and recommendations, and you get our Bryghtpath led presentation sessions for your stakeholders, executives, and other leaders.
We want to limit those to about six hours, but that’s typically the amount of time that we spend in those sessions. As we go through the resiliency diagnosis together, we’re working together. We’re having weekly engagement status calls. We have access to a shared channel in Slack with regular business hours access to our team. You have 24/7 access to monday.com, which is where we manage and track all the details of the project, and we give you immediate access to our interview notes through Notion, our cloud-based collaborative note taking tool that lets you see the questions we ask, the notes we took, the documents we received and even be able to review a transcript and a recording of the call.
Now after the diagnosis, we’ve obviously given you some recommendations and we can work with you on implementing those recommendations from our diagnosis, if you choose to do so. It’s not a requirement. Now we’d obviously love to work with you on further maturing and improving your program. Following the wrap up of our effort, we’ll provide you with a straightforward proposal to help you implement our recommendations. That follow on work though, as I said, is optional. Most of our resiliency diagnosis clients though engage with our team to then implement those recommendations and further mature the program.
There are situations where this is the right choice for you, where this kind of resiliency diagnosis can be most effective. And it’s when companies fit these four statements. You’re a mid to large size complex organization. Nonprofit, privately held, publicly traded. The important part is that you’re committed to rapidly establishing or maturing your crisis management business continuity and crisis communications program. That you’re willing to allow our team unfettered access to your existing documentation, the right stakeholders and executives to accurately diagnose the current state of resiliency across your organization and suggest the best solutions that can lead to real change.
You should be a company that’s willing to be strongly engaged from the very beginning. Listening and reading with intense focus and jumping into action after our report is delivered. And lastly that you’re a company and a group of leaders that is open to a different perspective. One that comes from experienced deep subject matter experts, and that you will allow that perspective to be presented to your executives and your stakeholders directly by our team.
That is when this resiliency diagnosis is the most effective for a company. There are other options that we can talk about from a resiliency diagnosis perspective. Sometimes companies will have us include a criticality and impact analysis. This is a lightweight business impact analysis, where we build out a review of functions across the organization to determine a list of critical functions or processes or capabilities and we measure the impact of a disruption to those processes. We do this at a department or team level and we do it through a survey tool with some discovery conversation.
The second option that is sometimes chosen is when you have a newer leader for business continuity and crisis management, and you want to get them some help in terms of private coaching. Where we want to help them be better at influencing and improving their performance of the program, get the program unstuck and moving forward. I personally do the private coaching with those leaders. We do this on a quarterly, bi-annual, and annual basis. And then lastly, in some cases we work with clients on an advisory retainer, meaning that you secure ongoing access to our experts to assist with strategy and improving your program maturity on the monthly, quarterly, or annual basis. We’re a gut check to help keep your organization focused on the target.
I should point out that this is advisory work only. It’s strategic work. We’re answering questions. We’re providing advice. We’re not doing any hands on work in those situations. But those are three common options that our clients look at when it comes to the resiliency diagnosis. If this is something you’re interested in, we make this as easy as possible. It takes about 30 minutes to have a brief conversation and scope through what an engagement like this could look like. We use that time to understand your current situation, if we’re a good fit together, and how we can help you. And then within a day, we give you a very straightforward proposal to execute on this. We can often get started within a week or two, and we flat fee these engagements.
We just need to have that initial conversation to really get things started. If you’re interested in learning more, or this sounds like something you’d like to do, check out our website at bryghtpath.com/resiliencydiagnosis, all one word, or you can find this on our navigation menu under our business continuity services. That’s it for this edition of the Managing Uncertainty Podcast, we’ll be back next week with another new episode. Be well.