“Good is the enemy of great. And that is one of the key reasons why we have so little that becomes great.”
In his book, aptly named “Good to Great,” Collins uses this principle to explain why so many, from schools, government, and businesses, to individual people—squander their potential and stay stuck in mediocrity.
I know this is equally true for a lot of business continuity professionals and their programs.
While I’m not advocating that every business continuity program should strive for greatness (although maybe in my business continuity nerd way I secretly am), I cringe to see so many be content with their rigid and outdated spreadsheets and Word docs approach to business continuity when with a little bit of effort, the right plan, and the right help, they can do so much more.
Still, whatever it is—moving from the L.A. burbs to small-town Tennessee, doing date night at the Thai Table instead of Jolene’s Cafe, or God forbid swapping your Levi’s 505s for 501s—change is scary and in the beginning, often hard.
We also know that this is equally true when standing up or modernizing your organization’s business continuity program. So our aim here is to take some of that scare factor away.
Here, we talk about the key elements of a strong business continuity program, what it takes to get started, and how we work with our clients to ensure long-term business continuity program success.
What’s a business continuity program and why do I need one?
Business continuity is a rapidly evolving discipline, so there’s understandably still a lot of confusion about what a business continuity program really encompasses. Google “what is a business continuity program” and you’ll see what I mean.
Sometimes the best way to understand something is by understanding what it’s not.
And a business continuity program is not:
- A business continuity plan (standing alone)
- An IT disaster recovery plan
- A software subscription
- An insurance policy from your insurer
- Filling out a template and checklist and putting your staff through a one-hour click-it and forget-about-it web-based training module
While these are all important pieces of a business continuity program (although arguably not insert-fork-in-eyes web training), they are not in themselves a comprehensive and effective business continuity program.
So then, what exactly is a business continuity program and what does it take to make sure your’s gets the job done?
Most simply, we think of business continuity planning as the discipline of making your organization more resilient, or able to solve big problems.
A business continuity program is the means by which you embed this discipline into your organization to build your capacity to prevent, withstand, and recover from unplanned disasters and adverse events. In the face of disruption, it ensures that you can continue operations and protect your most important assets, especially your people.
In today’s world—hello climate change, pandemics, and cybercrime—having a good business continuity program is all but negotiable. Here are the key components that yours should include.
The 3 Core Components of a Good Business Continuity Program
Let’s take each in turn.
If a tornado churns through your city or a disgruntled employee launches an assault at your workplace, will your people know what to do?
Whether it’s calling 911, taking evasive measures, or reporting to a safe rally point, your emergency procedures make sure that your people know exactly what to do in the face of a crisis.
Your emergency procedures should include a clear actionable checklist of steps to follow, including contacting emergency services, taking immediate steps to minimize the threat and protect human life, and who to contact within your organization to escalate the incident.
While each checklist is built on the same foundation, some of the steps on your checklists will vary depending on the type of emergency you are responding to. Ideally, you should have emergency procedures designed for each of your locations, events, and meetings, in addition to specific checklists for each type of potential situation, like an active shooter, bloodborne pathogens, fire, fatality, etc.
Even the most excellent emergency procedure is useless if your people don’t know about it or where to find it. After creating emergency procedures for each applicable scenario, you should make sure that each is labeled, organized, and stored in an easy-access location of which all employees are made aware. While a binder of laminated checklists can suffice, we like to provide our clients with a custom pocket guide app available on iOS and Android to ensure that all their employees have quick access to their emergency procedures.
Crisis Management Framework
Aside from not really having a plan, one of the biggest problems we see in crisis management is having too many plans. When companies don’t have a coordinated approach, various organizational components develop their own to fill the void. But taking a siloed approach to crisis management often leads to confusion, frustration, and a less than effective crisis response.
That’s why every organization should have a flexible crisis management framework that provides a unified approach to incident escalation, communication, and decision making. Once an all-hazards crisis management framework is put into place, specific annexes (plans) can be developed that address known risk/threat scenarios specific to your organization, such as active shooter, data breach, or major hurricane.
Business Continuity Plans
A business continuity plan is the tangible culmination of the business continuity planning process–it’s your roadmap to organizational resilience. It’s the core component of an overall business continuity lifecycle that includes elements like the business impact analysis (BIA), training, risk assessment, and exercises.
Common components of a business continuity plan include:
- Mission and objectives
- Roles and responsibilities and contact information for the business continuity team and other important business continuity stakeholders
- Plans, procedures, and appendices that detail the actual crisis response
- Training, testing, and an after-action process to capture insights about lessons learned
If I can emphasize just one thing about the business continuity plan, it’s that it should be thought of as a process – part of an overall business continuity lifecycle, not as an inanimate and fixed binder of spreadsheets and checklists that sits on a dusty shelf until the “boom” actually hits. Operations and environments change, people come and go, and threats continue to evolve. So just like any good road map, your business continuity plan should be tested, evaluated, and modified over time so that you get to your destination in the safest and most efficient way.
In creating a business continuity plan for our clients, we embed the business continuity lifecycle into the annual activities of the organization to ensure that it evolves and matures over time to address newly emerging threats, changes to your organization, and your increased capabilities as you continue to exercise and hone your organization’s resiliency muscles.
Here’s a snapshot of how we think about business continuity planning as a process, rather than a discrete endpoint:
How do I start a business continuity program for my business or nonprofit?
Your business continuity program is your roadmap to resiliency. If you want to safely land in resilience town, you need to know where you’re starting from.
We begin every business continuity planning engagement with a baseline assessment using our Resiliency Diagnosis process to determine:
- What are your organization’s mission, vision, and culture around business continuity planning?
- What are your current capabilities?
- How does your organization currently collaborate and make decisions in critical moments?
- What important strategic initiatives and critical functions does your business continuity program need to support?
- How long can critical functions be disrupted before impact is unacceptable to core operations?
- What are your dependencies on technology, third-party services, facilities, workforce, and other internal teams?
We use the information and observations from this assessment to create our specific recommendations for program build-out and to create a roadmap for implementing the business continuity program.
The “build” phase of your program should start by outlining and assigning key roles and responsibilities, including your steering committee and program sponsors, determining what industry standards you want to align with, like ISO 22301, and creating your foundational business continuity policies and procedures.
With these foundations in place, you can then begin to build out each of the capabilities that we described in more detail above—emergency procedures, crisis management framework, and business continuity plans.
Each organization, depending on size, structure, and experience, will have a different capacity to build and implement new business continuity capabilities. Some are able to build the crisis management components of their plan alongside the business continuity lifecycle components at the same time. But smaller organizations may struggle to do this all at once. In this case, you might want to focus on first building out your crisis management framework and then building the business continuity program elements that support that crisis management framework in a phased approach.
In assessing the right approach for your organization, these are some of the key things involved in building out both the crisis management and business continuity components of your program:
Crisis Management Components:
- Develop your crisis management framework, plans, templates, checklists, and other necessary documentation
- Train team members on the new crisis management framework/plan
- Conduct a crisis management tabletop exercise to build confidence and muscle memory in the new process
Business Continuity Program Components:
- Develop all necessary programmatic documentation, including policies, framework, standards, how-to guides, business continuity program lifecycle documentation, etc.
- Develop and document all strategies for business impact analysis and business continuity program planning, training, and exercises
- Facilitate business continuity lifecycle activities for all identified critical functions, including the business impact analysis, business continuity plans, individual training, and group tabletop exercises.
As much as I love helping my clients ace their business continuity objectives, I do someday look forward to retiring or at least having the option to if I so choose. So I make regular deposits into my 401K and other investments and adjust these periodically to ensure I am on target to reach my savings and retirement goals.
Your business continuity program is no different. If you want to get the most out of your investment in business continuity planning, you need to make continuous investments into your program and also have a system in place to ensure that you review, evaluate, and improve it.
To help our clients do this, Brygthpath uses industry best practices aligned with the ISO 22301 Standard to embed a closed-loop cycle of process improvement into every business continuity plan that we design. This ensures that your program will evolve and mature to respond effectively to changes in your operations and the threat environment.
In maturing and improving your business continuity program, you should have a process and methodology to ensure you do all of the below on an annual, if not more frequent, basis:
- Review the criticality of specific functions across the organization because of changes to operations, structure, or new strategic initiatives
- Update your business impact analysis (BIA)
- Update business continuity plans or create new ones, if needed
- Conduct training and exercises to validate new and existing plans
- Understand and address identified gaps in crisis management and business continuity plans
Your next best step to business continuity program success
Are you ready to move your business continuity program from good to great?
Bryghtpath can help.
Our Resiliency Diagnosis process gleans the best of our collective 50 years of experience helping Fortune 500 companies and large nonprofits successfully build and mature their business continuity and crisis management capabilities to respond to emergent crises and threats.
With customized help from our tight-knit team of business continuity experts, we can help you ditch the “scare factor” in modernizing your continuity capabilities so you can face your next crisis (or board meeting) with confidence.
Learn more about our approach and thought process around business continuity in our Ultimate Guide to Business Continuity.
Contact us today for a discussion about how we might be able to work together.