As your company’s newly assigned head of global security, you’ve just been informed that running your organization’s business continuity program falls squarely within your role. But what is business continuity?
Sure, you’re a battle-tested veteran in managing security for large-scale enterprises. Business continuity? Not so much. The revelation leaves you feeling a lot like that time you signed your kid up for pee-wee soccer and somehow ended up as the team coach. But now the stakes are astronomically higher.
You need to quickly move on from “how did we get here” to “now what?”
If you’re a newly minted business continuity program owner who doesn’t know the first thing about business continuity and is wondering, “where should I start,” you’re far from alone in your experience. Here, we unpack the basics so you can take the reins of your organization’s business continuity program with clarity and confidence.
What is Business Continuity, and Why Does it Matter?
There are many misconceptions out there about what makes up business continuity—a software subscription, an IT disaster recovery plan, checking the boxes on an off-the-shelf template. While these are all inarguably important parts of a business continuity program, these exercises will do little to build your organization’s resilience in isolation.
That’s because organizational resilience is the sum of many pieces, parts, people, and processes that are continually evolving and changing. Those pieces and parts require coordination, refinement, and improvement over time. That’s why we like to think of business continuity as the discipline of making your organization more resilient or able to solve big problems—and your business continuity program as the means by which you embed this discipline into your organization to build your capacity to prevent, withstand, and recover from unplanned disasters and adverse events.
Your business continuity program ensures that in the face of today’s inevitable disruptions, you can continue operations and protect your most important assets, especially your people. Importantly, organizational resilience isn’t just about surviving but building a competitive advantage in the ability to quickly pivot and respond to the unplanned.
These strategies are part of the approach that we use in our 5-Day Business Continuity Accelerator course where we aim to improve the perception of your business continuity program within your organization.
We offer our 5-Day Business Continuity Accelerator quarterly.
The Key Pillars of Business Continuity
While resilience means something different for every organization—every business has different experiences, threats, and resources—there are a few key pillars that we consider essential to every business continuity program. We take each in turn below.
1. Business Continuity
A strong business continuity program is the backbone of every organization’s resilience efforts.
We think of business continuity as the process of planning for a disruption to a critical business team or capability, such as human resources, contact centers, manufacturing facilities, or the like.
As part of this process, your business needs to assess the most likely potential disruptions and their impacts, create business continuity plans to guide your response to those specific disruptions, and then train, exercise, and improve upon those plans over time. Potential disruptions can range from cyberattacks, fires, natural disasters, or power outages to terrorism and active shooter threats.
2. Crisis Management
Where business continuity is the discipline of planning for disruptions, crisis management is devoted to developing the processes for actually managing those disruptions when they occur—who does what, at what time, and in what order. It includes a diverse range of pre-planned strategies that help an organization deal with an unexpected adverse event that might otherwise cause significant damage.
Depending on how a company has structured things, it may treat crisis management as a component of its business continuity program, while another company treats business continuity as a component of its crisis management program. The structure doesn’t really matter so long as the capabilities for both planning (what we call business continuity) and actually managing a disruption (what we call crisis management) are in place.
3. IT Disaster Recovery
The last key pillar of business continuity is IT disaster recovery—the plans, strategies, and solutions that ensure your critical technology platforms remain available to your business teams. This includes understanding each critical system’s requirements, such as availability, maximum acceptable downtime (the recovery time objective, or RTO), and maximum acceptable data loss (the recovery point objective, or RPO), and ensuring that you have a plan to meet those objectives when an IT disaster occurs. Ideally, IT will own the IT disaster recovery process, with coordination and input from the organization’s business continuity and crisis management program.
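As an added illustration (not code from the original article or its authors) of how RTO and RPO turn into something you can check, the following script compares each critical system’s objectives against what is actually in place: the backup cadence bounds the data loss (RPO), and the restore time measured in the last exercise is the only evidence for the RTO. The system names and figures are constructed for the example.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import List, Optional, Tuple


@dataclass
class CriticalSystem:
    name: str
    rto: timedelta                        # recovery time objective: maximum acceptable downtime
    rpo: timedelta                        # recovery point objective: maximum acceptable data loss (as time)
    backup_interval: timedelta            # how often a recoverable copy is actually taken
    tested_recovery: Optional[timedelta]  # restore time measured in the last DR exercise; None if never tested


def assess(system: CriticalSystem) -> List[str]:
    """Return the objectives this system cannot currently demonstrate it meets."""
    gaps = []
    # Data lost in an incident is bounded by the time since the last copy,
    # so a backup cadence longer than the RPO cannot satisfy it.
    if system.backup_interval > system.rpo:
        gaps.append(f"RPO {system.rpo} not met: backups run every {system.backup_interval}")
    # An RTO that has never been exercised is an assumption, not a capability.
    if system.tested_recovery is None:
        gaps.append(f"RTO {system.rto} unverified: recovery has never been exercised")
    elif system.tested_recovery > system.rto:
        gaps.append(f"RTO {system.rto} not met: last exercise took {system.tested_recovery}")
    return gaps


def prioritized_gaps(systems: List[CriticalSystem]) -> List[Tuple[str, List[str]]]:
    """(name, gaps) for every system with a gap, shortest RTO first (most urgent)."""
    ordered = sorted(systems, key=lambda s: s.rto)
    findings = [(s.name, assess(s)) for s in ordered]
    return [(name, gaps) for name, gaps in findings if gaps]


# Constructed sample inventory: names and figures are illustrative only.
SAMPLE_SYSTEMS = [
    CriticalSystem("payroll", rto=timedelta(hours=4), rpo=timedelta(hours=1),
                   backup_interval=timedelta(hours=24), tested_recovery=timedelta(hours=6)),
    CriticalSystem("contact-center", rto=timedelta(hours=1), rpo=timedelta(minutes=15),
                   backup_interval=timedelta(minutes=5), tested_recovery=timedelta(minutes=45)),
    CriticalSystem("erp", rto=timedelta(hours=8), rpo=timedelta(hours=4),
                   backup_interval=timedelta(hours=1), tested_recovery=None),
]

if __name__ == "__main__":
    for name, gaps in prioritized_gaps(SAMPLE_SYSTEMS):
        print(name)
        for gap in gaps:
            print("  -", gap)
```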
Business Continuity Roles and Responsibilities
Good business continuity governance—i.e., having the right people, policies, and practices in place to direct and control your business continuity and crisis management program—is critical to business continuity program success on many fronts. Not only is it an ISO 22301 compliance requirement, but it also helps build visibility and awareness for your program, builds accountability, and assists in identifying and closing program gaps.
Good governance starts with carefully defining program roles and responsibilities and ensuring you have the right people in each role. These are some of the fundamental roles and responsibilities typical in most organizations.
Board of Directors: Your board has a fiduciary duty to exercise strategic-level visibility and oversight over business continuity and crisis management. They can also be instrumental in helping to promote a culture of resilience. Specific board oversight and strategic level visibility are typically delegated to the board’s Risk or Audit Committee.
Executive Management: Each member of the executive team retains ultimate oversight and responsibility for crisis management & business continuity planning in their specific area of operations. One or two people at this level should also act as an Executive Sponsor, with direct oversight of and advocacy on behalf of the crisis management & business continuity program.
Steering Committee Members: The steering committee—usually an interdisciplinary team of six to eight people—meets quarterly or annually to ensure the program is aligned with corporate strategy and objectives and is maturing and making forward progress towards annual goals.
Business Continuity & Crisis Management Program Manager: The program manager has direct oversight and responsibility for business continuity & crisis management program operations, reporting, and execution, and exercises direct oversight over the business continuity team members.
Business Continuity Team Members: Team members conduct the day-to-day business continuity and crisis management activities.
Business Continuity Plan Owners: Each business unit is responsible for creating, maintaining, and exercising its own business continuity plan under the guidance of the program manager.
The roles and responsibilities in your program will vary somewhat depending on your size and organizational structure. At the very least, competent executive sponsorship, a capable program manager, and engaged business continuity team members are non-negotiable.
The Business Continuity Lifecycle
One of the biggest mistakes we see businesses make with their business continuity program is thinking that it is just a one-and-done event. They put in a lot of work conducting their initial business impact analysis, identifying resilience gaps, creating plans, policies, lists, and procedures, and distributing these throughout the organization. Then they consider their “business continuity” box “checked” and move on.
In the meantime, data becomes stale. Technology evolves. Vendors and other third-party relationships come and go. Business objectives change. Consequently, business continuity plans become outdated and leave you ill-prepared to handle the evolving threats that will inevitably disrupt your business.
Every business continuity program should have a lifecycle that is designed to grow and mature your program over time. The key steps of the business continuity lifecycle include:
- Assessing your business environment and potential disruptions with a Business Impact Analysis.
- Creating Business Continuity Plans that detail the procedural tasks and guidance for preserving and recovering critical business processes in response to a disruption.
- Exercising your plans through tabletop exercises and simulations to build confidence and muscle memory, validate the plans, and diagnose gaps in them.
- Maturing and improving your program continuously over time with the insights gained from exercises and real-life implementation of your business continuity and crisis management plans.
We’ve illustrated each part of the business continuity lifecycle in more detail below.
Building a Culture of Resilience by Raising Awareness
Along with embracing a lifecycle approach to building resilience, one of the single most determining factors for the success of your business continuity and crisis management program is instilling a culture of resilience within your organization.
We think of a resilience culture as a way of thinking, acting, and planning within your organization that helps your organization better respond to change, disruption, and crisis.
One of the best ways to develop a resilience culture is to take the time to listen and understand the needs of all of your organization’s stakeholders.
- What are their strategic objectives?
- What initiatives are important to them right now?
- What external drivers influence their respective areas of operations?
- How will a disruption impact their specific function?
Armed with this input, you can better align your business continuity program against the needs of your stakeholders and develop effective messaging that communicates the value of business continuity in terms that they will understand. National events like National Cybersecurity Awareness Month and National Preparedness Month are also great ways to start driving engagement and awareness around resilience topics.
Want to work with us or learn more about Business Continuity?
- Our proprietary Resiliency Diagnosis process is the perfect way to advance your business continuity program. Our thorough standards-based review culminates in a full report, maturity model scoring, and a clear set of recommendations for improvement.
- Our Business Continuity services help you rapidly grow and mature your program to ensure your organization is prepared for the storms that lie ahead.
- Our Ultimate Guide to Business Continuity contains everything you need to know about Business Continuity.
- Our free Business Continuity 101 Introductory Course may help you with an introduction to the world of business continuity – and help prepare your organization for your next disruption.
- Learn about our Free Resources, including articles, a resource library, white papers, reports, free introductory courses, webinars, and more.
- Set up an initial call with us to chat further about how we might be able to work together.