For the person responsible for business continuity (BC), getting board-level commitment can be the biggest obstacle to creating a process to manage an ongoing program of business continuity activities.
Even once the initial set of plans are implemented, there can be a lack of understanding about the need to develop business continuity management (BCM) as an ongoing process across all levels of an organization. Involving all users in regular testing can help, but how easy is it to spread the business continuity message and create a culture that ensures that everyone is aware and singing from the same song sheet?
The importance of partnership
BC managers must be aware of their company's strategic development policy and by definition, this requires board-level sponsorship and commitment to future requirements - business continuity cannot be addressed in isolation. When first creating a business continuity plan, managers must be aware of the planned strategic changes expected within a company. It is inadvisable to choose a backup solution, for example, with inadequate capacity for future growth, when a board member may know more about the probable future.
Apart from working with the board in the planning stages, working with external partners, for instance, in a strategic partnership with your BC provider, can assist the manager responsible in obtaining boardroom buy-in to business continuity management and hence company-wide cooperation.
BC suppliers and consultants bring their own contributions to the arrangement, which include experience, proven methodologies, a deeper knowledge of the industry and its direction, knowledge of comparative companies and a skilled pool of resources. All of these resources can help the board realize the value and probable ROI of a business continuity program.
The in-depth knowledge of an organization from its boardroom members down through the functional layers, coupled with the business continuity expertise of the supplier will strengthen the likely success of BCM.
Common pitfalls
Many organizations fall down because their planning does not go beyond the recovery of their IT systems; this is often the case when the IT function is outsourced and no one then picks up the mantle of business recovery. The manager needs to take a holistic view, because in my opinion effective BCM covers a multitude of other issues. These issues include mission-critical processes, business function recovery priorities, people recovery issues, alternative premises, crisis management and the appropriate framework - not only for major incident response but for ensuring a culture of continuity within the business.
An important fact also frequently forgotten is that the program should be accountable and measurable, and working in partnership with the board and the supplier will help the manager create a system which is acceptable to the company and realistic in its requirements.
Business continuity management is, fairly obviously, an ongoing program of managing the business continuity, which overcomes the common mistake that business continuity is a project with a designated start and finish. In reality, it is an ongoing, dynamic and flexible program - by working together, clients and partners can reinforce this by putting a culture in place which positions continuity at the heart of the business from the board of directors down.
I believe that BCM embraces five key stages:
- understanding the business
- continuity strategies
- response development
- establishment of the continuity culture and strategy
- audit, maintenance and testing
All parties - the board members, the manager and the provider - should be involved at some level in these five stages in order to create an all-encompassing BCM plan.
What is the solution?
Continuity managers should seriously consider working with an experienced partner, in order to run an ongoing management program. Organizations and their partners should develop proven management tools and processes that co-ordinate how a company protects critical data, resources and assets based on the organization's basic requirements and potential risks. Such a program will develop as the business strategy and technology within the organization changes over time, and form the basis of the BCM culture.
At SunGard Availability Services, we call this process of establishing a BCM culture into a company, continuity program management (CPM). Its purpose is to establish the process that leads to education and awareness of the company's BC approach, before laying the foundation to ensure business continuity plans remain consistent throughout the organization and that their place in the overall strategy is understood at all levels. It is apparent in many large companies with numerous sites, different departments, disciplines and multi-platform systems, that the left hand often does not know what the right hand is doing! Indeed, a recent survey by the Securities Industry Associations (SIA) showed that although most of the 62 firms surveyed reported having formal or informal awareness programs in place, 16 percent had no program at all and less than 30 percent actually had in-house training programs for BCM.
Gaining boardroom buy-in - the bottom line
A solid BC partnership and innovations such as CPM will overcome many of the pitfalls associated with implementing BCM and BC culture into an organization. It can be used as a mechanism for continuity managers in large companies to ensure a level playing field; everyone has the same understanding, knows where their responsibilities lie and ownership for the success of the BCM process becomes part of business as usual. If this is the case the 'plan' is likely to be much more effective should it need to be invoked and is considerably more than just the BC or IT manager can achieve battling it out alone.
The real benefits of CPM are that the continuance of the business is under control, managed and understood at every level from the boardroom down, as everything and everyone has a place and, more importantly, knows what this is. I believe this is what corporate governance is really about. With a BCM plan in place, the managing director can breathe easily, knowing that his or her company will be complying with regulatory bodies, auditors and other interested parties who need to know how a company is managing the risks to its assets on behalf of customers and clients.
Richard Jones is managing consultant south, SunGard Planning Solutions, SunGard Availability Services (www.sungard.com).