Dr Sandra Bell, Head of Resilience Consulting, at Sungard Availability Services on how to build an effective business continuity strategy.
The fundamental aim of any Board is to have an organisation that is competitive regardless of the environment that it finds itself in. Configuring the organisation, both in terms of its strategic aims and the way it operates, to the environment and influencing the environment so that it is more conducive to the organisation is at the heart of corporate strategy. Therefore, Organisational Resilience, as defined by ISO22316 (the international standard for Organisational Resilience) as being “the ability of an organisation to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper” is essentially the Boards “day job”.
However, unless the organisation is very small indeed, much of the configuring of operations and external influencing to enable the absorbing and adapting, will be carried out by teams right across the organisation under the leadership and direction of the Board.
Simple in theory, but frequently beset by conflicting agendas and operational priorities, often leading to a patchy and incoherent situation. Under gradual external stress Corporate Governance works well to hold it all together and prevent fragmentation that could lead to a less than unified response. But, when an organisation experiences an acute stress, such as a massive data loss, fire, flood, pandemic etc., tempers get frayed and what are often just simple misunderstandings of each other’s roles and responsibilities can turn into to full scale battles and lead people to exhibit defensive self-preservation behaviours where the corporate objectives are forgotten.
The rather unlikely answer to this problem can often be the frequently misunderstood discipline of Business Continuity. Most of us thinks of Business Continuity as simply a tool that allows us to continue some element of operations in the face of disaster by means of manual workarounds etc.. A common analogy of Business Continuity is that it is like putting a road traffic accident victim in a coma – you shut down everything apart from those functions that sustain life.
Therefore, how on earth can such a blunt operational tool, that doesn’t even look at everything the organisation does, help forge an understanding right throughout an organisation sufficient to get everyone working toward the corporate goal rather than their local goal either in times of crisis or when they are investing in measures to avert or absorb them?
The answer lies not in the plans and capability required to sustain the life of the organisations operations, but in the processes that were used to work out what was needed:
Agreement on the top level priorities
Before a Business Continuity Manager can work out which operational functions need to be maintained to prevent an operational disruption escalating to a strategic crisis, they must first get the organisation to define and agree the top level priorities of the organisation when disrupted. The health and safety of people and the protection of assets and the environment are clearly primary. But, having agreement on the next three or four business-related priorities will mean that all measures to absorb or adapt that are put in place across the organisation can be implemented with those priorities in mind.
Appreciation of each other’s roles and responsibilities
The Business Continuity process involves identifying the business processes and related dependencies, such as IT applications, suppliers etc., that support the operational functions that need to be maintained to meet the high level priorities and the impact that would ensue if they were lost. This allows the identification of appropriate Business Continuity strategies, such as replication, post incident acquisition or diversification of activity to be designed.
Whilst, such information is useful to the Business Continuity Manager to make the business case for the purchase of capabilities such as alternative Workplaces or IT Disaster Recovery, it also graphically illustrates how disparate roles and responsibilities in an organisation mesh together to create a common output. Such illustrations can be used extremely effectively to cut through corporate politics.
Developing cross-organisational supportive relationships
One of the biggest blockers to resilience at the organisational level is individual people, teams or departments just looking after themselves. For example an IT Department that focusses solely on achieving uptime targets or an operational team concentrating on meeting their output targets when they know that the teams they are delivering to are struggling to keep pace. Business Continuity examines the internal relationships for priority activities in detail and can therefore provide a basis for greater understanding and empathy between people, teams and departments.
Resilient organisations are those that are able to display innovation in the face of adversity. However, the innovation process requires people to have the confidence to innovate together with time to think and experiment. The Business Continuity process not only provides clarity on the priority organisational processes, a set of exemplar responses for anticipated scenarios, but, through training and exercise programmes, a safe environment to experiment and practice innovation under stress.
Therefore next time someone says you need to update your business impact analysis (BIA) or attend a table top exercise don’t think of it as you wasting your time to help the Business Continuity Manager write a plan and tick a compliance box but an opportunity to find out what the business continuity process can do for you.
About the author
Dr Sandra Bell is head of resilience consulting for Sungard Availability Services. She designed and managed the security for Team USA’s High Performance Training Centres during the 2012 Olympics and acted as an advisor to the UK Government on the creation of the National Security Strategy and the National Information Assurance Strategy. She is also Chairman of the British Standards Institute’s committee on Societal Security Management.