Programs, Architecture & Analytics

Introduction to Business Continuity for Middle Management

What is Business ResilienceLet’s start off this conversation assuming we have full Senior Management support for a Business Continuity Program (you already did that). Our Senior Managers have an idea of the logical construct of Business Continuity and the goal of protecting themselves, their employees, customers and investors is fully embraced.

View the Presentation:


 

What Senior Managers will generally not have is a detailed understanding of the level of resources and time required to maintain a Business Continuity Program. In general this level of detail, resource allocation and execution will fall to the Middle Managers of an organization and not to any surprise many of these Middle Managers will already have full workloads and resource constraints.

The challenge for any Business Continuity Manager is to get the Middle Management of an organization engaged in Business Continuity, gain their trust, and demonstrate the value of Business Continuity to have it embraced at their level. Business Continuity is not a project with a start and end date, so it is important that you gain organizational support to maintain the program post implementation.

Q: How do we get Middle Management on our side?
A: As Business Continuity Managers, we provide value and an understanding of their role within Business Continuity.

We provide this value and understanding through communication. To start we must provide Middle Management with a highly level introduction to Business Continuity, communicate the primary benefits and provide some basic scope around the effort. After the initial introduction you can prepare additional in depth training based on the project or role requirements.

The following is a framework that I commonly use as a Middle Management Introduction to Business Continuity. This content can also be viewed as a slideshow or downloaded as a presentation below.

First we will start by providing some definition & context around the concept of Business Continuity. A basic a agenda/presentation introduction has been provided below.

  • Business Continuity Defined
  • Mission & Priorities of Business Continuity
  • The “Need” for Business Continuity
  • Business Continuity Planning
  • The Business Continuity Management Components
  • Middle Management’s Role in Business Continuity
  • Summary

The definition of Business Continuity will be similar across multiple information sources (Google it) so choose a definition that most resonates with your organization. I like the two definitions provided below they focus on the overall objective/idea of Business Continuity not the means of how to the get there.

  • Business Continuity Management (BCM)
    BCM is the act of anticipating incidents which will affect mission/business-critical functions and processes for the organization, and ensuring that it responds to any incident in a planned and rehearsed manner.
  • The objective of BCM is to ensure the uninterrupted availability of all key business functions, processes, and resources required to support essential business activities.

By establishing the idea/objective of Business Continuity, we can then move on to focus on the specifics of what we are trying to protect by having a Business Continuity Program. The priorities should be aligned with the priorities of the organization and the major risks associated with business interruptions. A Business Continuity Program should have a mission statement which can be similar to the one provided below. The mission of your Business Continuity program should be aligned to support the priorities and should be adopted by the Senior Management of your organization.

Mission & Priorities of Business Continuity

  • Business Continuity Management is meant to minimize the impact on the business and prioritize the organization’s objectives.
  • The priorities taken into account are:
    • to protect the health and welfare of individuals and their families
    • to protect our image, reputation, brands and assets
    • to ensure continuity of critical business functions and processes
    • to ensure legal and regulatory requirements are met
    • to protect existing data and information
    • to return to normal operation as soon as possible

The focal point of a Business Continuity Program is the protection of mission/business critical processes and the resources & controls required to protect them. When presenting to the organization it is important to highlight the key functional areas of the business that contain mission/business critical functions. These functions should be aligned with your business and highlight the potential vulnerabilities/risks of failure and/or degradation of operations. The listing below is a general listing of key functional areas/services within an organization usually included within a Business Continuity Program. I recommend you keep it high level at this point and focused on your operations.

  • Key business processes can be vulnerable to interruptions, depending on a number of critical elements:
    • People
    • Infrastructure
    • Logistics
    • Utilities
    • Manufacturing
    • IT
    • Financial resources
  • Vulnerability and interruption depends on how critical these and other elements are to business operations

The next steps is to start to introduce the risks associated with a business interruption. Most Middle Managers will have an understanding of risk but it is important to highlight the scale of the risk for the organization. The impacts below are focused on a traditional risk model where Direct and Indirect impacts are the immediate result of the interruption. These impacts should be be aligned with the business and samples of impacts provided to create and understanding of the criticality of the functions represented by the audience. It is also important to paint a picture of the long-term effects of a business failure and what that can ultimately mean to the audience in terms of the viability of the company.

  • Business interruptions can have consequences that lead to direct, indirect or long term business impacts.
    • Direct impact
      • Unavailability of infrastructure or resources
      • Loss of information
    • Indirect impact (Rippling Effects)
      • Interruption of one business critical process can extend to other processes
    • Long term impact
      • Loss of customers
      • Weakened financial position
      • Loss of market share
      • Loss of investor confidence
      • Liabilities
      • Eroded public image

By establishing the priorities and impacts of business interruptions we are opening the door to establishing the fundamental justification for Business Continuity and advocating for “buy”-in from Middle Management to implement a program that is “in-line” with the requirements of the organization. To summarize this approach, the following three ideas can be used to tie the conversation together. At this point we are also establishing the second part of the conversation which should be focused on Middle Management’s role in the implementation, support and management of the Business Continuity Program.

  • Business Continuity Planning should be implemented within all levels of the organization (e.g. Functions, Departments, Business Units etc.) where the disruption of their business critical processes could directly or indirectly meet or exceed the risk tolerance defined by the organization.
  • All organizations are equally at risk from the effects of an event, disaster or business disruption that can interrupt mission/business critical operations.
  • A successfully implemented and maintained Business Continuity Program can minimize interruptions and facilitate a successful resumption of the business.

Business Continuity is a management system. For organizations in the regulatory or process oriented industries a structured management system such as an ISO standard will be an easy sell as a program blueprint. Business Continuity does have an ISO standard 22301, which can be implemented in whole, in part or used as guidance. I would recommend using ISO 22301 in some capacity and referencing the Plan, Do, Check, Act (PDCA) model as part of the project scoping process. That being said, the following section is the core concept of a management system framework. It must be communicated that to be effective each component of the management system must be defined and managed within the scope of the program.

  • BCM is a management system and requires the following key components to be effective:
    • Policy/Guidelines/Standard Operating Procedures
    • Resources with defined Roles & Responsibilities
    • Planning
    • Implementation and Operation
    • Performance Assessment
    • Management Review
    • Continuous Improvement

ThinkGRC_BCM is a Management System

In the following section we want to introduce the key components of a Business Continuity Program. Each component will require a potential level of involvement from Middle Management to execute and manage on an ongoing basis.

  • BCM must continuously adapt and change as organizations and their operating environments change.
  • BCM Program Key Components:
    • Policy/Guidelines/Standard Operating Procedures
    • Risk Assessment
    • Business Impact Analysis
    • Business Continuity Plans
    • Exercising/Testing
    • Program Review
    • Maintenance & Improvement
  • The BCM only works if these components are updated on an continuous basis.

ThinkGRC_BCM Program Components

The point of this presentation is to get Middle Management support so we want to provide a high-level description of their engagement in the Business Continuity Program. The following listing is to give insight into Middle Management’s role. The listing is meant to be easily adopted and should instill a sense of personal responsibility. The objective is to gain consensus and that moving forward they will support the details of the implementation.

  • Middle Management’s Role in Business Continuity
    • Support and promote Business Continuity
    • Ensure the proper Business Continuity planning is in place for their organization
    • Be prepared to enact their Business Continuity plans in the event of an emergency or disaster
    • Allocate the required resources to:
      • Participate in and execute the Business Continuity Program Components

Lastly, I would recommend doing a recap on the presentation to drive home some of the critical points and establish some next steps.

  • Business Continuity Management is integral to maintaining business operations
  • Business Continuity Management is focused on mission/business critical processes
    • Advanced planning and preparations are necessary to:
    • Identify the impact of potential losses
    • Formulate and implement recovery strategies
    • Develop continuity and recovery plans
    • Administer a comprehensive training, testing and maintenance program
  • BCM is not just a one-time event, it requires:
    • Permanent management commitment
    • The assignment of accountability
    • The provision of adequate resources

Remember this is only the introduction/onboarding process. The details of the Business Continuity program may be heavily challenged in the future due to organizational restructuring or resource constraints so creating the vision, mission and stressing the overall importance of the Business Continuity Program to the business will be a critical success factor.

Have fun and good luck!

Download the Presentation

Download
Print Friendly, PDF & Email

Sharing

Facebooktwittergoogle_plusredditpinterestlinkedinmail