Getting help for business continuity management

The answer to the first part of this question can be found in the definition of business continuity management (BCM), which is:
An holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

NOTE   Business continuity management involves managing the recovery or continuation of business activities in the event of a business disruption, and management of the overall programme through training, exercises and reviews, to ensure the business continuity plan(s) stay current and up-to-date.

The key to the need for external help is the word “holistic”; effective BCM entails a large number of different management disciplines that many organizations find difficult to martial into one programme execution team. 

External assistance to support business continuity initiatives
An organization that is serious about defending itself against potential threats must look at these threats, and their potential impact on business operations, through a wide-angled lens; threats do not conveniently manifest themselves against one function or activity.  To be well prepared for disruptions to information and telecommunications systems is laudable, but the threats that will uniquely affect these systems are in a minority; most will also impact key business processes, availability of staff or physical infrastructure and may cause long-term damage to company reputation and brand image.

A BCM programme needs to address all of these issues in a logical, structured fashion.  This does not imply a need to attempt to boil the ocean but it does require a process that scopes across all business functions and then focuses on the business impacts that could severely damage the organization’s medium to long term viability.

Normally, an enterprise that has only recently realised the importance of business continuity (and there are many that have not yet reached even this stage of BCM maturity) will require external help both to import BCM expertise and to provide initial appropriately-skilled resources to help run the programme.  So what should it look for from those that it engages as business continuity partners?

What to look for from consultancy support
An organization needs to be satisfied that the BCM specialists it engages meet a number of general and specific requirements. Ensuring this will greatly increase the likelihood of a successful partnership in business continuity management.

An external specialist organization that offers BCM-related services should employ staff who can demonstrate in-depth knowledge of the subject, relevant experience and commitment.

Subject knowledge
The process of developing and maintaining a business continuity capability is at least as complex as, say, re-engineering an organization’s business processes.  The principles and methodology themselves are now relatively mature and well documented by organizations such as the Business Continuity Institute (BCI).  However, access to documentation does not in itself represent knowledge and a business continuity specialist should be expected to be well versed in all aspects of the method.  This capability can be assessed from the specialists’ CVs but a more assured method is to look for membership of the BCI in one or more members in the team.

The engaged team should also contain a thorough knowledge of project management techniques as certain aspects of a business continuity programme need good project visibility and firm project control.

Experience
Business continuity is a hands-on activity that cannot be sprinkled onto an organization but needs to permeate through the key business processes.  To achieve this, business continuity practitioners need real-life business experience as well as experience in applying business continuity development methods.

In many ways, the end-to-end BCM development process is similar to military planning: setting objectives; understanding your own and the enemy’s strengths, weaknesses and dispositions; developing plans to counter possible enemy assaults and testing the plans through field exercises – with or without troops.  In a BCM context “the enemy” may be a terrorist group but is equally likely to be the weather, the electricity grid or a pandemic.  Whatever or whoever the enemy – the risk – the BCM process to develop appropriate responses is akin to military planning, albeit with cost-benefit analysis playing a greater part than in military operations.

This does not imply that BCM development can only be undertaken by ex-military or similar people (such as ex members of the police and emergency services).  However, those that have been involved in military operational planning are most likely to have the mindset that will think through all aspects of response options whilst focusing on the important issues for business continuity.  They will also be most comfortable with the concept of testing plans and training staff through the medium of exercises.

Commitment
Business continuity management cannot be sustained solely by reference to a few well-crafted reports – business continuity plans (BCPs) in this case – left by a team of external specialists.  BCPs must be regularly reviewed, tested, exercised and updated and may, of course, have to be invoked to respond to a real-life incident.

The main purpose of engaging external BCM specialists may be to get help in developing a business continuity capability – possibly from scratch – but the specialists should be able and willing to provide more when required: to mentor and train the client’s staff, to help run the first few BCP exercises and reviews and, in the extreme, to support the execution of a BCP invoked to respond to a real continuity crisis.

Clients should look for this level of commitment from their external business continuity specialists, particularly if their operations are conducted in uncomfortable conditions or potentially hostile environments.  Apart from the whole-life support that such commitment provides, it is good to know that plans have been developed by people willing to test them in real life.