Tracey Mayer, CBCV, CPCP, Associate Managing Director, Witt O’Brien’s
A prevailing myth about business continuity planning is that you can develop a plan for one company and then easily replicate it for another via a simple “search and replace.” If only it were that simple. While there are common elements in all business continuity plans, there are organization-specific factors and nuances that must be considered to ensure that a business continuity program is successful at implementation and over time. Below are key considerations for both business continuity planners and the organizations they serve.
Know your organization’s culture
Culture is often overlooked, but it is one of the most critical keys to a business continuity program’s long-term success, especially in industries that do not have defined regulatory requirements. You cannot take a square peg FFIEC Business continuity program and overlay it into a round-hole organization such as a tech company and expect it to fit. Business continuity planners must look at the company’s strategic programs over time to determine how the company’s culture contributed to the program’s success or failure. It is important to look at a cross-section of programs and initiatives rather than merely looking at business continuity programs to get a complete picture.
A business continuity program that aligns with the company’s culture and shared vision of success will also have a much better chance of getting traction in the first year. This is particularly important for companies that have never had a formal program.
Do not boil the ocean
When introducing business continuity to an organization, it is wise to walk before you run. The first business continuity plan will not likely be “the” plan. Business continuity is a living endeavor that will evolve and mature as a partnership between the resiliency team and the broader organization.
Build in program maturity
Business continuity program planners should create a maturity model for the business continuity program and associated plans that defines goals and outlines program evolution and plan resiliency. Successful companies have a 3-5-10 year business plan to define their long-term business goals. Build the business continuity program in the same fashion. Describe how to mature the program from year one to year three through year five and beyond.
Maturity plans will vary depending on the size and type of organization. For example, some organizations have mature Enterprise Risk Management (ERM) programs that identify how the organization views and measures their strategic risk. Leveraging measurable strategic risk factors and aligning them to the development of a business impact analysis (BIA) will mature the program significantly. Organizations that are just developing and maturing their ERM programs will see an evolution in risk methodologies that can impact the BIA and risk factors, leading to measurable understanding of the most strategic areas of the organization over a 3-5-10 year period.
Embrace business continuity as a strategic initiative
Many companies develop business continuity plans to “check the box” in response to a negative audit. Organizations that see business continuity programs as a necessary evil to avoid exposure tend to rush through the process. This mindset does not lend itself to a successful business continuity program implementation. Organizations that provide access to executive leadership, socialize business continuity, and gain support for their business continuity program throughout the organization set themselves up for success.
Business continuity is not a one and done activity. Building a coherent and strategic business continuity program is much more than a matter of search and replace. It is important to understand the industry, regulatory requirements, and more importantly the culture of the organization, to ensure a successful program implementation that will sustain itself for years to come.
About Tracey Mayer
Tracey is a business continuity and crisis leader with more than two decades of industry experience. Tracey began her career at GE Capital, where her understanding of DR/IT backup strategies and interest business led to a career transition to business continuity and crisis management. Over the years, Tracey has supported clients through 9/11, the 2005 Hurricane Season, Hurricane Sandy, as well as various other human-error events. She led the implementation of workplace violence training while at GE Capital, conducted BIAs, and wrote and maintained plans for organizations to meet FFIEC and NFPA certification requirements. While with Witt O’Brien’s, Tracey has been instrumental in establishing policy and procedures related to evaluating external and internal suppliers and their ability to support their clients in the event of an incident. Tracey holds a bachelor’s degree with honors and two distinguished certifications in business continuity.