Business Continuity in a Nutshell
Seven simple principles to make your business more resilient
I wrote this on a beautiful sunny morning last week, sitting on the Isle of Skye, enjoying the sun washing over the mountains with a fresh coffee and a copy of business continuity principles.
Different day, different highland view, but you get the idea
OK, so I enjoyed the sunrise, mountains, and coffee a little more than the business continuity guide, but it was nice to refamiliarize myself with business continuity management (BCM) again.
Unfortunately, just like all standards, the language and concepts are sometimes a bit twisted and hard to digest: the last thing an already busy team needs to deal with. So I'm working on a set of simple BCM principles for CrisisDojo, avoiding words like 'actioanlize' and 'robustify'.
Here are seven core principles that you can use to build resilience in your organization.
Prioritize People, Systems, and Processes
No one likes being told that they're 'non-essential', but when things go wrong, you need to know who or what needs to be back online first. Some parts of the business - audit and governance, for example - might be optional for weeks or months, but your core system and management are needed immediately.
Like the 'rule of threes' for survival (three minutes for air, three days for water, and three weeks for food), think about what's required within hours, days, and weeks. (The formal name for this process is a Business Impact Assessment or BIA)
But to do this effectively, you need to be strict, and your teams need to be honest: otherwise, non-critical systems will take time, attention, and resources away from essential services, and the business will suffer.
Eliminate Single Points of Failure
It's OK for most folks to only have one wrench in their house, but if someone's a mechanic, that becomes a single point of failure: no wrench, no mechanic. Similar to the prioritization you conduct for people, systems, and processes, think about your business functions and identify any single points of failure.
That could be using Slack for all communications, keeping your backups on the same server as your working files, or relying on a single supplier for critical components. Any time you rely on a single person, process, or system, it's a potential failure point.
Also, remember that your suppliers could be creating single points of failure. For example, if you run on AWS and your backup service also uses Amazon, AWS becomes your single point of failure.
Relying on a single person is a particular type of single point of failure, called key-person risk. Train understudies or alternates for any essential personnel to overcome this danger.
Documenting individual and institutional knowledge and maintaining a clear record of where this information is stored is also essential. And schedule regular reviews to update this information to reflect changes in personnel, systems, or processes.
Don't wait until the day the power goes out to read the manual for your backup generator. Learn how to use your backup systems and train staff in the alternate processes before disaster strikes. Drills and exercises can effectively develop these skills, and you could easily add a business continuity element to a planned crisis exercise.
Again, make sure instructions are documented and readily accessible.
Build Relationships Beforehand
The day your supply chain fails is too late to start looking for new suppliers. Similarly, if you want to move into a shared office, you might need an existing subscription to build on. Remember, you might not be the only company looking for new office space if something goes wrong.
So do your homework and build relationships before things go wrong. Maintain an updated list of alternative suppliers and emergency contacts as part of your contingency plan.
Differentiate Between Continuity and Recovery
Continuity is limping along as best you can using your fall-back system, whereas recovery is getting back to business as usual, even if your new normal looks a little different. Each requires a different approach and a separate plan.
Start From a Solid Foundation
Finally, business continuity management can't make up for inefficient day-to-day operations, and a backup of poorly written documentation is still poorly written. So spend some time spring cleaning before you build your business continuity plan.
Your BIA and risk assessments are good ways to identify any weaknesses, as well as regular audits and operational reviews.
Informal (but Highly Effective)
Remember, these are not ‘official’ business continuity management terms or principles, and you will need to follow something like the Professional Practices in the Business Continuity Institute's Good Practice Guidelines for formal certification.
However, I hope that by wading through the jargon in the PPs from the BCI GPG, I've saved you some time and given you some simple principles you start implementing ASAP.
These will put the foundations of a resilient system in place quickly, and these all align with the elements of the BCI materials, so when you want to formalize your system, many of the essential elements will already be in place. Most importantly, your organization will be better able to withstand an interruption, get services back online, and get back to serving your clients.
Oh, and if you were wondering how this falls under the ‘crisis’ umbrella, it’s because any crisis is going to cause some kind of disruption and I thought it was silly to treat crisis management and business continuity management completely separately. So the contingency plans in CrisisDojo will also include a business continuity section.
(And don’t worry if you’ve already built your crisis management plan, I’ll be sending you a simple form where you can add the necessary details to build the business continuity management section as soon as this is released.)
Learn more as crisisdojo.ai or click the log below to create a free app account and the scenario generator