To counteract this, increasing numbers of organizations are adopting a management systems approach to resilience planning — and standards-setting committees, including ASIS Intl., are following suit. By breaking down silos and tying all planning efforts to a set of core business objectives, the management systems approach is the best solution for achieving “radical relevance” in business continuity and crisis management planning.
Nearly all businesses maintain a set of agreed, overarching strategic objectives. Usually five to ten in number, these objectives may include growth targets, quality milestones, control of new markets or the realization of envisioned products or services. The first challenge confronting the manager responsible for business continuity and crisis management is to understand the risks jeopardizing realization of these business objectives. Risk awareness — as revealed through rigorous and timely risk assessment — is essential for building relevant business continuity and crisis management programs that count for something.
Considering the immense value an enterprise risk assessment can provide, it is surprising to see how lifeless and devoid of creativity the process can become in many organizations. The executive sponsor must apply considerable energy keeping the widest set of stakeholders involved. And for the most successful organizations, risk assessment is an ongoing, living process. Just as our competitors make moves without regard for our annual strategic planning cycle, new business risks will arrive at all hours and from many directions.
Armed with a clearer understanding of business risks that threaten corporate goals, the executive sponsor must carefully scope the business continuity and crisis management planning efforts. As risk treatment activities, business continuity and crisis management fall squarely in the category of mitigating controls and stand shoulder-to-shoulder with insurance, risk acceptance and other risk management approaches. Ultimately, business continuity and crisis management scope has direct implications for relevance. Clearly, these programs should be scoped as tightly as possible to ensure maximum real preparedness per dollar spent.
Some leaders have found it useful to prepare a business resilience “strategy map” that charts key risks to corporate objectives at the highest level, mitigating business resilience programs at the middle level, and specific actions at the operational level. Maps like these are incredibly useful for demonstrating relevance — especially during budgeting — since they show a clear connection between resource allocation, action planning, and ultimately, corporate strategic aims.
Scope in hand, it is time to build (or refocus) the business continuity and crisis management programs themselves. This is where the current crop of standards, and BS2599 in particular, really shine for business continuity management. All the major continuity standards embrace a “lifecycle” approach for constructing a business continuity program, and most contain useful guidelines for practical implementation as well. Although there are subtle differences between standards in the number of steps and how they are titled, the core elements of technical best practice are unquestionably well-documented. Crisis management planning is arguably underserved in the world of standards (an oversight that is rapidly coming to an end), but has a longer history in common practice.
The build phase of any planning effort can be tackled many ways — using in-house resources, external consultants or a combination of the two. In coming months, it is likely that we may see increased demand for external vendors, given the recent cuts in in-house capacity. Quite a few newly-unemployed sole practitioners have entered the market as consultants, as well. Firms should take care to carefully vet prospective service providers to ensure they have the requisite skills, experience and business-first perspectives, as well as sufficient labor resources available to complete key tasks within agreed timeframes.