From a management systems perspective, the process of assembling business continuity and crisis management programs should flow from the strategic to the tactical. Ideally, a high-level, interdisciplinary steering committee will confirm planning strategies and provide its blessing at key lifecycle milestones. Goals should be clear. Resulting operational plans should be monitored and adjusted over time to ensure they produce the desired effects. If the planning team suspects that a component of the business continuity program is not having the desired impact, the team should take quick action to fix it (not wait until the end of the year).
When setting criteria for monitoring program effectiveness, the executive sponsor should strive to ask tough questions, including “How well have we protected corporate reputation this year?” and “What have we saved the business in terms of operational losses?” Simple dashboards and status report cards can be a gateway to bureaucratic inertia and frequently say little about the overall relevance of the business continuity or crisis management program to corporate aims.
People and Technology
In the radically relevant business continuity program, compensation becomes a powerful tool for influencing key behaviors. Executive managers should think very carefully about the compensation structure for resilience professionals. Is there a way to tie a portion of salary to demonstrable reductions in annualized loss, enhanced reputation or measurable support to other strategic goals? Ultimately, compensation can (and should) encourage managers to maintain a near real-time appreciation for business risks as they arise each day — rather than sleepwalking through a year-long program of maintenance and testing activities. The key difference here is whether a resilience professional is viewed as an essential strategic advisor to the business or a target for cost-saving cutbacks.
Recent events also remind us to critically examine the best use of technology in our business continuity and crisis management programs. Technology should enable communication, empower people and reduce complexity. There are endless creative applications for technology in resilience programs, such as: communicating strategies, gaining feedback, modeling scenarios, highlighting variances, enabling investigations, forecasting trends, summarizing data, correlating performance with objectives and more. However, many firms become trapped by the very tools acquired to simplify business continuity and crisis management planning.
At the risk of speaking heresy, executive managers seeking radical relevance should seriously re-evaluate the current role of technology in supporting what is, at its core, an inherently qualitative management activity. Are spreadsheets driving your firm’s planning methodologies? If so, it may be time to get back to basics!
Brian Kaye is National Practice Leader, Business Continuity, for Control Risks North America, a global business risk consultant. He is responsible for developing, implementing and managing business continuity solutions for Control Risks’ client base, including Fortune 100 companies. He also chairs the company’s International Business Continuity Working Group. Before joining Control Risks, Brian served as an Intelligence Analyst with the Central Intelligence Agency (CIA), specializing in terrorism.