10 rookie mistakes when building a sustainable resilience program


Whether you are starting a program ‘from scratch’ or seeking to re-energize a program that may have lost some of its original focus, there are a few common pitfalls you should be aware of and seek to avoid. The goal is to create a successful business continuity management program that is objective, consistent & repeatable.

Your piece of the ‘resilience program’ may include one, several, or all of the following disciplines: IT disaster recovery, business continuity, emergency management, crisis management, site or operations risk management, and possibly other related activities. 


1. We bought a tool – we’re ready to launch! 

It is so tempting to think that all we need is “the right tool” and all will be fine. Our plan owners will adopt it and the program will move forward and be sustained over years. If only it were that simple. 

Software is powerful, but it only works as well as your overarching continuity management plan & the data you put into it. My philosophy has always been that in order for a program to be sustainable, it must first:

  • build enterprise engagement
  • communicate with data, systems & team
  • gain commitment from senior management

And then, the tool you choose should not only match how you deploy your resilience program today. It should also be easily altered over time to adapt to changing maturity of your program. Note that program maturity will be driven by a number of factors including executive support, organizational change, regulatory change, and systems change.

 

 

2. My boss says we don’t need an executive sponsor. Just get going.  

Do you ‘go it alone’ and accept the responsibility of launching a program without senior leadership support? My advice would be to carefully consider the “career limiting potential” of such a decision. There may be circumstances that mitigate the risk. But I have often advised audiences that if you have made multiple attempts to gain senior leadership support and have not succeeded. It might be time to update your CV and look for a job elsewhere.

Getting senior leadership engaged is a double edged sword. Who would argue that having strong executive participation and sponsorship isn’t a valuable attribute to a sustainable resilience program? However, you may find that those in your management chain leading up to senior leadership are not so enthusiastic about the visibility your program requests.

 

3. This is how we did it at my last company. That’s why they hired me. Let’s go! 

Is it possible that all of the factors that went into the amazing success you had at your last employer will come together at this organization? Sure, why not!  Should you bank your career on that happening?  Hmmm, maybe not.

I have learned over the past 23+ years that each organization has its own unique ‘best fit’ framework for a sustainable resilience program. Here are some of the critical considerations:

  • Program strategy: sponsorship, steering committee, policy
  • Program scope: how big, how wide, how deep
  • Program support: rollout, training, work effort, support model

bcmm_graph.png

4. No need to baseline where we are today.

You’re ready to get underway. Wouldn’t it be helpful to be able to measure where you are and have a clear idea of what the program should look like at a defined point in the future? 

There are many free tools that help get you started and plenty of consultants who are more than willing to help you to begin. No matter which approach you use, the baseline should establish:

  • A clear understanding of where your program is today
  • A goal of where do you want it to be in the future,
  • The tactics that will help you get there.

Feel free to check out our Business Continuity Maturity Model tool as an example.

Free BCMM tool for organizational resilience

 

5. Our organization is new at this. We’ll let each plan owner decide their recovery time.

That might be a very good option under certain circumstances. As example, if you’re not in a regulated industry and you have limited leadership support so you’re launching the program ‘slowly’ to demonstrate its value to the organization.

However, if you are in a regulated sector or if you do have significant executive support, you may want to consider a different approach. We call it the ‘Executive BIA’ or eBIA for short.  Using this approach, you can dramatically reduce the work effort of generating functional or dependency recovery time objectives (RTOs).

At its heart, the eBIA is a methodology to engage executives in a 1-on-1 dialog to quantify their risk appetite in very specific terms. As example, your CFO can provide you with the $ amount that defines his/her tolerance for financial risk due to disruption.  Similarly, your operations executive can provide a synonym for operational disruption.  And so on across the organization.

 

6. This has to be done this year. No time to pilot.

Resist the temptation to simply ‘get ‘er done’. Leave that to the ‘Cable Guy’.  Even when challenged by executives to an arbitrary deadline, make time to pilot the method, the tools, and your support model.  You will invariably learn something(s) that will save time, money, and possibly your job.

clock_green.png

 

7. Yes, I have a Steering Committee. We meet annually.

Yes, getting leadership engaged and meetings on their calendars is never easy. However, don’t agree to less than ‘reasonable’ commitment to participation.  Have a clear charter for your Steering Committee.  Ensure that your executive sponsor has “the juice” to keep his/her peers attention on the importance of supporting your resilience program.

 

8. Yes, I have a Steering Committee. Each executive sends their delegate.

Notice a theme throughout this blog? Yeah, you need executives engaged.  If not, your program is doomed.  Maybe not immediately, but it will die a horrible death with gnashing of teeth.  Or it might simply stop breathing and whimper into silence. Just kidding. You’ll be fine…

Vigilance is your mantra. How do you keep your executives engaged?

  • Step 1: Define Organizational Resilience specific to your industry/organization
  • Step 2:  Determine a baseline
  • Step 3:  Play by the rules! (Know your regulations)
  • Step 4:  Conduct a business impact analysis
  • Step 5:  Money talks! Quantify the financial impact

For a deeper dive, check out this article on Building Executive Engagement

 

9. Let each site (division, business unit) stand up its own program.

Whoa!  That’s exactly how we’ve implemented our resilience program and it has been working terrific for years.  OK.  This isn’t always a mistake.  There are certain cultures and circumstances where this degree of separation thrives and is the most prudent approach.

However, the rookie mistake here might be to choose this path simply because it appears easier than engaging the most senior leadership in the organization in defining an enterprise-wide program with standardized methods, tools, and expert support.

 

10. Bring in the ISO auditors. I’m sure we’re ready.

Undertaking an ISO certification audit is expensive both in terms of people’s time and $$$.  If your organization is seeking certification in any of the resilience disciplines, you may want to consider talking to an outside consultant who may be able to identify critical areas to focus on.  Be sure that you are versed on your corporate competencies such as:

  1. Leadership
  2. Employee awareness
  3. BC program structure
  4. Program pervasiveness
  5. Metrics
  6. Resource commitment
  7. External

CONCLUSION:

I hope this has been helpful in knowing some of the pitfalls of business continuity planning. Even I have experienced some of these at different points in my career. I hope that you can avoid some of these common mistakes and get optimal results from your resiliency plan. If you have questions, or want to learn more about business continuity planning tools or Virtual Corporation, feel free to contact me.

 


 

organizational resilience, business continuity, disaster recovery

Recent Posts

Don't Get Tricked, Beware the Hacker's Playground!

A Hacker's Playground - Public WiFi Hotspots Read More

Ransomware: Will You Be A Victim or Survivor?

Are you prepared for a ransomware attack? Rarely a day goes by that I'm not asked about ransomware or end up in a conversation about ransomware. Questions range from “What is ransomware?” to “How can ... Read More

Meet Virtual Corporation at DRJ Fall in Phoenix!

Virtual Corporation is excited to be a sponsor at DRJ Fall 2019 Sept. 29th-Oct 1. Stop by booth #311/313 to learn about how Virtual Corporation specializes in partnering to develop and sustain repeata... Read More