We do a business impact analysis. We identify risks. We put in place a business continuity management program. Presto chango, we achieve comprehensive business resiliency.
To put it baldly, “Yeah. Right.”
That may have been true in the days when the risks we contended with were statistically predictable, quantifiable, and insurable. Things like fires, hurricanes, earthquakes, floods, and power failures. But today, the risk landscape is highly ambiguous and amorphous. How do you even begin to quantify:
- Cybercrime, terrorist, and denial of service attacks?
- Wireless device security loopholes?
- Global supply chain and business partner connectivity concerns?
- Public cloud infrastructure risks?
- Human capital dependencies?
I have news for you: if our risk landscape has changed, then our business continuity management approach had better change right along with it. Otherwise, resiliency is nothing more than a pipe dream.
The demand for business continuity management program transformation
Business continuity management historically has focused on protection: protect your people, protect your assets, protect your information, protect your revenue. Essentially, dig in and prepare for a siege.
But in today’s world, protecting what you have isn’t going to get you where you need to be. In every area of business, companies are being forced to proactively meet customer and business demands in new and innovative ways. In marketing, that has involved a shift from huge mass-market campaigns to micro-personalized outreach. In software development, it often requires leaving behind sequential waterfall design methodologies and embracing incremental agile approaches. What about for business continuity management?
For IT and business continuity management, transformation in the 21st century means stepping outside of the traditional risk-averse mindset to take on a deeply proactive approach that extends across the entire business. Such an approach recognizes that business resiliency – the ultimate goal – means much more than keeping the lights on or even keeping the data flowing. To the new CIO in this changing and somewhat threatening world, resiliency seeks the enhancement and protection of human resources, current revenue streams, and future revenue growth potential by allowing business and operational decisions to be informed by advanced risk intelligence and proactive business continuity awareness.
The new business continuity management model
Let me be clear here. The demand for transformation does not mean that we throw out everything we have learned about business continuity management in previous decades. Not at all. The principles we know and practice are tested, tried, and proven. They simply do not go far enough for today’s needs.
Likewise, transformation does not mean firing your business continuity management team and hiring a new one. Far from it. If you are in business continuity management today, you are part of the solution – not part of the problem. In fact, you are the leaders of the new solution, uniquely qualified by your years of experience and the depth of your knowledge.
Here’s what does need to change to bring about a new business continuity management model:
- Adopt a business-wide perspective. Business continuity folk (both IT and business) tend to live in a bubble. They talk to their team and they talk to their internal customers – the different lines of business, operations, vendors, etc. They don’t tend to talk to the consumer. But to truly leverage technology and business continuity to build a resilient business, we need to think about the business as a whole, and that means engaging with the consumer (thinking like the consumer, enhancing the consumer’s experience, anticipating the consumer’s next demand). It means being able to align the business continuity program with the goals and objectives of the business. It’s time to get out of our bubble.
- Challenge your business continuity management methodology. As you think about your business as a whole and engage with your consumers, ask yourself: what do we need to do to align our business continuity management methodology with our desired business outcomes? How do we become more agile and responsive? How do we leverage technology to boost the business?
- Reconsider your business impact analysis (BIA) process. Chances are, you are bringing new business processes and applications into the fold all the time. Can you really afford to wait until your next annual BIA to study the risks associated with these new items and carefully work them into your business continuity plan? No. You need a new way to safely onboard new processes, new products, and new applications – before these things even make their way into the production environment.
- Reinvent intelligent plans. There is only so much that a static or traditionally-built business continuity plan can do for you, considering the ambiguous nature of today’s threats. What you really need is a foundation you can then build on during an actual event, because you can’t possibly predict all the details of a business interruption ahead of time. This is intelligent planning: a plan that takes into account changing situations that unfold very rapidly; a plan that combines a base outline with accurate data and incident management to become a targeted weapon to combat any interruption, attack, or disaster.
- Promote collaboration and communication. For intelligent planning to become a reality, collaboration and communication need to be vastly increased to provide situational awareness during an incident. What’s happening? What is the impact to the business? To our employees? To our customers? Such communication is essential to support the decision making that needs to take place rapidly and accurately to address an incident.
- Drive resiliency roadmap innovation. In many ways, we end where we began: with a focus on the business. As you challenge your business continuity management program and shake things up, you also need to drive the creation of a new resiliency roadmap: a roadmap that is aligned with your organization’s goals and objectives, and that has resiliency processes embedded into the culture and daily operations of the company. For example, if Procurement is looking at a new vendor, you need to be a part of that process for business continuity reasons, asking questions about the vendor’s resiliency strategy and disaster recovery tests. With Human Resources, you need to part of the onboarding of new employees, training them in company security policies and procedures.
The past decade has seen more changes to business and technology than can possibly be quantified. Everything has been flipped upside down from what we knew before. The only way to keep business continuity management aligned with this new topsy-turvy world is to turn it on its head as well!
Related Service: Business Continuity
This article was originally posted on Forbes BrandVoice.