Guest Post by Patrick Ow (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
When the COVID pandemic struck in March 2020, many organisations struggled with business continuity. Many were caught out without business continuity strategies or plans to overcome the likely business disruption that was brought about by COVID.
Having worked with organisations on their business continuity planning, the key challenge many organisations face in developing their business continuity strategies and plans is the level of business continuity planning and effort required. Many business continuity consultants have adopted the ISO 22301 Business continuity management systems — Requirements approach and have unfortunately over-engineered the approach as a one-size-fits-all.
Counting the “number of pens and pencils” required for a business outage
Executives tell me that their consultants wanted them to start “counting the number of pens and pencils” their staff needed during an outage as part of their business continuity planning. They were asked by their consultants to quantify the resources required in the event of a business outage.
Conceptually, as part of your business continuity planning, you need to know the resources required during an outage. But to take a bottom-up approach to business continuity planning that identifies the number of pens and pencils required during a business outage misses the point of the planning exercise.
The question is, how long is a piece of string?
To what degree should an organisation plan its business continuity?
On several occasions, I have been asked to ‘make good’ the business continuity work the organisation has done with consultants.
In one organisation that I was involved in, two full-time business continuity consultants had been hired to develop pandemic plans for an 8,000-strong human services workforce. After two years of template filling, their staff refused to document any more “pens and pencils”. The business continuity process used by the consultants had left a bad taste in their mouths.
After two years of work, no pandemic plans were ever tested or approved by management. It only left a scar on the management team. Business continuity and pandemic planning were relegated to the too-hard basket, and that is before counting the cost of paying the consultants over this period and the enormous amount of staff time wasted documenting everything they needed.
A strategic approach was born
After hearing many similar stories of poor outcomes from the implementation of business continuity management programs, and after working closely with the management teams of health services to understand their needs and rectify the situation for them, I developed a risk-based strategic approach to organisational-wide business continuity planning, which has been implemented in many hospitals here in Melbourne.
You cannot get any more complex than a hospital because we are dealing with many human lives. Our business continuity planning had to ensure that they were kept safe in the event of a fire or a power outage.
The missing link for business continuity planning is the understanding that your employees are experts in their area of operation. They intuitively know what to do when there is an outage. There is no need to document everything in your business continuity planning, right down to the number of “pens and pencils” required during an outage. Trust them to do their work.
Therefore, the key to developing and implementing an organisational-wide business continuity strategy is to bring together and coordinate the efforts of these knowledgeable staff.
Develop strategies, rather than writing detailed plans for everything. It is easier to remember strategies than detailed step-by-step actions. In a crisis, it is hard to recall every single written step. People react intuitively during a crisis.
Intuitively start with how your staff will respond to a crisis
This learning came through loud and clear when I conducted a tabletop business continuity exercise for an organisation of about 90 staff. Their management team had spent months documenting their business continuity plans in four large folders.
When the scenario was worked through, none of the executives followed what was painstakingly documented in their plans. They deviated from their plans.
Their response was simple. They intuitively reacted to the situation presented and found what was documented impractical!
Therefore, the approach I have taken in developing a top-down organisational-wide business continuity strategy, as opposed to bottom-up, silo-based business continuity planning, is to start with what your people would intuitively do in a crisis.
Silo-based business continuity planning only creates volumes of stand-alone plans that do not inter-operate with each other from an organisational-wide perspective. What looks good on paper individually will not translate into a practical whole-of-organisation response to a crisis!
Always start with what your people would do individually and as a team. Trust them to do the right things, especially for the whole organisation. Document their approach as a collective whole, not as individual actions that only focus on their functions.
In one organisation I worked in, multiple business continuity plans pointed to the same alternate location as a backup site. Unfortunately, no one had asked the managers of this backup site whether they were able to accommodate staff from other locations in their offices. Many people assumed that this backup site was able to accommodate five times the number of staff if all staff showed up during a crisis in another location, following their individual business continuity plans!
Identify a practical planning horizon
Even if you were able to write every detail in your business continuity plans, what is your planning horizon? One year, or two weeks?
Are you going to write business continuity plans for one month or one year of an outage?
Planning for a one-year outage is vastly different from planning for a two-day outage. Yet many organisations have written their business continuity plans for much longer outage periods.
Through experience and from surveys, most outages last for 48 hours. So, why not only plan for a two-day outage, rather than anything longer than that?
Why not rely on your internal experts to continue operating beyond the two-day outage?
Granted, you may need to plan for immediate disaster response. But after two days, your team can come together and decide what to do beyond these two days.
As every situation is different, it is very hard to write plans for them. With new technologies and processes being introduced constantly, writing detailed plans will require constant updating and maintenance. This can be problematic when your resources are limited.
Hence, my approach is to develop high-level strategies for the critical two-day period and leave the details to your staff to implement. Rather than identifying the outage's maximum tolerable period of disruption (MTPD) bottom-up, fix your MTPD at two days and only worry about those services and systems that fall within these two days. This is a much simpler yet effective approach.
And finally, your strategies and plans must interoperate with each other
Without having an over-arching organisational-wide business continuity strategy that takes the top-down approach, it is very hard to ensure that all other operational business continuity plans will interoperate with each other.
Plan dependencies and inter-dependencies are hard to manage if your business continuity plans, especially at the operational level, are developed from the bottom up, independently of each other.
Unfortunately, many organisational business continuity plans do not inter-operate with each other. Many are tested in isolation from each other. Many are developed as a compliance exercise without any discussion or consultation – so why bother to develop one in the first place when they do not work?
Note: Patrick’s “Practical ISO22301 Business Continuity Management That Works” Udemy course can be found here – https://bit.ly/3rOxmqm.
As a Chartered Accountant with over 25 years of international risk management and corporate governance experience in the private, not-for-profit, and public sectors, Patrick helps individuals and organizations make better decisions to achieve better results as a corporate and personal trainer and coach at Practicalrisktraining.com.
He is also the co-founder of Skillsand.org, an organisation dedicated to helping people acquire in-demand job skills and preparing them for the future of work. Our goal is to create a convenient learning experience that’s as easy as making any other purchase on Amazon.
Patrick has authored several eBooks including Strategic Risk Management Reimagined: How to Improve Performance and Strategy Execution.