Building A Stronger, More Strategic BCM Program

Tue, 02/18/2014 - 11:01am
Patrick Potter, GRC Strategist, Business Continuity & Audit, RSA

It is critical for the Business Continuity Management (BCM) program to become more strategic across the organization than it has ever been in the past. In days gone by, BCM has typically been a “check the box” compliance activity. However, current trends, including those prompted by the new ISO 22301 resiliency standard, suggest the BCM program must become much more of a strategic enabler and partner.

In light of the many factors that can quickly put an organization in front of the public, regulators and investors, BCM needs to transform itself from a reactive, isolated activity to an integrated, solution-driven team that adds foresight and suggests proactive approaches that create resiliency within the fabric of the organization. This is important for at least two reasons. First, to ensure the organization is better prepared for business disruptions of all types, instead of focusing on recovering from them. Second, and just as important, is increasing the reliance and trust executive management places on the BCM program. As this occurs, the BCM program will be viewed more as a strategic partner, its goals will be included in the organization’s strategic objectives, and a higher priority will be placed on its initiatives, resulting in their being approved and funded. This article discusses ways BCM leaders and programs can begin to make more of an impact.

ESTABLISH THE VISION

The BCM program has a vision, typically of being able to respond effectively to any disruption that comes along, or perhaps of making the organization more resilient. Whatever that vision is, it needs to be formalized and communicated to the rest of the organization, starting with key leaders. Having a vision means more than just a wish list of activities or goals. It is a well thought out view of where your resiliency program needs to be in three to five years as well as the plan to get there. There’s a very important parallel here — your company also has a vision and it’s most likely documented in the form of a strategic plan. Your BCM program vision and plan need to fit together with your company’s strategic plan. The main reason is to ensure your program is in sync with where the company is going and what the company’s chief priorities are.

Let me give you an example. As a consultant, one of the organizations I worked with was a utility company. Every year, the company’s strategic plan included initiatives for BCM. The BCM program’s plans for the year in turn aligned with and supported the company’s strategic plan. Their plans were measured alongside and as a part of the company’s plans, creating great synergies and consistencies. As BCM rises on the radar of most organizations, this scenario becomes more of a reality. Here are a few considerations to help you get there.

First of all, you must understand your company’s vision and plan, and then identify any conflicts or gaps with your BCM program vision and plan. You should also identify components of the company’s plan your BCM program can drive. For example, through your intimate knowledge of a key recovery vendor or supplier and their strengths, you might recommend an alternative use for or relationship with that vendor that might mitigate a risk or drive a revenue opportunity, such as being introduced into a new industry or market. This type of innovative thinking is critical to your success. Proactively highlight and then demonstrate how your goals are aligned with the company’s goals, not just as they are confined by BCM, but as they relate to it.


As the graphic shows, communication is also very critical. In establishing your program vision and plan, you will need to vet the plan with others outside of your program. As you do, it’s important to understand that you will be speaking with (and “selling to”) people with less knowledge, background and interest in BCM and resiliency. It’s important to them too — they just may not know it yet! So, you have to lead them (and the company) down the path to your strategic plan and vision.

Finally, there are important considerations that include understanding your audience and their maturity level in regards to BCM and your vision. What education needs to occur to help them? Who are the key participants that can help you sell your message? What are the obstacles in the way of achieving your plan? What are the steps you need to take month by month and year by year? These are all key considerations in establishing and executing on your strategic plan.

FOCUS ON KEY RISKS & REWARDS

As part of your day-to-day activities, your BCM program is identifying, evaluating and managing risk. However, you must ensure that you focus on key risks that are most important to the company — not just BCM. This seems obvious but is becoming more critical than ever because of drivers including ISO 22301, business objectives, regulators and others that call for organizational resilience versus recovery. There will always be a place for recovery, but building a resilient company means so much more. A key to developing resiliency includes understanding the business levers and risks that impact them. It’s also important to know that management may be focused on risks you are not. Recalling the importance of alignment of vision and plans — it is as important to focus on the same risks that management is most concerned about as it is to focus on the concerns of the BCM program. Granted, the BCM program may not care as much about areas like liquidity risk or fraud risk, but if these are top of the list for management, the BCM program needs to determine how, within its purview, it can help.

In your analysis of key risks, you also need to consider concepts such as risk/reward, Return on Investment (ROI) and business innovation.

Let me give you a scenario that may stir some thought. To mitigate a certain risk, a company may develop an arrangement with an outsourced provider to serve as a backup or alternate. What is the ROI on this investment? What’s the payback period? Or, does this new partner, with its resources, workforce or market knowledge offer new opportunities to expand our business, enter new markets, or drive better recovery alternatives?  Asking and answering these types of questions is critical to demonstrating to management that the BCM program understands the business and what’s important to management.

BE A PARTNER

The evolving role of BCM programs means better understanding where they fit into the changing organizational ecosystem and the role they play. No one operates in a vacuum any longer, especially BCM programs in this new world of resiliency and the related visibility BCM programs are gaining. The question now becomes, what other functions inside your company should your BCM program be working with or at least aware of? A great example is other “risk management” groups in your company. Your BCM program is a risk management activity, but others are also assessing, evaluating and managing risks. For example, functions such as Operational Risk, Enterprise Risk, Internal Audit, Fraud, Financial Control and other risk groups may have critical information for your program to understand and use. This knowledge may give you insights into where you could embed a recovery measure to mitigate a risk that equates to building resiliency into that process. For example, Internal Audit may have identified a finding as part of an audit that highlights a gap that a resiliency or recovery strategy may address.

Another important function to be aware of and be involved with is “process improvement or reengineering,” sometimes performed using Six Sigma. These groups are typically involved in driving savings throughout the company by reengineering internal processes, reorganizations, IT demand management and other related activities. It is important to know who they are and what their focus is.  These are positive initiatives, but their activities could significantly impact your BCM vision, plans, activities and program. It’s critical to understand how their goals and activities might conflict or complement what your BCM program is trying to accomplish. Once understood, determine how your BCM program can leverage these activities to further your goals to build resiliency into the organization.

There are many other functions that could either inhibit or enable your BCM vision and plan. The point is to venture out, find these groups and understand their charter, and determine how to work together and not only leverage them but help them achieve their objectives as well.

It’s critical to become a vital piece in your company’s puzzle and you don’t do that by being secluded or hard to work with when those opportunities present themselves. A final note is to focus on your strengths because other groups, like yours, are looking for experts to leverage and learn from that also help them accomplish their goals.

LOOK FORWARD TO DRIVE RESILIENCY

We’ve discussed some strategic topics today that BCM programs need to consider. To tie the concepts together, a wise person once said, “Learn from the past but look to the future.” Company leaders, boards of directors and others at the helm face more and increasingly difficult challenges. They need the insight from specialist advisors, such as your BCM program, to help them understand the risks and uncover the potential rewards. Today’s business environment demands efficiency, thus the need to understand how your BCM program fits into and helps drive the strategic vision of the organization. 

BCM programs have a primary role to strengthen the resiliency of the organization through a combination of building proactive measures and reactive recovery capabilities. Driving resiliency into the fabric of a company occurs by implementing processes and measures, by communicating and training, by measuring and managing, and by improving in increments.

 
