Every organization faces risks – and some of those risks may result in disruptions or other ‘incidents’. An effective response to an incident requires many things. We’ve combined them into a 5-part “Incident Horizon”: Planning, Preparedness, Initial Response, Planned Response and Extended Response. In this blog we look at the composition of one of those phases of the Incident Horizon.
You’ve done the analyses, gathered the intelligence and used that output to create actionable, viable Business Continuity and Disaster Recovery plans. You heave a sigh of relief, put the 3-ring binder on the shelf and enjoy the knowledge that your organization is ready. After all, you’ve got a Plan; and a solid Plan at that.
We should all recognize that this is not where Business Continuity Management ends. At a surprising number of organizations though, it does. Recent studies have shown that the majority of businesses don’t test their BC and DR plans. Plan tests and exercises aren’t goals in themselves either; they are part of elevating the Preparedness level of the organization – of constantly improving Incident Readiness.
Create BCM “muscle memory”
Athletes and craftsmen practice repeatedly to improve their performance. An organization should apply the same approach to Business Continuity Management.
If we expect employees to act and react according to a Plan, those employees first need to be made aware of the Plan. But true awareness starts even sooner. The entire organization needs to understand that BCM is important, and (at least in a broad sense) what the organization plans to do if day-to-day operations are disrupted for any reason.
Even those with no role in executing a Plan should understand what to expect – even if that means staying home and waiting for a notification to return to their work location.
Every Plan should be exercised. Response and Recovery Teams – as well as Incident Commanders and Crisis Managers – need to rehearse their roles under a variety of simulated circumstances. They need to build the ‘muscle memory’ that will allow them to react and act effectively – whatever the real-life disruption.
Only through Awareness and Training (simulations, exercises and tests) can an organization’s people attain the level of Preparedness that an Incident Ready organization requires.
Know When to Act
Not all business disruptions are predictable. But those which aren’t don’t have to come as a complete surprise. Diligent and methodical tracking of Threats (physical, operational, meteorological, technological, human, etc.) will raise awareness of potential disruptions.
Keeping an eye on external factors – Situational Awareness – will assure that the organization is never blind-sided by something it should have anticipated, but never saw coming. Security, Facilities, Risk Management, HR – many parts of the organization can play a role in maintaining Situational Awareness – but the effort must be centrally coordinated to be effective.
Determine How to Act
Once a disruptive event occurs, there must be a predetermined means of analysis, decision-making and escalation (if the event requires more than monitoring). Without a Plan to analyze the impacts of an event, decisions regarding disaster declaration or Business Continuity Plan implementation will not be smooth. And when normal business operations are disrupted, time is the organization’s most precious commodity.
Determining the next step shouldn’t be a haphazard decision. Those protocols should be planned and the players trained to assume their decision-making roles.
Be Ready to take the first Action
All the Planning and Preparedness in the world won’t produce much good unless the organization is able to alert its key decision makers and responder teams when something adverse happens. That should be obvious, but a surprising number of organizations still maintain manual Call Trees (and most update them annually – at best). That high-performance vehicle in your garage may be powerful – but it’s just a hunk of metal unless the engine starts.
Preparedness is the second step on the path to Incident Readiness – but a crucial one if the organization is going to be able to react, respond and recover from potential disruptions of its day-to-day operations.
About the Author
eBRP Thoughts, eBRP’s Blog voice, represents 50+ years of cumulative BCM knowledge gained through experience in corporate BCM program management, consulting & program implementations. We've worked hand-in-hand with governments and private enterprises to develop viable BCM programs. eBRP is an active participant on LinkedIn and Twitter. The opinions expressed in our eBRP.net blog are ours and are intended to engage resiliency planners in conversations about the BCM industry, its standards and its future.