How to start a business continuity program

So you've been asked to formalize a business continuity program. Here are 9 tips from the experts.

Sometimes you pull the short straw.

That's how one CSO felt when his former employer asked him to create a formal business continuity (BC) program a few years ago.

"It's hard, right?" says the CSO, who worked for a technology company at the time and asked to remain anonymous. "Any division could fall down, plants could fall down. Some divisions were good and some weren't. The top brass cared about the 20 percent that made 80 percent of the money and making sure that would continue if something happened."

One division in particular that kept him up at night was the company's 10,000-employee Philippine operations. As the CSO saw it, this locale was highly vulnerable to at least four different kinds of potential disruptions: volcanoes, earthquakes, tsunamis and political unrest. And that's just for starters—it's ignoring the frequent outages and supply interruptions that characterize business in any less-developed country.

This CSO quickly realized that the heart of business continuity is ensuring that the company can keep making money after a disaster. So he identified the functions critical to that ability and planned out how to keep them going after a spectrum of possible interruptions. Then he did something that many might envy: He handed off the business continuity function to a talented underling.

If you can't do what he did—offload the task entirely—you can at least benefit from the lessons learned by those who've been in the BC trenches. Business continuity is a broad discipline, encompassing both disaster recovery for data and the activities that ensure business will carry on (or be restored quickly) in the case of an adverse or catastrophic event. Therefore, BC cuts across divisions and incorporates people, processes and technology.

Keep in mind that virtually every company approaches business continuity differently, so any one lesson may not apply to you. Still, it's worthwhile to examine the common mistakes, erroneous mind-sets and instructive anecdotes of those who have already wrestled with formulating a business continuity program.

Here are the top nine BC lessons from CSOs and experts:

Lesson 1: Business continuity is its own discipline; treat it that way.

Companies commonly view business continuity as synonymous with another discipline, which is one reason this task not infrequently gets dropped on security leaders. But this is a mistake, because this kind of thinking leads to inadequate planning, according to Denis Goulet, a certified BC consultant and trainer and a principal at ContinuityLink. "Business continuity is not security, it's not emergency management, it's not risk management," says Goulet.

In fact, professionals can earn a growing number of business continuity certifications from organizations including DRI International, BCM Institute, Business Continuity Institute, Business Resilience Certification Consortium International, the Institute for Business Continuity Training and the National Institute for Business Continuity Management.

To distinguish between business continuity and risk management, think of risk management as identifying the probability or cause of an adverse event and business continuity as considering the impact of the event, Goulet says. "We're interested in business interruption—the ability to do business is not there anymore—so what will it take to get back up and running so you don't lose your reputation, customers or revenue?"

Put another way, business continuity takes over where risk management leaves off, Goulet says. So, let's say you assume under risk management that the probability of an earthquake leveling your Manhattan office building is near zero. Under risk management, then, you decide not to spend the money it would take to put in place another office location as backup. Business continuity says, "The worst has happened, despite its low probability; now what are we going to do about it?" And the solution there could be something as simple as having employees work at home.

"There is always residual risk left over from risk management," says Goulet. BC steps in to fill that gap.

Lesson 2: The process is collaborative, but ultimately the CEO owns it.

One problematic mind-set that many companies cling to is that the CSO can be the owner of business continuity planning and testing. The fact is, BC is by its nature a collaborative effort, and the CEO is its ultimate owner.

"As a practical matter, it's a variety of disciplines—IT, security, HR, line of business—that can be tasked with creating a formal BC program," says Edward Brown, president and CEO of BC consultancy KetchConsulting.

The CEO heads the business; therefore, it is his or her duty to ensure it will continue, come what may. Working on BC planning with senior management underlines its importance to the organization, says Goulet.

"I've trained people who were more technical, less technical, more senior, less senior. There is no predefined path. Business continuity has grown out of different places in the company, for better or worse," he says.

The key things to remember: Get iron-clad executive support and collaborate with other departments.

Lesson 3: Be thorough in your business impact analysis.

Veterans of business continuity planning have learned the hard way that the cornerstone of BC planning (and therefore one of the first things that needs to be done when formalizing a BC program) is a business impact analysis (BIA).

In this exercise, you sit down with a cross-disciplinary team, examine everything your company does, and identify your critical business activities. The essential question is: How much time could this function be suspended for before we would go out of business?

"Some functions can stop for one week, some for one hour, some for one month," says Goulet. From there, you will define a solution (which may be both technical and non-technical) that will restart the function within the period you've decided on. That is called your recovery-time objective, or RTO. A business impact analysis will identify the RTO for each business function in your organization.

Sometimes the results of the BIA can be surprising. For example, a whiskey maker's most critical function might turn out to be distribution, ensuring the product gets onto store shelves, as opposed to production, which could cease for quite a long time before the customers or marketplace would know anything was wrong.

The key lesson here is not to try to take a shortcut through the process. Many executives think they have a gut feeling for what is most important without examining everything. That's not right, says Goulet. "You don't start by identifying the top three activities with senior management. You might leave out essential parts of the business that are not easily visible from the top."

For example, you might think that sales would be one of the most critical functions at any company, since no one can survive without selling things. But it turns out that's probably not the case, at least from a business continuity standpoint. "The sales force gets the money in. They create growth by selling to new customers. One thing you don't want to deal with [immediately] after a disaster is a new customer. For a while, you want to focus on keeping the existing customers instead," says Goulet.

Lesson 4: Focus on business value, not assets or functions.

Karen Avery's perspective on business continuity has changed quite a bit since her time as CISO for GE Capital. At the time, she made decisions based on what it would take to keep a particular asset (like a building) or function (like accounting) up and running. Now, as managing director at consultancy Marsh Business Resiliency Solutions, she takes a value-based approach to determining BC priorities. With the old approach, she would start her planning by looking at a building or technology asset or a function in, for example, marketing or finance. But it's much more effective, she says, to start with how the organization creates value in the marketplace.

"Go from a revenue perspective, and then look at the value chains that support that revenue. The functions will align to it, helping you quickly identify vulnerability throughout the value chain," Avery says.

Lesson 5: Don't go it alone.

Dennis Dayman can sum up the best lesson he has learned about business continuity in one sentence: Self-assessments are worthless. As part of his company's annual review of its BC plans, he often had the uncomfortable feeling that the company was missing something.

"No one wants to talk about their own faults and vulnerabilities," says Dayman, CSO of Eloqua, a software-as-a-service vendor.

"Now we have a third party, TRUSTe, come in and say what we missed." As a volunteer firefighter who responds to dozens of emergency calls in his town every year, Dayman knows all too well that disasters happen and can ruin companies—not to mention lives. As he learned, the best way to avoid myopia in your BC planning is to get third parties involved.

Lesson 6: Beware the ROI trap.

Another commonly held belief is that business continuity is an investment like any other and can be cost-justified just like all other investments. But Goulet argues that enterprises need to let go of this damaging idea. BC should be viewed as an expense and a cost of doing business.

In his view, that is one glaring distinction between BC and its sister discipline, risk management, which mitigates risk based on the cost of the solution in light of the probable damage. Risk management weighs those choices, while business continuity says, "We know it's remote, but we need to plan for the worst-case scenario."

"ROI is a trap," says Goulet. "Everyone struggles to find something to say to the finance people, but that's a trap. Business continuity is part of the cost of doing business. We won't throw millions at this if we don't have to, but if we have to, we will."

But BC is not about unlimited spending on an unlikely outcome. It is about spending whatever is necessary—and only what is necessary—to allow the company to survive after an adverse event. "If you want a cheap solution, don't do anything," Goulet says.

Ignoring ROI can be a hard pill to swallow for management, especially if they're rooted in the risk management world, where everything is probability- and return-based. If you are stuck with this mind-set, Avery advises that you use modeling to quantify the value of the function. "Companies get stuck because they go through a process, and they have all these solutions at all these price points and they can't justify the investment," she says.

"If you take the value-based approach and embed some analytics, you can model the exposure versus the return on risk investment. Then you can justify the expense to your CEO." First, though, do your best to convince management that BC is a cost of doing business.

Lesson 7: Build in some flexibility.

While it makes sense to standardize BC plans as much as possible, it's just as important to allow for some flexibility for local distinctions, according to John South, CSO for Heartland Payment Systems.

"We look at business continuity as a distributed function, with responsibilities shared by regional operations managers," he says. Heartland issues a standard format for business continuity that it expects all its assorted business units to adopt when developing their business continuity plans, but it knows that those units also need the flexibility to define their plans within the parameters of their local operation, South explains.

To give one example, when a local operation owns its own facilities, it might be facing a different set of BC concerns than a unit that leases its building, even though they're part of the same company.

Lesson 8: Show clients your plans.

CSOs must realize that business continuity is expanding beyond the four walls of the enterprise. Increasingly, clients and supply chain partners want to know about your business continuity plans.

This makes sense, as a company is only as strong as the weakest link in its supply chain. Exchanging BC plans is becoming part of doing business and can make a competitive difference.

Becker and Poliakoff, a law firm, has over a dozen offices in Florida and several more in other states, plus one in Europe. Ari Solomon, director of IT, finds that clients can help with BC planning by delineating their priorities. "They want to know how they will get in touch with the attorneys if there is an outage," he says. In a disaster, "they really don't care so much about getting documents out, as long as they can communicate with their attorney."

And given that the firm's main office is located in southern Florida, outages are not uncommon. "What other people call a disaster event, I call a weekday," Solomon says. "Hurricanes always come here; it's like we're just sitting here waiting for them to happen. I don't plan for disaster, I plan for the normal reality of life."

Lesson 9: Make sure everyone knows what to do.

A quick, no-cost way of determining whether your business continuity discussions are gaining traction is to have someone ask your CEO where employees would go if their office were reduced to rubble.

"If they say, 'I would probably work from home,' that's a bad sign," says Brown. "You need to say, 'According to my plan, everyone would work from home.' If they say 'probably' or 'maybe,' it isn't written down, and it doesn't exist."

Maybe you have not yet been asked to head up business continuity planning, but once you've gotten the call, it's imperative to have a foundation in place to do a creditable job. Your company's future may be at stake.

Copyright © 2012 IDG Communications, Inc.
