Implementing a company-wide business system is never easy, and business continuity planning is no exception. Ensuring that all the needs of the business are fully understood, its requirements met, and its assumptions validated is no mean feat. Adopting a definite framework for best practice, as specified within the British Standard BS25999-2:2007 business continuity management, may appear to hold all the answers - but is it enough?
In reality, implementing the standard is only part of the process, albeit a vital one if a business continuity management system (BCMS) is to be independently certified. Having worked with a variety of organisations to help them implement a BCMS, I have learnt that there are five fundamental rules that should be followed to ensure its success:
1. Understand the business requirement
It is vital to understand and agree the business requirement for business continuity at an early stage in the process. If this is overlooked or poorly defined considerable effort can be spent developing BCM strategies that then have to be revised as the business need is re-defined.
2. Commit time and effort from across the business
Implementing an effective BCMS requires time, effort and commitment from all parts of an organisation. It’s not just the function of the IT department, and as such all business decision-makers must understand the business need for continuity and be involved in developing meaningful impact analyses, risk assessments and continuity plans.
3. Internal communication is critical
Two aspects of communication are pivotal to success:
- Communicating the progress of the BCMS project in order to gain and maintain engagement; and
- Taking the time to develop a sound BCM communication plan - probably the most important document in any real crisis.
4. The documentation should match the organisation
No two organisations are the same. This is particularly true of BCM where the structure of the documentation needs to match the organisational structure and the business requirements for BCM. Any implementation needs to take into account the individual requirements and peculiarities of the business whilst drawing on best practice and maintaining compliance.
5. Put the plan to the test
Testing or exercising business continuity plans is without doubt the most cost-effective way to ensure that they meet the organisation’s needs. In addition it ensures full engagement from all parts of the organisation and provides the opportunity to ‘shake out’ mistakes or incorrect assumptions allowing the plans to be improved to make sure they are genuinely fit for purpose.
Time spent testing is not time wasted. It also raises awareness of business continuity planning throughout the organisation and provides a valuable training opportunity for the key staff involved in crisis management, business continuity and recovery.
So, by adopting a few simple rules, based on real-life experience when implementing BS 25999, businesses can be confident that they have a genuine plan in the event of a potential disaster and not merely a set of manuals collecting dust on an IT manager’s shelves.