For many businesses, right-sizing their Business Continuity (BC) is near impossible to get right. Many organisations diligently allocate budget to BC, but most of the time these resources are under allocated, misunderstood or charged to the wrong person to carry out.
In my opinion, businesses usually:
- Under-protect all areas of their business, as they aren’t sure exactly what they are protecting;
- Under-allocate enough time and/or resources to discovering the full extent of what needs to be protected, or planned for;
- Over-protect IT due to overzealous technology vendors; and
- Incorrectly focus on desired capability instead of impact to be avoided.
Technically, right-sizing is not achievable when organisations don’t invest enough time, money or capability to get it right.
Time – It takes quality-time to understand the magnitude of loss over time as a result of operational disruption. Rather than considering the impact to the organisation if products or services are disrupted, organisations only allocate enough time to guesstimate the impact if the technology failed. That then drives the Information Technology Disaster Recovery (ITDR) plan. This is a problem because business continuity becomes technology-driven instead of business-driven. Many organisations limit their planning to IT because it is conceptually easier and conceptually obvious.
Having invested in ITDR doesn’t mean that the remaining resources of the business (such as skilled staff, machinery, facilities, etc.) should be unheeded. Right-sizing your business capability means covering off all your resources and potential disruption causes.
Money – Financial allocations for BC set by Executive Management may not reflect a true understanding of the magnitude of impact when business activities stop for a period of time. The challenge is that Executive Management tend to be driven from the Risk Assessment point of view – one that requires them to consider various threat scenarios and the likelihood (or probability) of those threats striking. This type of thinking is risky because it is limited by the assessor’s experience in knowing all the threats and assumes likelihood is a precise science. This falsely reinforces their belief system that it won’t happen to them and they don’t need to spend much on BCM. So, do they recognise the long-term damage restricting budgets will have on adequately preparing their business to respond to disruption? No, they don’t! One of the biggest mistakes Executive Management make is to deprive proper planning of business continuity. Should something go wrong, many businesses never recover.
Capability – Equally as important are the capabilities of the team or person tasked with managing your BC process. The person or team should be very clear about BCM philosophies including the All Hazards Approach and when to separate this from Risk Management. They need to be experienced and capable of undertaking a defensible Business Impact Analysis (BIA) and tag each business activity with a Recovery Time Objective (RTO); identify critical resources; and be able to assess the actual time taken to restore each critical resource. Without a thorough understanding of the scale of business continuity planning, businesses rarely get the accuracy of right-sizing correct.
Right-sizing your business continuity capability is a juggling act between allocating enough resources to plan, to respond and recover effectively when your business is struck by disaster.
Do you have adequate, time, money and resources reserved for your BC planning?
At Linus we are wholly committed to making it as easy as possible for you to right-size the BC investment of your organisation. If you’re curious about how you can ensure your organised BC investment is right-sized, click here to learn how our award-winning Linus Revive software can make this possible.