How to Assess the Maturity and Effectiveness of your Business Continuity Plan
, Partner, Consulting ServicesEmily Hayes
During disruptions in finance and operations, business continuity planning can provide organizations with the resources and framework to mitigate negative impacts on normal operations. Also known as BC planning or BCP, business continuity planning can help companies continue to fulfill their key objectives.
To remain prepared for these inevitable disruptive events, regularly assess the current maturity of your BCP program.
What Does Business Continuity Planning Include?
The six core BCP components include:
- Program governance
- Business impact analysis
- Threat and risk assessment
- Resilience and recovery strategy development
- Business continuity plan documentation
- Training and testing
To prepare for an assessment of your program, ideally you should already have a BCP in place. Note that business continuity planning is a distinct discipline from disaster recovery planning.
What’s the Difference Between Business Continuity Planning and Disaster Recovery Planning?
BCP consists of a predefined framework for how an organization will continue to function when coping with and recovering from an emergency or other negative event that disrupts normal operations.
Disaster recovery planning, on the other hand, results in a predefined approach for restoring an organization’s information systems to full functionality after a system failure or compromise, while minimizing impact.
How Do You Assess Business Continuity Program Maturity?
Assess the maturity level of the core components of your BCP program using a framework grounded in a capability maturity model (CMM). This model can help evaluate an organization against a scale of maturity levels specific to the assessed subject area, primarily based on the degree of standardization of those processes.
It helps leadership identify the desired maturity level for the organization, then review and consider recommendations to increase maturity.
Following are ways to assess the six core components of your organization’s business continuity planning program.
How Do You Assess Program Governance as Part of your Business Continuity Planning?
A successful business continuity planning program has the active support and engagement of executive leadership as well as stakeholders across key business functions.
Responsibility resides with the highest level of management to demonstrate a commitment to business continuity planning efforts, which should be an iterative, multidisciplinary process that engages everyone in the organization.
- Do you have the formal elements of a business continuity planning program in place, such as a program charter that establishes its governance structure?
- Have you identified, approved, and documented the program’s key leadership positions, including executive sponsor and program management?
- What measures are in place to ensure program ownership and support organization-wide visibility and accountability?
- Have you adequately funded and appropriately staffed your program?
You should clearly define, document, and understand roles and responsibilities across the organization, especially since continuity planning activities are scheduled alongside and incorporated into other strategic and operational planning.
Senior leadership plays an active role by providing regular status updates across the organization, resourcing the program appropriately with dedicated budget and staff, and prioritizing the time set aside for participating in exercises and trainings.
How Do You Assess Business Impact Analysis as Part of Your Business Continuity Planning?
Business continuity planning requires many complex activities with different sets of specialized knowledge about varying parts of the organization. While many functions play critical roles in day-to-day operations, not every activity is tied to the delivery of your organization’s core services or to keeping the doors open.
A business impact analysis (BIA) can help identify essential functions enterprise-wide and within each major department.
What Information Does a Business Impact Analysis Capture?
An effective BIA activity should result in you identifying the following information:
- Essential functions and operations across the organization
- Necessary resources—such as people, processes, and systems—to perform each critical function
- Potential areas of impact a disruption would create and corresponding levels of severity
- Desired recovery timeline for each function
The BIA exercise should include a process to discuss and decide how to measure harm and impact across multiple categories. Disruptions typically impact three major areas for most organizations: property, operations, and people.
All of these can have significant financial, reputational, and compliance implications, both directly and indirectly, and you should assess them in terms of highest areas of risk exposure and severity of impact.
For an essential function like processing payroll to pay employees, the BIA activity would identify the inputs, for example, instructions to employees on how to track their time. You should then capture system dependencies such as the timekeeping system, review and approval process, financial system, and the ACH and check-printing process.
Your organization also should know who participates along the way and what they do to keep the process moving.
Then, consider the impact of a disruption, ideally across multiple timeframes such as a day, week, or month. Identify any critical time periods; for example, assess the impact a disruption could have on sending tax statements, a crucial event on its own.
How Do You Assess Threat and Risk Assessment as Part of Business Continuity Planning?
Once you identify and understand essential functions, conduct a threat and risk assessment focused on the impact of disruptions to assess chief vulnerabilities of your revenue and operations.
Instead of trying to identify every single possible threat scenario, consider the severity of the impact if resources become unavailable for the long term. You should attempt to quantify the impact of these risks as much as possible, both in terms of financial effect and time. For example, if the payroll process slows, you may require a measurable amount of rework to manually enter timecard information that was tracked outside of the normal process.
You can quantify this rework both as a delay in time, for example two days, and as a cost in employee hours: the cost per hour per employee to redo the work or manually enter information.
Take time to remember that many of these areas aren’t isolated; there's typically overlap within an organization’s framework.
- What primary threats to your organizational resources will most likely disrupt essential functions?
- What forms can these threats take that could negatively impact your essential functions?
- How do you prioritize each essential function based on the risk assessment?
- Where do you need to focus your attention and energy on developing resilience and recovery strategies?
An effective business continuity program engages department and functional leaders in the threat and risk assessment process. Their participation provides vital input to the risk assessment process, and the combined results help document the operational landscape of the organization.
Continuing the example of payroll, the threats to this essential function are broader than simply the technology systems used during the process.
Other risks often include problems with vendors, such as the financial institution that processes ACH, or supply chain breakdowns—such as an unfixable or unreplaceable broken check printer. Additionally, regulatory or legal changes that could negatively impact the payroll process always remain a risk.
How Do You Assess Resilience and Recovery Strategy Development as Part of Business Continuity Planning?
An effective business continuity program should leverage the results of the BIA and threat assessment to develop and document resilience and recovery strategies. An emergency can impact every area of operations, from productivity to core financial transactions.
An effective business continuity program should include a process to analyze the organization’s financial position—in terms of liquidity, revenue forecasts, investments, and availability of financing—to quantify the minimum cash requirements which can sustain operations for a defined period.
Determine the priorities for cash and payments, and consider the necessary financial transactions in unusual circumstances. For example, emergencies often heavily impact purchasing, affecting both purchasers and their products.
Establishing clear strategies and procedures for controlling costs, reporting information to appropriate groups, and budgeting for and tracking expenditures during a large-scale disruption can have a significant impact on the likelihood of the organization emerging on a positive track.
- Who gets paid to keep the lights on?
- What potential mitigation efforts might reduce or eliminate the risks or similar consequences?
- What effective recovery strategies best meet your recovery timelines?
For example, if you expect a severe disruption to utilities, assess if a backup generator could mitigate the risks power loss poses; the value of preventing a disruption may significantly outweigh the initial cost of an investment.
If you have key supply chain dependencies for critical equipment and supplies, investigate ways to diversify your sources in the event of vendor disruption. This is also when to review your insurance coverage and determine if you have the appropriate coverage for your greatest areas of risk.
How Do You Assess Documentation as Part of Business Continuity Planning?
Business continuity plans should be understandable, actionable, testable, and maintained on a regular schedule. An effective plan should include action steps or flexible alternatives based on different emergency scenarios.
Best practice encourages senior leadership, at any size organization, to periodically engage in a high-level discussion to confirm the alignment of the BCP with business priorities and each person’s assumptions.
There’s a common misconception that employees will know what to do in the event of an emergency; but in a crisis, there’s no business as usual. An emergency’s impact on staff, board members, and leadership can be far-reaching and unpredictable.
With organizations struggling to redefine normal operations following the COVID-19 pandemic, effective continuity planning and risk mitigation efforts are more important than ever.
Documentation should be easy to understand with clear and simple information to detail activities, staff, sequence, and locations.
You can establish payroll activity protocols about who handles different functions, as well as their trained backup.
How Do You Assess Training and Testing as Part of Your Business Continuity Planning?
To keep BCPs current and executable, consider training and testing exercises, which are commonly believed to be the most effective solution. Exercises come in many types and may focus on parts of the plan or on its entirety.
You should perform several aspects of a training program at regular intervals to identify areas for improvement and areas of strength, allowing the leadership to better prioritize and address continuity needs and gaps. The following exercises can add value to the company and simultaneously serve as training opportunities.
Training and Testing Exercises
- Plan review workshops
- Focused drills on one specific scenario and recovery procedure
- Discussion-based tabletop exercises
- Cross-functional training and testing involving the activation of all personnel and teams identified in the BCP
Cross-functional training and testing exercises can break down organizational silos while streamlining the process of keeping the plans and documents up to date.
These sessions can increase dialog between leadership and functional teams, speed the identification of emerging issues, and strengthen the overall effectiveness of the program.
Your program defines and documents the training schedule and dedicates resources for covering educational advancement for program managers, as well as for conducting training exercises of the right size and scale.
Influence of COVID-19 on Business Continuity Plans
The COVID-19 pandemic presented a unique suite of compounding challenges to organizations across all sectors and industries, presenting novel stresses and pressures on information technology, operations, customer service, and supply chain functions.
The related disruption demonstrated the value of having an effective business continuity plan in place to limit the impact of negative events and mitigate the risks to essential functions and services.
Plentiful real-world opportunities allowed all kinds of organizations to assess, respond to, and manage myriad challenges.
We’re Here to Help
To learn more about how to initiate a business continuity plan or next steps, contact your Moss Adams professional.