July 19, 2018

The BCP Evolution: From Dusty Documents to Real Resiliency

Glenn Jones

A few years ago, I was assigned responsibility for maturing a business continuity program (BCP). During the program’s creation, I had the opportunity to meet a number of business continuity leaders, many of whom had developed world-class systems for business continuity management.

As part of the discovery process for my program, I asked many questions, some of which were similar to those listed below, and addressed the very basics of the BCP discipline:

  • What were the first steps taken in your organization’s business continuity journey?
  • What key items did you classify as “must-haves” in the program?
  • What standard did you establish as the basis for your program?
Of course, there were many more questions besides these and indeed, I received a wealth of input from various silos across a large number of companies.  Certainly, it was enough to highlight the many considerations for establishing an organizational BCP-expansion roadmap.

Open in Case of Emergency

My research revealed that many companies started with very similar stories. They tended to adopt an internal focus, looking primarily at their corporate office. They channeled their energy into creating documents that would address customer inquiries and fulfill ISO or other regulatory requirements.

This practice of documenting continuity plans was then expanded to include manufacturing plants. At the end of the “exercise,” the company could, if nothing else, state equivocally that they had business continuity plans in place, should anyone ask the question.

Once compiled, the documents would typically be placed in binders and put on a shelf, to await the day when they might be needed. It’s not unlike the way we might stow a fire extinguisher behind a glass door. In fact, all it would take to complete the similarity, would be a notice on the binder saying, “Open in case of emergency.” Of course, this scenario was typical back then, when few companies had mature BCPs and many had not even begun to formulate the first vestiges of a program.

The BCP Takes on a New Lease of Life

Fortunately—given the globalization of business and the ever-increasing range of variables to be accounted for—the documents in binders are now but relics of simpler times. Still, progress has not come courtesy of a quantum leap, but rather an evolutionary period, during which plenty of organizations had to encounter disruptions as harbingers of a cold, hard truth—that business continuity means more than retrieving a dusty binder in times of crisis.

As programs matured, some organizations took an evolutionary step forward, realizing that although BCP documents are better than nothing, they become more meaningful and effective when regularly reviewed and updated. The awareness also dawned that a BCP is worth more when it has a purpose beyond reinforcing a positive answer to the question “Do you have a business continuity plan?”

Programs Become Proactive

Over time, more companies began to see their business continuity documentation as something that should be reviewed whenever processes change, or better still, following simulation of the scenarios they are designed to cover.

Others eventually sensed that a more proactive approach would help them identify future planning needs that extend beyond manufacturing, into the logistics and procurement elements of their supply chain. Again though, inertia often existed and it typically took a disaster or failure somewhere in the supply chain to drive BCP initiatives forward.

Fast Forward to 2018

The BCP concept has evolved considerably since the time when my story began. It is no longer (and to be perfectly honest, never had been) enough to simply prepare a document for internal use only and place it in a cabinet like an ornament.

Companies began to develop policies providing guidance for business continuity across multiple sites. Then they began to identify vulnerabilities and gaps in areas outside of their direct control. While the application of BCP to critical processes—and its extension to include internally managed supply chain functions—was by now considered best practice, it became clear that to be effective, it must also extend to suppliers and supply chain partners.

After all, a business continuity program should protect the sustainability and reputation of the company, which it can only do if it encompasses the extended supply chain. So why wouldn’t companies include their most critical partners (suppliers) as a part of the plan?

The answer is partly because of the tendency to assign small groups to the management of risk-driven initiatives, and these little enclaves are seldom rich in time and resources. Moreover, risk management and BCP are often a mere subset of a team’s total collection of roles and responsibilities.

A Big Ask for a Small Team

For a small, under-resourced team of professionals, in which each member has a day job to take care of, BCP expansion can be challenging, and perhaps even a bit overwhelming. There is only so much that a small team can manage, and the tasks required for expansion need support from the wider organization. For example, BCP imperatives include…

  • The development of governance models;
  • Expansion of policies across the organization;
  • Coordination between multiple groups both within the company and externally

As if the internal challenges are not enough, these small management teams can struggle to identify and mitigate the full range of possible supply chain failures, let alone review what may amount to hundreds or even thousands of suppliers.

Even if they can review a subset of their suppliers, critical dependencies doubtless exist within the other supply chain tiers, and without sufficient resources to identify them, they remain unknown until an incident thrusts them into the limelight—and it’s almost always a lack of resource rather than resolve that prevents an appropriate level of diligence.

For instance, homegrown tools and the ubiquitous Excel spreadsheet abound in corporate business continuity programs. Dedicated project teams struggle to review suppliers and record results with these woefully inadequate and unscalable solutions. The inefficient processes necessitated by these half measures serve only to compound the effort required for review activity.

For a Better BCP, Say Sayonara to Spreadsheets

As a technologist who loves to improve efficiencies, I have never been able to resist steering business-continuity discussions in a way that helps me understand the systems that companies use and the processes that those systems support. It never fails to surprise me that despite advances in business continuity technology, companies all too often neglect to evaluate solution options before embarking on their BCP journey.

When a fitting, scalable system is implemented to aid planning, an organization can get the very best from experienced business continuity practitioners, leveraging their expertise to develop effective governance models and policies, and to accelerate program expansion.

With the technology available today, no company needs to create a binder full of documents or struggle along with unwieldy spreadsheets. A well-evaluated and carefully chosen BCP management platform can be the difference between a program that is ineffective, and one that ensures resiliency not just throughout the company, but also across the entire network of partners and suppliers upon which its success depends.

Topics: business continuity, resiliency