This blog article talks about a step in the Business Continuity Planning (BCP) Methodology that I think is missing – and, I happen to think it is a pretty important step.
One of the greatest challenges in the BCP methodology is in establishing the program’s recovery objectives. Whether you label them as Maximum Acceptable Downtime (MAD); Recovery Time and Recovery Point Objectives (RTO & RPO); or some other creative acronym unique to your process, these program benchmarks are usually arrived at through a Business Impact Analysis (BIA) process or, at least, through some survey/interview with business managers and subject matter experts to establish what the critical business processes are; within what timeframes they must be recovered; and what resources must be available in certain timeframes to enable our continuity or recovery of those processes. Does this sound familiar? Am I right, so far?
But – you knew there was going to be a but – to achieve what end? I mean, we do a great job defining business continuity objectives, but do we do so against established business objectives?
I always thought that the savvy business manager, when asked to complete a BIA questionnaire, would ask the question, “What is Senior Management expecting me to achieve during the business interruption period?” Sometimes, I think, we get close. Many times I hear business continuity planning professionals say that the objective is to “survive” the disaster or “keep the company solvent”. But do we ever define what that means – in business objective terms?
So, forget about operating in disaster situations for a second. Just think about business-as-usual objectives. Most every company and most every department within each company has established business or performance objectives. There are defined revenue targets, income objectives, margin targets, production objectives, etc. There is an expected number of widgets to produce per week; sales targets; number of calls handled per hour; items sold; and so on and so on.
What I would want to know, if I were the business manager being asked what my critical processes are and how long we can go without performing those processes, is: What adjustments are being made to my performance objectives during this incident you are asking me to plan for? Am I expected to still achieve my revenue target, sales target, income target, margin targets? Am I still being measured against growth? How many widgets per day am I expected to still crank out? If you can tell me what my management is expecting me to produce during this contingency period, I can then tell you what I need to do, when I need to do it and what I need to get it done.
Seems to me, we miss that step. We make middle management guess at what our business targets are. And, furthermore, we never ensure that their guesses are consistent with one another. Each individual manager who completes the BIA makes their own assumptions about what the overall business objectives are during a business interruption event. Seems a bit risky to me.
I understand why and how this happens. It is primarily because middle management is more accessible in our planning process. It is much easier to include middle management in the planning process, feed them the BIA questions and get them to assign MADs, RTOs and RPOs than it is to include Senior Management in the process. But – there’s that damn word again – how can we really define viable business continuity objectives if we don’t first know our business objectives during the time of an event?
I wonder what would happen if we tried? I wonder … what if you posed that question to upper management? What if we added that step in our BCP Methodology: Define adjusted business objectives that must be achieved during a serious business interruption event. IN BUSINESS TERMS – not in BCP terms. Interesting.
Anyway, just a thought. What do you think?