How Software is Addressing the Continual Evolution of Business Continuity

Dec 7, 2021
Danya Strait

Whether you’re preparing for winter weather impacts, pandemic response, or any other interruption to business as usual, remember that it all starts with a solid plan. When building your business continuity plan, take note of the different resources you’ll require to continue serving your customers and keep the business running, including technology like business continuity management software.

Examples of these resources include internet connection or technology, access to a facility or office, equipment, or supplies – what does each department or business function require, and how will you access these during a disruption?  

Once you have a written business continuity plan, you’ll need to test that plan to make sure it does what you want it to do during a disruption. In other words, can you continue operating and serving customers?

In order to test, you’ll need to involve your people – are they ready, prepared, and trained on how to respond? Think about how you’ll communicate instructions, roles, responsibilities, and information to your employees and staff. While testing your plans, you may uncover gaps or areas for improvement – be sure to document your findings so you can address them. And lastly, be sure to incorporate lessons learned from tests or real-life business interruptions into your plans for next year.

Market Definitions 

Gartner defines business continuity management program (BCMP) solutions as “the key tools used to manage business continuity management (BCM) programs. They provide risk assessment, business impact analysis, business process, vendor and IT dependency mapping, and plan management functionality. Some products also offer plan exercising capability, resource modeling capability and crisis/incident management ‘lite’ support.”

Forrester defines BCM software as “Tools used to create, maintain, test, communicate, and execute more structured, current, collaborative, and actionable business continuity plans.” 

Why Do You Need Business Continuity Management Software? 

Dynamic Plans 

Today, there are more threats to business than ever before, and they are happening more frequently and are more widespread. COVID-19 may dominate the conversation, but that doesn’t mean all other incidents stop; in fact, there has been an increase in interruptions like cyberattacks, severe weather, IT outages, and supply chain disruptions.

Incidents oftentimes have multiple impacts happening at once or one event triggering another. For example, in spring 2021, Texas faced ice storms that resulted in no heat or internet, which compounded the disaster. 

Most disasters are dynamic and change over time. Because of globalization, the effects can be far-reaching. As a result, an organization’s response needs to be able to change course quickly and continuity plans need to be just as dynamic. 

These incidents, on top of the pandemic, show the need to plan and exercise for disasters of different lengths, such as plans for less than a week, a month, multiple months, or even longer-term recoveries. 

With different disasters, scenarios, and impacts come many types of plans to create, manage, exercise, and maintain, which will likely be owned by different people or departments within a single organization. 

Business Expectations 

In today’s business environment, customer expectations are high. Digital business means business is 24/7. Data security laws and cybersecurity threats have created additional planning needs, such as making cyberattack planning part of BCM.

Getting Started 

Technical Setup 

Here is a diagram of the areas within BCM software you will need to populate for your program. There are a lot of different activities and inputs, which may seem daunting:

[Figure: BC Planning Chart]

We recommend starting with the foundation: personnel, departments, sites, relationships, and resources. 

A big benefit of BCM software is that instead of having data throughout different documents and spreadsheets, we can use the power of a relational database. A relational database allows for data sharing across the system (modules) so we can access the foundational data no matter the area, plan, or process. 

There are certain core systems that an organization may want to connect to in order to take the manual component out of data management, such as APIs to your HR directory or IT inventory, which allow this information to sync in real time.

Another option your software may provide is setting up batch uploads on a schedule. 

BCM software often provides single sign-on ability, making it easier for the end user, or file syncing, which automatically updates the file or folder in the BCM software when it’s updated elsewhere. 

Either way, adding automation to your data management will help you maintain the relevance of your data, which is key for organizational resilience, as it ensures more accurate data and easier data collection and maintenance. 

Program Setup 

As you determine where to start, here are some things to consider: 

  • What are your organization’s goals?

  • What is the current state of your organization’s BCM? 

  • How can you follow the life cycle/chosen framework?

  • Are there regulatory needs (e.g. MRAs) or other things that need immediate attention? 

You want software that will allow you to choose where to start and follow the methodology your organization has chosen. 

If you choose software that is designed for BCM and scalable, configure the areas you’re working on. Don't get lost in the setup. Focus on the areas that need attention first. 

Next, set up permissions. You may not want to show certain modules or areas, and if your organization is larger, you may want to consider if the software can segment the areas of the business but easily roll up for management and reporting purposes. 

This is a good time to bring awareness into the program through training. Hold short sessions to let people know about the software and their roles within it.

Analysis and Risk Assessment 

Part of BCM best practice is risk assessment. Traditionally, BCM risk assessments were threat assessments focused on locations. Because BCM is often integrated into risk management, there is BCM software that goes beyond threat assessment and supports all types of operational risk assessments such as IT, 3rd party, and business processes. 

Some software provides surveys that you can send out to the appropriate subject matter expert. It may provide survey templates and a list of threats. Software enables you to evaluate the responses by allowing you to use its built-in formulas or create your own and add weighting.

BCM software can also create risk registers and provide heat maps and other risk reports to reveal priorities and trends. Use BCM software to compare and analyze risks and to determine the level of controls/treatment required and ensure controls are enacted. 

Business Impact Analysis (BIA) 

The BIA is often seen as time consuming, but is a crucial part of the BCM life cycle. Without fully understanding the priority of your processes, it will take longer to continue your critical business if hit with a disaster. The BIA includes many inputs such as processes, resources, dependencies, and interdependencies.

Use software to automate the collection of BIA data. Some software can make this easier by providing a BIA wizard and mapping your dependencies and interdependencies. 

If you’re not sure how to determine the recovery time objective (RTO), use the software to determine your maximum outage or have it determine RTOs based on a formula. Then, the software can prioritize processes automatically and objectively. 

Use software to more easily identify gaps, such as IT systems that do not meet a business process’s RTO or recovery point objective (RPO).
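The gap check described above can be expressed as a query over relational BIA data. The following is an added example, not code from the article or from any BCM product: the schema, the process and system names, and the hour values are all constructed assumptions. It walks direct and indirect dependencies and reports every system whose RTO or RPO is longer than that of a process relying on it.

```python
import sqlite3

# Constructed sample data (hours); names and values are illustrative only.
PROCESSES = [("Order intake", 4, 1), ("Payroll", 72, 24)]  # name, RTO, RPO
SYSTEMS = [("Web store", 2, 1), ("ERP", 8, 4),
           ("SAN storage", 24, 12), ("HR portal", 48, 24)]
# (dependent, dependency): a process or system relies on the named system.
DEPENDS_ON = [("Order intake", "Web store"), ("Web store", "ERP"),
              ("ERP", "SAN storage"), ("Payroll", "HR portal")]

def find_recovery_gaps():
    """Return (process, system, objective, required_h, actual_h) rows for each
    direct or indirect dependency that misses a process's RTO or RPO."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE process(name TEXT PRIMARY KEY, rto INTEGER, rpo INTEGER);
        CREATE TABLE system(name TEXT PRIMARY KEY, rto INTEGER, rpo INTEGER);
        CREATE TABLE depends_on(dependent TEXT, dependency TEXT);
    """)
    db.executemany("INSERT INTO process VALUES (?,?,?)", PROCESSES)
    db.executemany("INSERT INTO system VALUES (?,?,?)", SYSTEMS)
    db.executemany("INSERT INTO depends_on VALUES (?,?)", DEPENDS_ON)
    rows = db.execute("""
        WITH RECURSIVE reach(process, node) AS (
            -- direct dependencies of each process
            SELECT p.name, d.dependency FROM process p
              JOIN depends_on d ON d.dependent = p.name
            UNION  -- UNION (not UNION ALL) dedupes, so cycles terminate
            SELECT r.process, d.dependency FROM reach r
              JOIN depends_on d ON d.dependent = r.node
        )
        SELECT r.process, s.name, 'RTO', p.rto, s.rto
          FROM reach r JOIN process p ON p.name = r.process
                       JOIN system s ON s.name = r.node
         WHERE s.rto > p.rto
        UNION ALL
        SELECT r.process, s.name, 'RPO', p.rpo, s.rpo
          FROM reach r JOIN process p ON p.name = r.process
                       JOIN system s ON s.name = r.node
         WHERE s.rpo > p.rpo
        ORDER BY 1, 2, 3
    """).fetchall()
    db.close()
    return rows

if __name__ == "__main__":
    for row in find_recovery_gaps():
        print("%s depends on %s: %s requires %dh, system offers %dh" % row)
```

In the sample data the web store itself meets the order-intake objectives, but the ERP and storage layers beneath it do not, which is the kind of indirect gap that per-document spreadsheets tend to hide.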

Planning 

BCM software typically allows administrators to enforce planning requirements using completion tracking and reporting and approval workflows.

Having software is a great opportunity to establish standardization. You can create your own template or utilize the system’s templates to help guide you in creating a plan. Use the sharing functionality to provide standard information through each of your plans. Change it in one plan so that it cascades through all of your plans. 

There are many types of plans and scenarios. BCM software can allow you to have as many plans, scenarios, teams, and tasks as you need. Permissions provide a way to segment the different resilience areas so they can manage and maintain their particular plans.  

Give stakeholders access to their plans and let them create teams and tasks, as well as attach necessary files. With ownership, more people will get involved and BCM will become more ingrained in the culture, and you can still manage plan creation by setting up approval workflows. 

3rd Party/Supply Chain Planning 

Use the software’s BIA component to identify the vendors/suppliers associated with critical processes. Prioritize the critical vendors/suppliers based on impacts to critical processes. 

Consider appropriate and achievable supply chain continuity strategies and integrate this with BC plans, such as by tracking alternate vendors and suppliers. 

Identify vendor risk, and plan for vendor failure through vendor contingency planning. 

ISO 22318 provides guidelines for supply chain continuity: 

  • Develop a strategy that considers the requirement for supply chain continuity 
  • Analyze the supply chain using the BIA to identify critical activities or processes 
  • Consider the appropriate and achievable supply chain continuity strategies and integrate this with BC plans 
  • Ongoing performance management to maintain an appropriate level of continuity management within the supply chain and deliver continuous improvement 

Incident Management 

Use your BCM software's incident management to activate entire plans or only the parts that are needed. You may want to activate based on a scenario, by location, by an application or system, or by process, and software gives you the ability to do this.

During a crisis, people need to focus on where they are going, what they need to do, and who they need to communicate with. Some software will slim down the plan to just these components when a plan is activated so that each team member has a playbook where they can quickly see their tasks. 

With some software, files can be attached to specific plans, teams, tasks, etc., making it easy for a team member to get important files. Software makes changing team members on the fly easier. You may not know who will be available at the time of disaster, so you can indicate in the software the type of person you’ll need, like a nurse or engineer, and name the person as the spots are filled. Some software will let you email tasks directly to the team member without them even entering the software, which may be good for executives or those members who are being filled in on the fly. 

Keep track of the tasks being done and where you are in your recovery. Use software to help with your post mortem, such as showing where you didn’t meet RTOs and keeping track of the disaster automatically. 

Crisis Communications 

If your software has a notification system, you’ll quickly see the ROI. 

You can set up the system for all types of devices, like email and texting. Messages can be sent to employees and external stakeholders, such as vendors and regulators. The pandemic has shown us that communicating with employees and external contacts is key for morale and confidence in the organization. 

Software can track the return of responses, and two-way communication platforms allow you to answer questions in real-time. Some platforms offer a conference bridge. 

Communications planning is a key part of your emergency preparedness plan. With a notification system, you will be able to prepare messaging for all types of circumstances. Many systems allow you to send messages simply by selecting groups defined in the system, like departments or locations. 

Possible Scenarios 

Different Emergency Communication Messages 

  • Activate emergency operations center 
  • Alert entire organization 
  • Send alert to senior leadership 
  • Immediately notify people about a cyber breach and advise them to take protective steps 

BCM Notifications 

Some BCM systems may let you send tasks to team members when a disaster is activated. There are also system-driven notifications, like reminders to update plans and BIAs. Automate tasks such as: 

  • Triggering emails 
  • Approval processes 
  • Scheduling 
  • Assignment 
  • Follow-up 
  • Monitoring 

Compliance & Program Benchmarking 

Many systems incorporate the more recognizable standards and provide a means of measuring and mapping compliance.

Use BCM software to track your BCM compliance under a particular framework. Then, use the mapping capabilities to evaluate your BCM program’s progress and actual compliance with the particular standard. Finally, generate an audit report for internal and external review. 

Exercise 

Exercising is a critical step in the BCM life cycle. 

Use BCM software to:  

  • Schedule exercises 

  • Frame exercises, training, and awareness 

  • Document exercises 

  • Track and manage after-actions 

  • Demonstrate exercise compliance to internal and external auditors 

Ongoing BCM Maintenance 

Things change regularly in business. Regulations and best practices require annual business continuity activities, including the BIA, risk assessments, exercising, and plans. Without BCM software, this constant maintenance and requests for information may be daunting.

Senior management and the board must approve these changes at least once a year. Some software allows leadership to review just those areas that have changed or easily see tracked changes, as it provides for automatic versioning. 

With software built on a relational database, no matter how the data gets into the system, BCM software facilitates global data updates by cascading individual changes throughout the system.

Reporting 

Software supports the creation of program management metrics and analysis. A relational database allows the creation of complex reports that summarize business continuity across the system. Manually gathering data from documents to create metrics is a big task that can easily be inaccurate. 

Since BCM software is designed for reporting, there are default reports you can run even if you’re unsure of the reports you may need. 

What-if modeling is a good way to not only see the effects of a certain impact but to highlight gaps when running different scenarios. 

Additional Uses 

Vendor Management 

Vendor management is different from vendor contingency planning. You need to classify your vendors and monitor them, as well as have up-to-date contact information. Make sure they are meeting their SLA, that you have their contact information, and you know contract expiration dates. 

Inventory Management 

Keep track of both hardware and software and all information associated with it. 

Business Processes 

An inventory of business processes includes dependencies and interdependencies. It also provides an overview of organization/dependency mapping. 

Key Takeaways 

BCM software:

  • Is beneficial no matter the BCM approach, methodology, or maturity level 

  • Improves and builds a culture of resilience 

  • Matures BCM programs 

  • Makes plans more secure and accessible 

  • Provides more reliable data 

  • Enables easier upkeep and program tracking 

  • Provides tools and workflows for program management 

  • Provides better crisis communications 

  • Provides business continuity intelligence 

  • Becomes the single source of truth for everything BCM 

Business continuity is a continuous cycle and Agility can help your organization maintain resilience with an all-in-one approach to business continuity: plan, train, test, alert, and recover.