Business continuity planning: program planning

So far in our Business Continuity series, we have discussed the many benefits of having a plan. We’ve also outlined some of the key stakeholders that serve as the building blocks for a successful continuity program. Once a program is underway, there are several planning aspects to consider. In this article, we will outline some of them, so that your organization can have a successful planning phase.

Note: we will not discuss the program management aspects of business continuity plan development in detail in this series. However, we may discuss them in passing as they support the overall process of developing a business continuity plan.

A word on standards

Usually, regulatory compliance requirements mandate a standard to follow but some countries create their own  — these are generally derived from ISO 22301, but localized to suit the priorities of their government. Close compliance with an established standard is especially prevalent for publicly listed organizations or organizations operating in a regulated environment. Despite the various standards and terminologies used by organizations, we will use ISO 22301:2019 as our framework for this series.

Identify the teams

In the planning stage of a continuity program, it’s important to identify all of the involved parties. Typically a business continuity plan will be supported by several groups and individuals including a steering committee, a business continuity lead, a core program team, and subject matter experts and consultants.

First, you should identify who will be on your core program team — and what work will be outsourced. The skill requirements needed will vary, but generally your team should comprise individuals who have strong communication and analytical skills. The selected individuals should also have an understanding of risk assessments (using the enterprise risk framework). The team members do not have to be fully dedicated to the program, but their roles at various stages of the program should be identified in the beginning. Your organization could also divide the team members into specific groups that you engage as needed, instead of involving everyone in every discussion.

The portions of the program that demand the most manpower are the business impact analysis and the risk assessment. To prepare for a business impact analysis, interviews must be conducted with each business function and, depending on the timeline, it is good to assign this task to analysts who are experienced in this area. Having a minimum of three analysts will help you conduct interviews for more than one department at a time.

You will also need an extended team of subject matter experts comprising human resources, auditing, corporate communications, IT, cybersecurity, crisis management and business development. These subject matter experts will help you analyze the findings from the business impact analysis report, risk assessment report and business recovery strategy.

Identify the business functions (departments)

In general, all the business functions (hereafter referred to as departments) that fall under the program scope must be included in the plan development. However, prioritization and the extent to which you need to conduct the business impact analysis, risk assessment and recovery strategy depend on the criticality of the departments. 

For example, if your organization’s business impact areas in the enterprise risk management framework are: financial, reputational,pProducts and services and information technology, you should consider prioritizing interviewing the champions from finance, corporate communications, marketing, sales, product development, R&D and information technology first. By identifying the priority areas, you will have clearer direction on which interviews and reviews to schedule first.

Prioritizing does not mean you leave out the other departments or you giving them less consideration. Rather, it just means that you will provide greater attention to the critical departments in the first round of interviews and then, as you identify the dependencies, invest additional time and resources for the other departments.

Identify champions

You will need support from your organization’s departments in two areas: (i) staff who can provide detailed information on the business processes and the relevant data and (ii) staff who drive business continuity planning and awareness within their respective departments. The head of each involved department must ensure that the nominated staff are made available for the interview and review sessions. You should schedule a group session for the management staff from all involved departments, so that you can present the summary of the program and the set overall expectations for each department. This will ensure that all management staff have a holistic understanding of the program before they assign tasks to their subordinates.

It is fine if the heads of the departments themselves want to champion their team’s involvement. In fact, we recommend the department head to be the main source of information with regards to their respective processes. You also may not need additional presentation and review sessions with the head of the department if the department head themselves act as a champion. However, this may not always be feasible all the time and so, the department head should nominate a senior staff member with extensive knowledge of  their department’s processes and sub-culture.

Change management

After the business impact analysis, your organization should outline a change management plan to prepare everyone for the upcoming changes. A well thought out change management plan can help you introduce changes to your business, products, processes, systems and organizational work culture, in a way that is minimally disruptive to regular operations. Your staff may have a variety of emotional responses to proposed organizational changes, so the earlier you get a sense of their mood, the better. If your staff are anxious about the business continuity plan, then part of your strategy must be educating them about the potential benefits and dispelling any myths they believe.

Monitoring and reporting processes should be established at a very early stage to identify the organizational changes. These processes will help you monitor changes to the organizational strategy, business processes, the way technology is being used, the way information is being accessed, and the overall work culture. Being aware of all the above will enable you to keep the plan relevant and up to date, even before implementation. 

Education and communication

Once the scope of work has been approved by the directors and a program manager and subject matter expert have been assigned, it’s a good time for the program team to begin an awareness campaign. 

During the early stages of the planning, the focus should be on educating staff about the benefits of business continuity planning — especially the ones that will benefit them. If you conduct polls early on to understand the anxieties of the staff, you can then address them through your awareness campaigns (perhaps at a town hall meetings). 

The awareness strategy must be developed and integrated into the overall program schedule and take into account the different program stages, the scope, the departments, the types of awareness required, and any communications needs. Usually, the marketing department or the corporate communications department within the organization is skilled in putting together awareness strategies, taking the above discussed factors into consideration. If your organization does not have a dedicated marketing or communications team, developing the strategy with the business continuity lead SME and a few external content creators is a suitable alternative.

Figure 02: Infographic summarizing each major activities involved in the program planning

Discussion with the other plan owners

Some organizations might already have plans that relate to certain aspects of a typical business continuity program, such as a crisis management plan or an IT disaster recovery plan. Therefore, your planning team should initiate conversations with the respective plan owners to determine how to integrate everything into the overarching business continuity plan. 

The below plans are some of the main ones you’ll want to seek out and have conversations about:

• Crisis management plan

• Communications plan

• Disaster recovery plan

• Cybersecurity response plan

Crisis management plan - medium to large organizations tend to have a strong crisis management plan to manage disasters that are internal to the organization (such as a building fire) and external to the organization (like civil unrest or an epidemic).

Communications plan - This may be a dedicated plan or part of your organization’s crisis management plan. Either way, this plan should detail the communication process during a disaster and the staff — including who is responsible for sending out the communications. If such a plan does not exist in your organization, you must identify the department responsible for communications and have discussions with them to learn what their  current processes are. Additionally, throughout the plan development, you should conduct workshops with your communications team to determine the best way to communicate during times of crisis and business recovery.

Disaster recovery plan - Mature organizations have a disaster recovery plan for their information technology systems. The maturity of such a plan varies between organizations and depends on how long the information systems can run without interruption (such as unexpected technical issues).. It is not uncommon for organizations to keep this plan separate from their business continuity plan or crisis management plan. When the IT Disaster recovery plan is not integrated with any other organizational crisis management plans, IT disaster communications fremian within the IT team’s scope.

Cybersecurity response plan - Cybersecurity is a growing field and unless it is dictated by the regulators or the government of the operating country, organizations do not usually have a written strategy to handle cybersecurity incidents. Although incident response activities are technical in nature, many related management processes do exist, right from managing a cybersecurity disaster to communicating to the management. Cybersecurity incidents that are sensitive in nature and deal with privacy or data leakage, must be managed by the executive team as part of the business continuity plan, since organizational reputation and information that are under its custody are at stake. Executives that are part of the business continuity plan are the right people to direct a cybersecurity response when it involves information deemed “classified”.

Once the business continuity program lead has learned about the above plans, they should meet with their responsible owner(s) to discuss integrating those individual plans with the business continuity plan. All parties should always discuss the complexity of such integration before making any decisions.

Scheduling and resource allocation

Once all the above plans are identified and analyzed, the program manager must update the schedule and request for additional resources if required. At this stage, most of the pre-requisite and the major activities should be well known and the schedule must be detailed and stable enough for the next few weeks. This is all essential since the next step after the planning is to be conducting the business impact analysis (or risk assessment — this will be discussed in a companion article later). 

If required, brainstorming sessions should be conducted with the different teams that are identified to develop the business continuity plan to fine tune the schedule, up to the next stage at the minimum. 

Setting the right expectations

Once you have drafted a planning schedule, you should set up a meeting with the program steering committee to present the summary of the program strategy and the schedule. You should also reiterate on any program exclusions. The presentation must be concise, and provide the information required for the target audience. You can always elaborate on more specific items after the meeting, with the relevant individuals. The committee members might seek additional clarifications or raise concerns that need to be addressed in the meeting. As such, ensure you have your primary subject matter expert present in the meeting. A good presentation will help you get further reassurance from the directors.

Once accepted by the program steering committee, conduct additional meetings with different stakeholders as required, tailoring the presentations to them. All these meetings must include a schedule for the upcoming activities and guidelines for the business impact analysis interview sessions. Introduce the spreadsheet templates that will be used to conduct interviews and if possible, conduct a demonstration by selecting one of the business processes and interviewing the respective champion to capture the information required for the template. Allow the attendees to raise questions and clarify as much as you can. This demonstration will help the interviewers to understand the type of questions they might be asked during an interview.

Once the meetings to set the right expectations are complete, send schedules to the respective teams at least two weeks in advance, along with preparation guidelines. At this point, you should run awareness campaigns targeting the attendees for the business impact analysis interview sessions. These sessions will help you educate your staff about the importance of the interviews, what data will be collected and the preparation expected from the attendees. You can use email campaigns to educate the champions about the technical terms that will be used during the interviews.

Conclusion

In this article, we discussed the different activities and analyses involved in the planning phase of the program. Program teams, departments, champions, required changes and current organization resiliency plans must be identified and the right recommendations must be made. When sufficient information has been attained, the planning team should present their program strategy to the stakeholders and all parties should be in agreement that the business continuity plan is on track.