Ten Steps for Practical Business Continuity Planning

“A practical methodology for managing your business continuity by applying program management techniques”

By Timothy S. Bergmann, PMP, ABCP

Chief Learning Officer

True Solutions Inc.

Business Continuity Planning is a complicated, sometimes difficult endeavor for an organization. One of the challenges that colors the process is that Business Continuity Planning is still in the formative stages. BC experts who are working today are often the same individuals who performed Disaster Recovery planning on early mainframes and self published their findings. While there is always a definite need for Business Continuity Planning, there are many barriers to success. This paper describes a methodology at a high level that can facilitate success for Business Continuity Planning by applying proven project management, program management and business continuity best practices in a coordinated manner.

Business Continuity Planning superseded the concept of Disaster Recovery around 1994-1995 after the Hurricane Andrew experience in Florida. During this widespread disaster event, some companies found that they had protected their infrastructure (Disaster Recovery), but had failed to protect the company (Business Continuity). This initiated an evolution from Disaster Recovery thinking to Business Continuity thinking.

Simply stated, Business Continuity deals with all of the elements of the company:

- Infrastructure (Buildings, communications and computing)

- Sales

- Fulfillment and customer service

- Human Resources

- Security

- Risk scenarios

To oversimplify, Business Continuity deals with the organization holistically; in the past Disaster Recovery only dealt with a small portion of the organization.

But there are some definite challenges to Business Continuity. First of all, in order to address a problem, the organization has to recognize that a problem or need exists. Many organizations fail to plan for Business Continuity due to various reasons, such as lack of resources, lack of budget and lack of interest. Many organizations suffer from the vision that “It won’t happen here” and fail to take adequate precautions to protect the enterprise.

Think about it: how often have the officers and directors of a company that failed into bankruptcy been criminally or civilly prosecuted for the failure? Sometimes, usually in cases of fraudulent activity there have been prosecutions; Enron, Tyco and Worldcom would be recent examples of criminal prosecutions. But while these prosecutions have been very public events, there are very few corporate leaders who suffer this fate.

But what about the average company that simply fails for some reason? An example might be Montgomery Wards. Montgomery Wards failed to keep pace with the market, failed to upgrade their infrastructure and failed to follow new trends. Ward’s ultimately lost a customer base large enough to support the company and had to liquidate in bankruptcy. No one went to jail or was held civilly liable. It has become a semi-acceptable business process to build, squeeze and then let the company “go” in the United States.

That quasi-process immediately presents a problem for the Business Continuity professional. The company may not have the commitment to excellence or a commitment to it’s own future. A continuing impediment to BC Plannings is the time and money commitment involved in managing the planning and program.

One of the first things that we have inserted into our “Ten Steps” methodology for using program management techniques to manage the Business Continuity Program is the

“A-B-C-D Analysis”. The “A-B-C-D Analysis” asks:

A - is there Awareness of a problem, issue or need to be addressed?

B - is there Budget available to address the need?

C - is the Concern about the problem, issue or need?

D - is there Determination at a senior management level to address the need?

If all of the answers to the question are “yes”, then the Business Continuity Program has a chance of success and should be initiated.

Ten Steps for Practical Business Continuity Planning combines multiple standards and best practices to expose a practical methodology for Business Continuity Planning and management. Ten Steps for Practical Business Continuity Planning combines standards from DRII (Disaster Recovery Institute International), DRJ (Disaster Recovery Journal) and PMI (Project Management Institute) in order to form a structure for initiating, planning and managing Business Continuity Planning and the BC Program.

DRII has long published a set of best practice areas for Disaster Recovery-Business Continuity Planning. Ten Areas are defined as part of BCP:

- Area 1: Project Initiation and Management

- Area 2: Risk Evaluation and Control

- Area 3: Business Impact Analysis

- Area 4: Developing Business Continuity Strategies

- Area 5: Emergency Response and Operations

- Area 6: Developing and Implementing BC Plans

- Area 7: Awareness and Training

- Area 8: Maintaining and Exercising the BC Plan

- Area 9: Public Relations and Crisis Coordination

- Area 10: Coordination with External Agencies

Recently, DRII and DRJ have collaborated and have had many contributors to define the DRII/DRJ GAP - Generally Accepted Practices for Business Continuity Planning. The GAP takes the best practice areas and adds definition and detail to the original framework.

Each section of the Business Continuity Generally Accepted Practices defines:

- what is to be done in that area

- how it is to be accomplished (at a high level)

- points of reference (regulations, standards, references) for the BC Practitioner to use

- each section provides references to other sources

PMI (Project Management Institute) is cited as a reference multiple times for the PMBOK Guide Third Edition in areas 1 and 2. Many other recognized standards organizations are used as references for how to identify, plan, quantify and manage Business Continuity needs; some of these are:

- National Fire Protection Association

- Federal Financial Institutions Examination Council

- ASIS International

- National Institute of Standards and Technology

- Institute for Business and Home Safety

- Federal Emergency Management Agency

- Standards Australia

- Standards New Zealand

- ARMA International

- General Accounting Office

Whereas the original DRII Business Continuity best practice had 10 loosely defined areas, the DRJ-Generally Accepted Practices has 272 sub topic areas that are detailed and given reference points.

Planning and managing business continuity for a single organization unit or department is complex. Planning and managing business continuity for an entire enterprise will require multiple Business Continuity Professionals and a highly structured approach.

The projected use of multiple Business Continuity Professionals (quasi Project Managers or Program Managers) to plan, implement, test, modify and manage the Business Continuity Program clearly indicates that this effort is a candidate for using PMI’s Standard for Program Management.

The Standard for Program Management indicates that the program should be managed to employ three themes:

- Benefits Management: to deliver the planned program outcomes, benefits, synergies from the multiple individual projects or combined programs

- Stakeholder Management: to manage affects of the program on stakeholders and to manage the large number of stakeholders that are involved in the program

- Program Governance: to develop policies, procedures and practices that facilitate program management

All of these themes are universal in nature and are needed throughout the program life cycle. All of these elements blend with and contribute to structural definitions of Generally Accepted Practices for the Business Continuity Program.

The Standard for Program Management exposes five phases for the program life cycle:

- Pre-program

- Program Setup

- Establish Program Management Infrastructure

- Deliver Benefits

- Close Program

Just like the Project Management Standard, there are five process groups that occur in the Standard for Program Management in every phase of the project. Each of the 39 processes that are defined as part of the Standard for Program Management exist in one of the process groups.

One difference in the Program Management Standard from the Project Management Standard is that in the Program Management Standard there are common Inputs, common Tools and Techniques and common Outputs that are defined to exist in every Program Management process.

In defining “Ten Steps for Practical Business Continuity Planning”, our goal was to combine the elements of the DRII Best Practices, the DRJ GAP and the PMI Standard for Program Management and Standard for Project Management (PMBOK Guide Third Edition) into a series of steps that conform to the Program Management structure. These steps will use the defined structured processes in order to enable a simple, yet highly structured approach to performing management of the Business Continuity Program. Our approach is to have specific processes used in each step. The processes used will utilize specific Inputs, Tools and Techniques and Output. The processes will enable producing the desired results that will enable the Business Continuity projects and program management.
Here is how we have structured the Ten Steps for Practical Business Continuity Planning:The Ten Steps for Practical Business Continuity Planning model uses the Program Life Cycle with five phases as defined in the Standard for Program Management.

In Phase 1 (Pre-Program Phase) Step 1 of our Ten Steps methodology occurs.

In Step 1 of our methodology our intent is to determine whether the proposed program has value or not. In a business continuity context, the program manager in conjunction with the sponsor or sponsors must determine if the enterprise has the determination and resources to perform business continuity planning. The initial program scope will be required in order to determine what departments, units, locations or areas of the enterprise will be included in the Business Continuity Program.

Please note that processes that are designated with an asterisk (*) are customized processes created for this methodology. Each have specific Inputs, Tools and Outputs customized for the business continuity program environment. Processes that have no asterisk (*) are standard processes defined as part of the PMI Standard for Program Management.

Phase 2 (Program Setup) has a single step contained within it, just like Phase 1.

In Step 2 of our methodology the program manager will initiate the Business Continuity Program. Three standard processes are used to perform this step.

Steps 3, 4 and 5 make up Phase 3 (Establish Program Management Infrastructure)

In Step 3 of our methodology the program manager ensures that program controls are in place for the Business Continuity Program. In this step quality parameters are planned, resource requirements are defined and basic plans to control costs, schedule, scope and communications are put into place.

In Step 4 of our methodology the program manager along with the program team and stakeholders work together to define the scope of the program (and scope for any individual projects associated with the program).

In Step 5 the program manager will work to define risks and vulnerabilities that may affect the enterprise and therefore must be addressed by the Business Continuity Program. The Business Impact Analysis occurs in this step. The BIA is almost another project within the other projects and program. The BIA is one of the most important parts of the overall Business Continuity Program. The BIA identifies the business processes, what they do, what they interact with and who performs them. The result of the BIA is a definition of what processes are required and need protection by developing business continuity alternatives.

Phase 4 (Deliver Benefits) begins with Step 6 and encompasses Steps 6,7,8 and 9.

In the previous step, the program manager and the team identified the important elements of the enterprise that require protection. Several business continuity strategies were developed and prioritized. In Step 6, the program manager in conjunction with stakeholders and sponsors obtains agreement as to the chosen strategies for business continuity. The plan for work, the program management plan, is also agreed upon.

In Step 7 of our methodology the program manager works with the project team and stakeholders to obtain work results and to monitor work performance. Information is sent out to stakeholders in the form of status and performance reports. Quality checks are performed on the project and the product. The final outcome of the project to create and implement a plan, the Business Continuity Program will be produced during this step.

Step 8 is a critical step no matter which option is utilized. The Business Continuity Professional (Project/Program Manager) will be involved in the exercise or activation of the BC plan. After an exercise the results of the exercise are available to stakeholders. After an emergency activation of the business continuity plan, results of the actual event are available. Both of these elements will be used in Step 9 to modify the plan as required.

In Step 9 the results of an exercise or of an emergency activation of the Business Continuity Plan will be used to modify the plan. Step 9 also includes the process of “Identify Changes” which includes a periodic review of the plan and enterprise environment. As changes occur in the environment, regardless of plan use, updates to the Business Continuity Plan must occur. Any updates are performed considering version control and distributed to key team members on a regular basis.

Step 9 has an option built into the step flow. After Step 9 the program manager and stakeholders will return to Step 8 if the program is deemed to still have value and produce the expected benefits. If the program returns to Step 8, periodic utilization and update to the Business Continuity Plan will result.

If the program is deemed to be obsolete, ineffective or no longer provides the benefits planned, then the program manager will go to Step 10 and terminate the program.

The final phase of the program life cycle, Phase 5 (Close) contains Step 10.

Step 10 involves closing the program. This step will be used after the benefits of the program have been derived and exhausted and a decision is reached to terminate the program.

When using one of the standard processes defined as part of the PMI Standard for Program Management, the standard Inputs, Tools and Techniques and Outputs will be used. Input and Output data will be unique to the Business Continuity Program.

When using non-standard custom processes developed specifically for this methodology, unique Inputs, Tools and Techniques and Outputs will be specified and realized. Specific details associated with the methodology will be available in True Solutions unique management course “Ten Steps for Practical Business Continuity Planning”.

TSI believes that this methodology provides a simple structure for pursuing development of the Business Continuity Plan and Business Continuity Program. Used in a serial manner executing Steps 1 to 10, it provides a “roadmap” for the Business Continuity Professional. While this methodology may not answer every possible permutation of need, the reasonably skilled individual can use this to build awareness of what needs to be done and in what order elements need to be accomplished in order to facilitate success when attempting to manage business continuity for the enterprise.