Customers are our Northstar
The future of business continuity is customer-centric. Moving forward, we need to embrace a customer focus as our guiding star. I am not the only one to suggest this idea. Picking up on the concepts I shared in Business Continuity Plans Are Dead and Why Dashboards Are Better Than BCPS, I will explain why BCM should put customer needs first.
People expect us to respond confidently to crisis events. The past eighteen months taught us that the ability to address multiple crisis events is our new normal. Regardless of company size or geography, many colleagues shared that they experienced several concurrent incidents over the past year. The legacy of COVID is that worldwide, long-tail events occur that do not diminish the expectation that we also manage other incidents. My concept of a customer is the internal stakeholders our programs support and the people who buy our company’s products.
COVID was instructive in reminding us that successful recovery depends on both internal and external partner’s capabilities. Whether you integrate your BCM program with an operational resilience framework or choose to align planning and crisis management, taking a customer-centered approach will enhance organizational resilience. It is a significant shift in perspective to define success based on whether you can service a customer when an event occurs. This aligned approach converges threat management, risk, continuity, operations, and crisis response across the organization.
A service approach builds resilience
If you company chooses not to leverage operational resilience and retains a classic BCM model, I urge you to map your functions along a service continuum. By documenting processes along the service delivery life cycle, you will more clearly expose threats to critical customer offerings. Impact and dependency models rarely look at weaknesses holistically. During COVID, this hit home when business partners told me that their strategies would not work unless somebody also recovered vital personnel from other departments.
If this seems like a no-brainer, I wonder how many of you have genuinely built a service roadmap. Few continuity plans provide insight into dependencies across all aspects of business activity. Conducting exercise scenarios across all business groups to certify the delivery of a product is a good test. However, the future of business continuity is customer-centric because we need to move away from a reliance on a two-dimensional model. Instead, we need to enable the business with tools flexible enough to address a myriad of situations.
Plans are by definition static; they tell you how to achieve something, document procedures, or suggest a program of action. The failure of the plan format is that it provides a false sense of reliance that there is a set formula for any emergency. Although the all-hazards concept purports to achieve this goal, in reality, the majority of our customers remain underprepared. Our stakeholders are busy conducting daily business and rarely find value in the complex plans we produce for them. Along with that, we rarely test plans against enough incident scenarios to build legitimate resilience.
Planning and exercising are important
To achieve greater resilience, we need a structured approach that includes planning and testing. You also need to foster increased capabilities in those utilizing crisis response and business restoration data. Ideally, it helps to exercise towards both likely and stretch events that test tour stakeholders’ proficiency. Taking this approach provides greater insight to exposes gaps not previously realized.
Once you have your business partners invested because they understand the impact of interruptions on the bottom line, you also need leadership insight. It is vital to mobilize active engagement and visibility with executive sponsorship. Additionally, it would be best if you had a way to communicate frequently and openly. Plans are a point-in-time construct that is outdated when developed. To overcome this design flaw, I advocate an alternative model like a dashboard to engages our stakeholders in real-time strategic thinking.
You could ask me, what use is the planning process without the outcome of a plan? It is a good question, and my answer is that we need the best information possible to respond and recover from an incident effectively. As I expressed before, I wholeheartedly agree with Dwight Eisenhower saying that “planning is everything, the plan is nothing.” My goal is to fully integrate tools like dashboards and scenario testing into program design and decision making. I am giving our stakeholders tools that demonstrate current risks in a meaningful way to elevate success rates. Ultimately, resilience becomes a foundational capability across the organization.
Compliance reliance is harmful
Some practitioners have lost sight that the purpose of planning is to know how to respond and recover from a business interruption. The plan is not the outcome. The techniques I’ve employed fall on the spectrum of cataloging minute details or high-level strategies. Neither of these approaches ever produced satisfactory results. If I gave people exhaustive information, they find it challenging to execute during times of crisis. On the other hand, too high-level plans became meaningless, offering no insight into responding to specific situations.
Having experienced both ends of the spectrum, I settled on the Goldilocks solution of a dashboard. For me, dashboards solve the issue by producing an optimal balance between the two extremes. They house critical information in a systematic way oriented for optimal crisis management. Using a dashboard does not give the user a false sense of having a recipe book for every incident but encourages critical thinking. It provides a visual snapshot while offering a way to gain greater insight. A dashboard’s advantage is that it improves situational awareness.
Too many organizations rely on compliance to benchmark the success of their programs. As a result, many stakeholders complete BCM activities out of obligation rather than to achieve preparedness. Finally, regulatory and supervisory bodies are taking notice. Compliance-driven models provide a false sense of security because it engenders fear of an audit versus a genuine interest in gaining the necessary skills and insights for an effective response. A customer-centric, service-oriented approach using crisis-ready tools increases the business’s abilities and is a better indicator of an organization’s resilience.
Of course, we all want high availability and continuous data protection to keep vital systems and apps fully operational during times of crisis. As we move towards a post-COVID world, many of our companies’ most significant identified risks are power or network outages. People suggest that plans are superior to a dashboard because of availability during a power outage. Throughout several blogs, I discuss why that methodology is inefficient. I cannot honestly identify one time during my career when a printed plan was ever more effective than a well-practiced team responding to an event.
At best, plans served as a guidepost. Building collective muscle memory, understanding roles, and developing tactical capabilities are always more effective. For example, does a power outage plan help you recover from that hazard or the knowledge you gained by collecting and analyzing data to create it? A resilient business is practiced enough and has examined its risk, only requiring situational awareness to decide how to respond.
I agree that the frequency of power outages is now all too commonplace. A power outage is an increased risk for many business’ operations. However, the existence of a plan does not predict a successful outcome. Rather, the preparedness activities your team engages in to understand your level of risk and ability to recover from it should be your success measures.
Embracing ongoing change
What I see in the years ahead is change. If the past eighteen months are any indication, we need to be prepared to pivot and address multiple events simultaneously. With the increasing number of physical and digital incidents, we should embrace agility and inventiveness in our crisis response. Likewise, our customers need us to rise to this challenge.
I was recently asked on a panel what my favorite superhero is. I answered Batman without explaining. To elaborate, Batman is my favorite superhero because he has no superpowers but uses his intelligence, strength, and (some pretty cool) tools to overcome challenges. He is superhuman only in his determination and herculean drive to protect Gotham’s citizens. Yes, his inner demons drive him, but they push him to become a stronger person who also inspires others.
Like Batman, I want all of us in the field to gain increased strength and wisdom to overcome hardships. By striving for greater adaptability, we will produce scalable results that safeguard our customers continuously. Achieving this is possible by devoting serious energy to enhancing or transforming existing programs. To accomplish this, we must evolve our thinking to embrace new techniques, models, and best practices.