freshidea - Fotolia
While business continuity is typically thought of as a process for responding to specific disruptive events, activities performed as part of the business continuity process may be useful in long-term strategic planning activities.
Strategic planning is aimed at defining the direction an organization takes to achieve its vision and mission. Many factors and lots of data are used to formulate an organization's business strategies. We examine the five primary activities in strategic plan development and how the business continuity process can add value.
Mission and objectives
Once the organization identifies its mission and vision, which includes the core values of the firm, the next step is to define visionary goals. These goals are used to develop the organization's business objectives, such as achieving revenue goals or increasing market share.
Under most circumstances, you will not see business continuity included among these activities. But why wouldn't it be a relevant business objective? After all, a business that is damaged or destroyed by an event it was unprepared for will not achieve its business objectives. Many organizations assume they will not experience a business-threatening incident. Logically, this assumption is highly risky, but it's pretty much the norm.
This phase gathers information about the organization, the industry and marketplace in which it plans to operate, as well as external factors that could impact its success. An internal examination typically includes a strengths, weakness, opportunities and threats (SWOT) analysis that scrutinizes a broad range of situations that could affect the firm. Specialized analyses, such as those using Michael Porter's "The Five Competitive Forces that Shape Strategy," can be conducted to examine the marketplace.
A business impact analysis (BIA) and risk analysis (RA) can combine to provide excellent input to a SWOT analysis. The BIA can contribute data to the S, W and O portions of the analysis, as it provides data on how the business operates, relationships (dependencies) among various elements of the business, and any impact to the business if certain key processes were unavailable or disrupted. The RA provides data on the T portion of the analysis, as it identifies situations that could threaten the continued operation of the firm.
Next, the organization's strategies for achieving its vision, mission and objectives are defined. Porter defined three specific strategies that can be applied to most businesses:
- Cost leadership embraces a number of approaches, not just having the lowest prices, to achieving market goals.
- Differentiation defines ways the firm offers unique product and service attributes that are considered valuable to customers.
- Focus involves zeroing in on specific strata of a market and concentrating the firm's resources on being the best in that specific area.
Business continuity activities can add value to each of these strategies by identifying situations that could negatively affect the firm's ability to achieve its goals. Properly analyzed, BIA and RA results can provide clues for better planning, structuring and implementing business strategies.
Once the above strategies have been defined, the next step is to implement them. This step requires careful analysis of budgets, people, procedures, technology and facilities. On the chance that the people who implement the strategy are different than the ones who designed it, communication is very important so all parties are in sync.
Business continuity is an essential part of the implementation process, and should be factored in wherever possible. Risks to the successful completion of implementation must be identified, and plans must be established to ensure any unplanned disruptions are handled quickly so the implementation can proceed.
Post-implementation evaluation and control
Successful completion of the strategic planning process means the newly implemented strategies must be periodically evaluated and updated as needed. This includes setting up metrics for evaluating performance, comparing performance against the metrics and making adjustments so that performance is aligned with metrics.
In a successful business continuity program, once the plans have been tested and put into operation, they must be periodically reviewed and tested again. This is to ensure they are still consistent with the firm's business mission and objectives, fully supportive of the firm's strategies and will perform as required in an emergency. It may be possible to streamline these processes or share information gathered in one to benefit the other.
Additional tips from The Business Continuity Institute
The Business Continuity Institute's Good Practice Guidelines (GPG) is a helpful source of guidance for identifying business continuity activities that can support strategic planning initiatives. For example, the GPG states that:
"The process of analyzing threats in a risk analysis can identify situations with a high probability of occurring in a near-term horizon. As such, these risks may need an increased level of attention and preparedness. By contrast, the analysis of longer-term trends is not as common, yet this form of horizon scanning can provide an objective perspective on the future BC activities in addition to strategic planning."
The GPG further suggests that consequences of the trend toward greater globalization can be seen in widespread adoption of extended supply chains:
"The increased examination of supply chains has identified new and hidden tiers within the supply chain, which are increasingly important considerations for strategic plans. …Trend analysis may well be performed by strategy or risk management within the organization or by individual lines of business, but it is an important resource to tap into and use to ensure the BC program is suitable for both the near term and in the future."
About the author:
Paul Kirvan, CISA, FBCI, works as an independent business continuity consultant and auditor, and is secretary of the U.S. chapter of the Business Continuity Institute and member of the BCI Global Membership Council. He can be reached at [email protected].
Developing successful BC exercises
Dig Deeper on Disaster recovery planning - management
Zombified Gov.uk Verify is officially dead - so what's next?
Industry concerns over government digital identity plans risk a confusing outcome for users
Follow these standards for business continuity and resilience
Meet the Identity and Attributes Exchange – GDS’s future for digital identity after Verify