 |
| John Bartlett CBCI, DBCI |
Getting people to think about business continuity and include it in their daily lives is one ofthe most difficult and underestimated aspects of a business continuity programme, yet it can make or break the perception of how successful the programme is. It doesn’t matter how good your resilience and continuity are, if people do not know about it, what to do in an incident or how to maintain it, then you have failed to achieve some of the fundamental principles of implementing business continuity.
This requires communication in the form of education, training and awareness on your organisations business continuity at all levels: staff, management, Directors and key suppliers. Embedding business continuity in the organisation requires an organisational culture change. Organisational culture is often described as ‘the way we do things’, which can be broken down into a collection of shared values, working styles and patterns of behaviour, typically enforced by a set of strong social controls which establish behaviour and control the behavioural patterns. Industry experience has shown that behaviour change initiatives fail to achieve lasting commitment unless attitudes and beliefs are also engaged and corrected. One such attitude which occurs frequently as a barrier to BCM is: ‘it will never happen here’ or ‘it will never happen to us’. In 2003, when embarking on my first BCM project in Oman, I heard these exact comments when discussing BCM threats and risks relating to Cyclones, Hurricanes, floods, industrial disputes and civil disorder/strikes.
The extent of successfully embedding BCM into the organisation will be determined by the degree to which individuals change their behaviour, attitudes and beliefs. To measure and assess this we first have to establish a baseline for the level of current awareness. This helps develop a targetted training, education and awareness strategy and allow the measurement of change achieved through the program. This awareness assessment is similar to a Training Needs Analysis which comprises of:
- Identifying the current level of BCM awareness;
- Defining the desired level of BCM awareness;
- Understanding the nature and scope of the gap to be addressed between 1 & 2.
Once the gaps have been identified, it is a case of working out what needs to be communicated and the best way of doing it. This may also require some development in terms of the tools and techniques that will be used.
Embedding business continuity within the organisation is a battle of ‘hearts and minds’. People need to know what it is, what it does, what benefit it is to them and what could happen if it doesn’t work or is not maintained. The key messages that need to be delivered and understood can be summarised as the who, what, when, where and why of business continuity, the campaign (or project) will then define how these are best communicated. A key aspect is to ensure all the campaign activities are conducted in a clear, easy to understand and consistent manner so that no misunderstanding, mixed messages or confusion occurs.
Who
Simply put, who is responsible for what when it comes to business continuity. This includes:
- What are the roles and responsibilities for establishing and maintaining business continuity?
- What are the roles and responsibilities for investigating, invoking and revoking business continuity?
- Who has ultimate accountability for the above?
The above information may be broken down by function, job title and/or individuals name, such as business continuity manager, department manager, internal audit, corporate communications, human resources, risk management, etc. It is also advisable to implement personal performance measurement criteria for each of these roles to assess whether these activities are being performed as required on an on-going basis. Lastly, there should be one named Senior Manager or Executive at the top level of the organisation who has accountability for business continuity.
What
This aspect should cover communicating what the roles will be required to do, such as maintaining BIA information, updated Business continuity plans, maintaining recovery facilities, updating IT disaster Recovery plans and facilities, conducting exercises and such forth. Each group of individuals identified above (in the Who section) will require specific briefing and clarification on what is expected from them in their business continuity role and how this relates to their day-to-day role.
In addition to the above roles, there will need to be an explanation to all the other staff to explain to them what they may be expected to do (for example, in the event of an incident await instructions from their manager or after a fire evacuation wait at the assembly point for instructions).
When
Having determined and communicated who is involved in business continuity and what they are expected to do, it is important to let them know when they are expected to do it. This will include timing requirements for reviewing and updating:
- BIA and recovery requirements;
- Business continuity risks;
- Business continuity strategy;
- Business and IT recovery plans;
- IT Disaster Recovery and business recovery facilities;
It will also be necessary to communicate how and when issues and problems need to be escalated, to whom, how they will be managed and who is entitled to make decisions regarding business continuity, IT Disaster Recovery and the issues/problems.
Where
This part should communicate where people are expected to go in the event of an incident if business continuity is invoked. Should they go home, proceed to the business recovery site, meet at the nearest hotel, go to the IT Disaster Recovery site, etc. A clear plan of who may be required to conduct essential activities, when and where they will perform them should be communicated.
Why
This is most probably one of the most important aspects to communicate. It needs to be individually relevant to each group identified above and each function. Individuals need to relate to the need for business continuity, the benefit it brings and the protection it provides.
How
This aspect will vary from organisation to organisation and covers the methods that can and will be used to communicate the information above, the tools & techniques, which may consist of:
- Posters;
- Newsletters;
- Computer Based Training;
- E-Learning;
- BCM awareness DVD’s;
- Email briefings;
- Verbal team briefings;
- Awareness sessions;
- Trips to the business recovery site and/or IT Disaster Recovery site;
- Individuals involvement in testing;
- Inclusion of business continuity in induction programs;
- Management presentations;
- A business continuity intranet site/pages.
No comments:
Post a Comment