Getting people to think about business continuity and to include it in their daily lives is one of the most difficult and under-appreciated aspects of a business-continuity programme, yet it can make or break the perception of the programme's success.
It doesn't matter how good your resilience and continuity is; if people do not know about it, don't know what to do during an incident, or don't know how to maintain the programme, then you have failed to achieve some of the fundamental principles of implementing business continuity.
Communication through education, training, and awareness campaigns regarding the organisation's business continuity is necessary at all levels: staff, management, directors, and key suppliers.
Embedding business continuity into the organisation requires an organisation-wide culture change. Organisational culture is often described as "the way we do things," which can be broken down into a collection of shared values, working styles, and patterns of behaviour that are typically enforced by a set of strong social protocols to establish and control behavioural patterns. Industry experience has shown that behavioural-change initiatives fail to achieve lasting commitment unless attitudes and beliefs are also engaged and corrected.
One such attitude that frequently acts as a barrier to business-continuity management (BCM) is the idea that "it will never happen here" or "it will never happen to us." In 2003, while embarking on my first BCM project in Oman, I heard these exact comments when discussing BCM threats and risks related to cyclones, hurricanes, floods, industrial disputes, and civil disorder/strikes.
The extent of success in embedding BCM into an organisation is determined by the degree to which individuals change their behaviour, attitudes, and beliefs. To measure and assess these attitudes and behavioural patterns, we first have to establish a baseline for the level of current awareness. This helps the organisation to develop a targeted training, education, and awareness strategy and allows the measurement of change achieved through the program. This awareness assessment is similar to a Training Needs Analysis, which comprises the following:
Identifying the current level of BCM awareness;
Defining the desired level of BCM awareness;
Understanding the nature and scope of the gap to be addressed between 1 & 2.
Once the gaps have been identified, the organisation must work out what needs to be communicated and the best way of doing so. This strategy may also require some development in terms of the tools and techniques that will be used.
Embedding business continuity within the organisation is a battle of hearts and minds. People need to know what it is, what it does, of what benefit it is to them, and what could happen if it doesn't work or is not maintained.
The key messages that need to be delivered and understood can be summarised as the who, what, when, where, and why of business continuity. The campaign (or project) will then define how these are best communicated. A key aspect is to ensure all campaign activities are conducted in a clear, easy to understand, and consistent manner so that no misunderstandings, mixed messages, or confusion will arise.
Simply put, who is responsible for what when it comes to business continuity? This includes the following:
nWhat are the roles and responsibilities for establishing and maintaining business continuity?
nWhat are the roles and responsibilities for investigating, invoking, and revoking business continuity?
Who has ultimate accountability for the above?
The above information may be broken down by function, job title, and/or names of employees (e.g., business continuity manager, department manager, internal audit, corporate communications, human resources, and risk management).
It is also advisable to implement personal-performance measurement criteria for each of these roles to assess whether these activities are being performed as required on an ongoing basis.
Lastly, there should be one named senior manager or executive at the top level of the organisation, who has accountability for business continuity.
This aspect should cover the communication of the responsibilities of the identified roles, such as maintaining BIA information, updating business-continuity plans, maintaining recovery facilities, updating IT disaster recovery plans and facilities, and conducting exercises.
Each group of individuals identified above (in the Who section) will require specific briefing and clarification on what is expected of them in their business-continuity role and how this responsibility relates to their day-to-day role.
In addition, all the remaining staff will need to be briefed on what they may be expected to do during an incident.
For example, when an incident occurs, they may need to await instructions from their manager, or after a fire evacuation, they may need to wait at an assembly point for instructions.
Once an organisation has identified those individuals who will be involved in business continuity and has briefed them on their responsibilities, it is important to let these individuals know when they should expect to snap into action.
This will include timing requirements for reviewing and updating;
BIA and recovery requirements;
Business and IT recovery plans; and
IT disaster recovery and business-recovery facilities.
It will also be necessary to communicate how and when issues and problems need to be escalated; to whom; how they will be managed; and who is entitled to make decisions regarding business continuity, IT disaster recovery, and solutions to the issues/problems.
This part involves telling people where they are expected to go if an incident occurs and business continuity is invoked. Should they go home, proceed to the business-recovery site, meet at the nearest hotel, or go to the IT disaster recovery site? A clear plan detailing who may be required to conduct essential activities and when and where they will perform these activities should be communicated.
This is probably one of the most important aspects to communicate. It needs to be relevant to each group identified above and relevant to each function. Individuals need to relate to the need for business continuity, the benefit it brings, and the protection it provides.
This aspect will vary from organisation to organisation and covers the methods that can and will be used to communicate the information above.
The tools and techniques may consist of posters; newsletters; computer-based training; e-Learning; BCM-awareness DVDs; email briefings; verbal team briefings; awareness sessions; Trips to the business-recovery site and/or IT disaster recovery site; involvement of relevant individuals in testing; inclusion of business continuity in induction programs; management presentations; business-continuity intranet site/pages.
*The author, who has over twenty-five years
experience in business continuity, information security and risk management, is the General Manager of Al Mamlakah Services United LLC. This article is the ninth in a series of 10 weekly articles on aspects of business continuity, which will be carried on Monday's edition of Times of Oman.