Business Continuity: Finding Vulnerabilities in Your Supply Chain
- By Sean Mueller
- Dec 14, 2020
Not every company can be Nike. As with most retailers, it experienced a first-quarter loss in 2020. Its revenue dropped 38%. However, its latest quarter showed a $1.5 billion net profit, which was 11% higher than the same 2019 quarter. How was it that Nike was able to pivot and outperform Wall Street predictions?
Nike is known for its world-class supply chain expertise, and after years of analysis, they’ve nearly perfected the manufacturing process. The company used the information to build a resilient supply chain by identifying vulnerabilities and working to minimize associated risks. It then created a business continuity plan that would ensure its ability to thrive during catastrophic events.
Business Continuity Plans (BCP)
Continuity plans are more comprehensive than disaster recovery plans. They outline how an organization will operate during an unplanned service disruption. Contingencies are outlined for every aspect of the business, including supply chains.
According to an informal survey conducted by Harvard Business School, almost 70% of companies were still trying to find potential solutions to the disrupted supply chain well into March and April. With a business continuity plan, companies such as Nike were the first to secure the materials and resources to keep their supply chain functioning. Why? Those businesses had already asked and answered questions to ensure continuous operation. They had found answers to three questions:
- Is the supply chain visible?
- Is the supply chain agile?
- Is the supply chain resilient?
The companies had assessed the vulnerabilities in their supply chain and developed plans to mitigate the risk when a disruption occurred.
Supply Chain Visibility (SCV)
Supply chain visibility enables companies to know their inventory status and where the components, parts, or products are while in transit to a final destination. Visibility is designed to strengthen the process by keeping all stakeholders informed as to what is happening.
Visibility is also knowing what suppliers will do if a problem arises anywhere in the supply chain. For example, businesses are concerned about the final mile deliveries. Focusing on the end of the journey assumes that the upstream supply chain is working flawlessly. What if it isn’t? Companies need to ask their upstream providers what their business continuity plans are. There’s no point in worrying about the last mile if the shipment never finishes the first.
What happens if inventory cannot leave an organization’s primary facility? Labor strikes, natural disasters, or political upheavals can delay or force the rerouting of shipments. Businesses need to know what alternatives are available and how suppliers will respond. These plans need to be visible to the entire supply chain. According to a recent study by McKinsey, supply chain visibility is crucial to identifying relationships that increase vulnerabilities.
Supply Chain Agility
If nothing else, 2020 has taught organizations exactly how critical agility is. Why were some manufacturers able to keep their brands on the shelves and others not? Those who could scale quickly and maintain a reliable process were far ahead of those who struggled to maintain their existing supply chain.
Agility characterizes a process that responds quickly to changing requirements while delivering significantly different outcomes effectively. In other words, an agile company would know the financial ramifications of one distribution channel over another and be able to pivot to a more cost-effective solution.
For example, a company’s primary delivery port suddenly has a labor strike. Agile companies with a business continuity plan have already assessed other routes. They know other ports that can be cost-effective alternatives.
Logistics providers with robust delivery channels should have plans in place for a service disruption. They should be able to move quickly to realign resources for on-time delivery. If not, organizations are creating a vulnerability that can increase potential risks.
Supply Chain Resilience
Before companies can be resilient, their supply chains must be visible and agile. Without those capabilities, companies cannot mitigate risk from unexpected events. Supply chain resilience is the ability to prepare for unforeseen circumstances and to respond to and recover quickly from potential disruptions.
McKinsey analyzed unexpected events such as financial crises, terrorism, extreme weather, or pandemics and their impact on resilience, specifically what the lack of resiliency costs an organization.
They looked at disruptions in the supply chain for over ten years. They calculated that a company would lose 42% of one year of before-tax earnings in that same ten-year period from unplanned disruptions. Such losses are a strong financial motivator for supply chain resilience.
Where are vulnerabilities in supply chain resilience? Vulnerabilities reside with the participants. If they lack a business continuity plan, they can’t respond quickly, which increases the potential risk.
For example, is everyone in the supply chain ready to pivot if the country’s political climate turns hostile? Do they have resources in place to move as much inventory as possible as quickly as possible to ensure a steady supply? If not, the ability to meet demand may be compromised.
Supply Chain Vulnerability
To eliminate vulnerabilities, companies must make sure their supply chains are visible, agile, and resilient. They must document their methods in a business continuity plan that is used whenever a service disruption occurs. It doesn’t matter if the interruption is a power outage or a global crisis; the document must ensure a rapid return to operations.
Before the start of a new year, companies need to evaluate their supply chain carefully. They need to ask hard questions of their suppliers, such as:
- Do you have a continuity plan?
- If you have a power outage, will my shipment go out on schedule?
- If my distribution center closes because of adverse weather, can I easily shift to another center?
- What happens if a border closes and my shipment can’t get through?
- Can I ship to a different port?
If you aren’t happy with the answers, contact Symbia Logistics to discuss how we can help your company be more agile, visible, and resilient.
The Ultimate Guide to Business Continuity
Last Updated: January 23rd, 2023
This article explains everything you need to know about Business Continuity.
You’ll learn what it is, why it’s important to your organization, how to develop a business continuity program, how to establish roles & responsibilities for your program, how to get buy-in from your executives, how to execute your Business Impact Analysis (BIA) and Business Continuity Plans, and how to integrate with your Crisis Management strategy.
We’ll also provide some perspectives on how to get help with your program and where to go to learn more about Business Continuity.
What is Business Continuity?
Business continuity is a rapidly evolving discipline, so there’s understandably still a lot of confusion about what a business continuity program really encompasses. Google “what is a business continuity program” and you’ll see what I mean.
Sometimes the best way to understand something is by understanding what it’s not.
And a business continuity program is not:
- A business continuity plan (standing alone)
- An IT disaster recovery plan
- A software subscription
- An insurance policy from your insurer
- Filling out a template and checklist and putting your staff through a one-hour click-it and forget-about-it web-based training module
While these are all important pieces of a business continuity program (although arguably not insert-fork-in-eyes web training), they are not in themselves a comprehensive and effective business continuity program.
So then, what exactly is a business continuity program and what does it take to make sure yours gets the job done?
Most simply, we think of business continuity planning as the discipline of making your organization more resilient, or able to solve big problems.
A business continuity program is the means by which you embed this discipline into your organization to build your capacity to prevent, withstand, and recover from unplanned disasters and adverse events. In the face of disruption, it ensures that you can continue operations and protect your most important assets, especially your people.
ISO, the international standards body, would further define business continuity in ISO 22300 as
The capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption.
The Value of Business Continuity
Here are some of the ways that we explain the value of a business continuity & crisis management program to help our clients win over their internal stakeholders:
- Investing in business continuity demonstrates that you value your people: Not only will you better protect human life and safety; you’ll also position your team to respond more quickly to protect and recover your organizational assets during and after a crisis. Your employees are your most important crisis management tool and investing in their well-being and safety will undoubtedly pay dividends during your next crisis.
- Business Continuity protects your organization’s most important assets: When done right, your business continuity & crisis management program should provide a structured process for identifying your organization’s most important assets and implementing a plan to hedge against the potential loss of or damage to those assets.
- Investing in Business Continuity protects your reputation and elevates you over the competition: It can take decades to build a reputation but only minutes to destroy it. When the next heatwave shuts down the power grid, you don’t want to be the hospital that’s forever remembered for its patients dying from heatstroke.
- Your business continuity & crisis management program helps your organization meet its compliance obligations: Business continuity & crisis management best practices often reflect the demands of regulatory and compliance obligations. As a result, investing in your program is also an indirect investment in helping to meet your compliance obligations. In addition, in many instances, ensuring operational continuity is an explicit regulatory imperative. PCI for payment processors and HITRUST, EHNAC, and DirectTrust for patient health information are just a few examples.
- An effective business continuity & crisis management program helps you identify and mitigate risk: A strong business continuity and crisis management program is rooted in identifying and preparing for specific risks, which inevitably helps your enterprise risk management team and other risk-focused teams on their mission of anticipating and avoiding those same risks. These teams also share many of the same stakeholders. So it’s no surprise that companies whose risk management and business continuity teams work together closely in a bone-building synergy create enormous value for their organization.
We’ve written extensively on the value of business continuity & crisis management programs. Some of our best articles on the topic include What’s the Value of Business Continuity: Beyond ROI, How to talk with your CEO about Business Continuity, Making the Case for your Business Continuity Program, and 10 Tips for framing your case for Business Continuity to Executives.
Business Continuity is an important component of an overall Resilience Strategy
Business Continuity is important to an organization, but in our minds, it’s just one component in an overall resilience strategy for an organization. We believe there are fundamental components that every business should have in place if they want to make good on their overall resiliency imperatives.
“The ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper.”
But like a lot of standards-based definitions, this leaves a lot to read between the lines.
At Bryghtpath, we think of resilience as a group of capabilities that supports an organization’s ability to solve big problems, continue operations, protect its assets, and most importantly, protect its people.
On a practical level, this is achieved with basic blocking & tackling—implementing certain key components in a logical way to prevent, plan for, respond to, and recover from disruption.
These core components consist of:
- Business Continuity
- IT Disaster Recovery (or Technology Continuity)
- Crisis Management
- Enterprise Risk Management
- Information Security
- Physical Security (or Global Security, or Corporate Security), including travel safety & security, Intelligence, & workplace violence prevention
- Crisis Communications
- Life Safety and Emergency Procedures (Evacuation, First Aid, Shelter-in-Place, etc.)
Implementing a full-blown resilience strategy from scratch is a tall challenge. We’ve written extensively about thinking through a resilience strategy for your organization, how to prioritize efforts, and working around roadblocks that may get put into your path in our article What is Resilience?
Business Continuity Policy
The ISO 22301 Standard calls for a business continuity policy for the organization that accomplishes 4 specific goals in clause 5.2.1:
- Is appropriate to the purpose of the organization: In other words, the policy outlines a business continuity management system (BCMS) that is appropriate for the organization’s size, scope, and strategic objectives.
- Provides a framework for setting business continuity objectives: The policy establishes a process by which the organization establishes objectives for the business continuity program and monitors progress towards those objectives. This generally means some sort of governance process, such as a business continuity steering committee, which sets and monitors these objectives.
- Includes a commitment to satisfy applicable requirements: The policy must outline the organization’s intent to satisfy all appropriate internal and external requirements relevant to business continuity. This might include things like HITRUST, ISO 22301, FFIEC, PCI, or other regulations or compliance frameworks applicable to your specific industry or company.
- Includes a commitment to continual improvement of the Business Continuity Management System (BCMS): The policy must outline that the organization is committed to continually improving its business continuity program.
ISO 22301 further outlines that the business continuity policy must be communicated within the organization, specifically requiring in clause 5.2.2 that:
- The policy be available as documented information
- The policy be communicated within the organization
- The policy be available to interested parties, as appropriate
Beyond the industry standard requirements in ISO 22301, we typically use a Business Continuity Policy to set the strategic approach for a business continuity & crisis management program, delegate authority to the program for certain activities, define governance and accountability requirements, establish roles and responsibilities, and incorporate other documentation that provides more operational detail.
We believe it is important in a policy to clearly define terms like business continuity, disaster recovery, and crisis management – and assign responsibility for these components of an overall business continuity program to certain business units in the organization. The policy should also define the roles and responsibilities of executive sponsors and the steering committee in an organization.
Roles and Responsibilities within a Business Continuity Program
We believe that establishing clear roles and responsibilities within a Business Continuity Program is critical to its success.
Business Continuity and Crisis Management are often paired together in the same organization or as parts of a broader program, which might be called Business Continuity, Business Continuity & Crisis Management, or just Resilience or something similar. However you choose to think of them, in almost every case they are part of the same broader program – and that program must have a governance structure with clear roles and responsibilities to be successful.
Here’s a breakdown of the most common roles that should be established within a Business Continuity & Crisis Management Program:
- Board of Directors: Every board member has a fiduciary duty to exercise strategic level visibility and oversight over business continuity and crisis management. Importantly, the board sets the foundation for success by promoting a company culture that recognizes the value of managing risk well.
- Audit or Risk Committee: Specific board oversight and strategic level visibility are typically delegated to the board’s risk or audit committee, as outlined in the committee charter. Sometimes another committee has this responsibility such as an operations or governance committee.
- Executive Management: Each member of the executive team retains ultimate oversight and responsibility for crisis management & business continuity planning in their specific area of operations.
- Executive Sponsor: One or two persons at the executive level (typically the general counsel, COO, CIO, CTO, or a C-Suite appointee) act as executive sponsors. They have direct oversight of the crisis management & business continuity program and usually chair the steering committee.
- Steering Committee Members: The business continuity & crisis management steering committee—usually an interdisciplinary team of six to eight people—meets quarterly or annually to ensure the program is aligned to corporate strategy and objectives and is maturing and making forward progress towards annual goals.
- Business Continuity & Crisis Management Program Manager: The program manager has direct oversight and responsibility for business continuity & crisis management program operations, reporting, and day-to-day activities. They manage and set the programmatic expectations that guide the execution of the program throughout the year.
Well-defined and understood roles and responsibilities are critical to the success of your organization.
We’ve written a more detailed article on Business Continuity Program Roles & Responsibilities which provides much more context and insights that you may find valuable as you explore additional roles & responsibilities within your program.
Effective Business Continuity Governance
If you think that having good governance for your business continuity and crisis management program is just an exercise in bureaucratic box-checking, you’re missing the point.
Like most people who come to us with a problem, you might have issues:
- Getting your executives to care about your business continuity and crisis management program
- Getting other teams to participate in business continuity activities
- Getting IT to build the availability and disaster recovery strategies that you need to ensure continuity of operations for business teams
Here are some key benefits of strong & effective business continuity governance:
- Builds visibility and awareness for your business continuity program
- Helps identify and address gaps in your business continuity program
- Provides a mechanism for accountability
- Ensures compliance with ISO 22301
How to implement effective business continuity governance:
- Get your policy in place
- Set clear roles & responsibilities
- Build a strong steering committee
We’ve written an extensive article on business continuity governance that we think you’ll find helpful: Why good Business Continuity Governance is critical to Resilience.
Beyond having good governance in place, we strongly encourage identifying an executive sponsor (or sponsors) for your program that can champion your program internally with senior leadership.
Effective executive champions do a few key things that can help your program advance:
- Continually look for opportunities to build the case for business continuity with their peers
- Unapologetically forward your business continuity agenda
- Help your business continuity team anticipate strategic changes
- Act as a mentor and trusted source of help to you and your business continuity team
Executive champions are the proverbial wingman to the business continuity & crisis management team.
Learn more about the role that an executive champion can play in advancing your business continuity program in our article How to Champion your Business Continuity Program as an Executive Sponsor.
The Business Continuity Steering Committee
We believe that a strong Business Continuity Steering Committee is an important part of a business continuity program as it provides you with an approach to governance oversight for your program. It’s also a critically important forum for sharing the strategy, progress, and challenges that your program is facing as you seek to improve your organization’s resilience.
Some typical responsibilities for the Business Continuity Steering Committee might include:
- Provide strategic program guidance to ensure that the objectives of your business continuity program are achieved
- Promote an environment of ownership and accountability within business units
- Set priorities for program execution and risk mitigation
- Ensure that adequate resources are available to meet your program’s objectives
- Review the status of the program through a review of strategic and operational metrics provided by your team to the Steering Committee
- Review gaps in the program, such as the gaps between business requested technology RTOs and actual recovery capabilities – prioritizing actions to resolve, mitigate, or accept program gaps
- Continually improve the effectiveness of the Business Continuity program through the regular review of policies, objectives, audit results, management responses, program updates, preventative and corrective actions, and the review of after-action reports following activations and exercises.
Typically, the Steering Committee will be led by your Executive Sponsor(s) and consist of 6-8 leaders across your organization representing the major business and support organizations. We strongly recommend that a senior IT leader be one of the members due to the critically important technology dependencies in almost every organization.
We recommend that Steering Committees meet at least quarterly, but when starting up a new program you may want to have this group even meet monthly in order to provide guidance and insights while helping remove obstacles that arise during program implementation.
Business Continuity Lifecycle
A business continuity lifecycle helps illustrate to an organization the necessary processes to bring a business continuity program to life. It’s a cyclical process of assessing threats and impacts; developing, exercising, and maintaining plans.
The business continuity annual lifecycle generally consists of the following components, which are executed annually or every other year:
- Identify critical business processes and capture impacts of a disruption through the Business Impact Analysis
- Build procedural tasks and guidance for recovery of critical business processes in a Business Continuity Plan
- Validation of plan tasks and operation
- Build confidence & muscle memory
- Continual plan maintenance
Beyond the high-level illustration of an annual lifecycle there is a more detailed process lifecycle for Business Continuity that illustrates the connectivity between various components in a broader program, including risk assessment, disaster recovery, incident & crisis management, issues management & risk mitigation, and post-incident/crisis after-action reporting.
Why do you need a business continuity lifecycle?
Most businesses make the mistake of thinking that business continuity planning is a linear process, rather than a circular one.
They assess the most likely threats to their critical functions, develop plans to mitigate the impacts of those threats, conduct a few trainings and exercises, and consider the business continuity planning box to be “checked” for good. The result is a flat and lifeless program that quickly goes stale.
But your business and the threats that face it change and evolve over time. And when your plans for responding to those threats don’t, the resulting miscalibration all but guarantees that your company will become less resilient over time.
As any fitness buff will tell you (although I’m definitely not one of them), you have to continually use and exercise your hard-earned muscles if you want to maintain them. And because your body and environment change over time, you will probably have to adjust your routine to keep the same fitness results.
This example perfectly illustrates the need for a business continuity lifecycle—a cyclical process for assessing likely threats and their potential impacts on your business, developing plans to address those threats, and then exercising, reviewing, and improving those plans over time.
Once you’ve built your organization’s resilience muscles—with a comprehensive business impact analysis and thorough business continuity plans—you have to exercise and adjust those plans to ensure that your resilience muscles are always ready to do the job.
The business continuity lifecycle is how we do this.
We discuss the concepts behind a Business Continuity Framework in Episode #102 of our Managing Uncertainty Podcast.
You can obtain a copy of our Bryghtpath Business Continuity Framework here on our website. It’s the same process we use here at Bryghtpath in our Business Continuity as a Service (BCaaS) offering.
We’ve written an extensive article about the business continuity lifecycle that you may find valuable: What (almost) everyone gets wrong about the business continuity lifecycle.
The Business Impact Analysis (BIA)
How many days can payroll be down before it impacts your business?
What about the servers that power customer networks? Or that internal VPN employees use to work remotely?
An hour? A day? A few weeks?
You may not know how long your business could survive without critical systems, business processes, facilities, or third-party service providers/suppliers.
For that reason, a thorough business impact analysis (BIA) is one of the most important steps you can take within your business continuity program.
Here’s what a business impact analysis is, why it’s important, and what you’ll learn by doing one.
Here’s the formal definition of a business impact analysis from the ISO 22301 Standard:
- The process of analyzing the impact over time of a disruption on the organization.
To say it more clearly: A business impact analysis is a thorough examination that exposes the likely impact a business disruption will have on the revenue, expenses, operations, and reputation of your company.
Here’s an example of what an impact analysis report looks like, including the impact over time across multiple different factors.
Recovery Time Objectives
Business disruptions aren’t usually isolated.
If a hurricane knocks your data center offline, your customers might be locked out of their systems, payroll might be down, the internal intranet might be inaccessible, and lots more.
Over and over, we’ve seen companies make the same mistake in this situation: They try to recover every system and every process all at once. And it’s a mistake that can easily cost a company millions of dollars.
That’s why recovery time objectives (RTOs) are so important.
Some systems and processes need to be recovered now — usually, these are the ones that generate revenue: customer products and records, sales pages on an eCommerce website, or similar systems.
Every minute these systems are down, they cost you money.
Other systems need to be recovered, but they don’t necessarily have to be recovered immediately.
Payroll, for example, needs to be recovered quickly — but not necessarily ahead of revenue-generating systems.
A business impact analysis looks at each critical system in your business and assigns it an RTO.
With recovery time objectives in place, we can build a prioritized list of systems and processes to recover during a disruption — a key first step when creating a business continuity plan.
Conducting your Business Impact Analysis (BIA)
- Scope the Need: Determine which areas we need to look at – we often do this through a high-level criticality survey to determine what are the critical functions or processes within an organization. Often this helps us narrow the BIA to truly critical processes that need to be recovered within a short period of time.
- Schedule BIA Interviews and Assign Prework: We identify everyone that we need to interview and send them some simple prework to complete before our conversation. This often involves basic questions about their responsibilities and their history with previous business disruptions. That way they come to the interview with a clear idea of what we’ll be discussing.
- Conduct BIA Interviews: The interviews are the most important part of the process — because this is where we uncover the strengths and weaknesses of your systems and processes. We capture details on your business process recovery time objectives (RTOs) and your dependencies (technologies, vendors/third parties, facilities, other business processes), and your recovery time needs for each of those.
- Prepare and Present a BIA Report: When all the interviews are complete, we aggregate everything we’ve learned, including the impact of a disruption to revenue, expenses, and reputation in every area we’ve examined. Our report also includes our analysis of key systems and business processes, along with recovery time objectives for every area. The report also captures the interdependence of operations within your organization.
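One way to turn the BIA interview output described above (process RTOs, dependencies, and recovery capabilities) into a prioritized recovery list and a gap list, as an added example that is not Bryghtpath's own tooling. It goes beyond the text by pushing each process RTO down to the things that process depends on; every item name and hour value is constructed sample data.

```python
"""Added example: BIA records -> recovery order and RTO gap list (constructed data)."""
import heapq
from dataclasses import dataclass, field
from math import inf
from typing import Optional


@dataclass
class BiaItem:
    name: str
    rto_hours: Optional[float] = None     # business-requested RTO (set for processes)
    actual_hours: Optional[float] = None  # recovery capability stated or tested by the owner
    depends_on: list = field(default_factory=list)


def required_rtos(items):
    """Return {name: (required_hours, driving_process)}.

    A dependency must be back no later than the tightest RTO of anything
    that relies on it, directly or through other dependencies.
    """
    names = {i.name for i in items}
    for i in items:
        for dep in i.depends_on:
            if dep not in names:
                raise ValueError(f"{i.name} depends on {dep}, which has no BIA record")
    req = {i.name: (inf if i.rto_hours is None else i.rto_hours, i.name) for i in items}
    changed = True
    while changed:  # fixpoint: values only ever decrease, so this terminates
        changed = False
        for i in items:
            hours, driver = req[i.name]
            for dep in i.depends_on:
                if hours < req[dep][0]:
                    req[dep] = (hours, driver)
                    changed = True
    return req


def recovery_order(items):
    """Dependencies first, tightest required RTO first among whatever is ready."""
    req = required_rtos(items)
    waiting = {i.name: set(i.depends_on) for i in items}
    dependents = {i.name: [] for i in items}
    for i in items:
        for dep in set(i.depends_on):
            dependents[dep].append(i.name)
    ready = [(req[n][0], n) for n, deps in waiting.items() if not deps]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for d in dependents[name]:
            waiting[d].discard(name)
            if not waiting[d]:
                heapq.heappush(ready, (req[d][0], d))
    if len(order) != len(items):
        stuck = sorted(set(waiting) - set(order))
        raise ValueError(f"circular dependency among: {stuck}")
    return order


def rto_gaps(items):
    """Items whose recovery capability is slower than what the business needs."""
    req = required_rtos(items)
    gaps = [(i.name, req[i.name][0], i.actual_hours, req[i.name][1])
            for i in items
            if i.actual_hours is not None and i.actual_hours > req[i.name][0]]
    # Tightest requirement first, then the largest shortfall.
    return sorted(gaps, key=lambda g: (g[1], g[1] - g[2]))


# Constructed sample: two business processes and the things they rely on.
SAMPLE_BIA = [
    BiaItem("order-processing", rto_hours=4,
            depends_on=["ecommerce-platform", "payment-gateway"]),
    BiaItem("payroll", rto_hours=72, depends_on=["hr-system", "idp"]),
    BiaItem("ecommerce-platform", actual_hours=8, depends_on=["idp", "orders-db"]),
    BiaItem("orders-db", actual_hours=2),
    BiaItem("idp", actual_hours=24),
    BiaItem("hr-system", actual_hours=48),
    BiaItem("payment-gateway", actual_hours=4),
]

if __name__ == "__main__":
    print("Recovery order:", " -> ".join(recovery_order(SAMPLE_BIA)))
    for name, need, have, driver in rto_gaps(SAMPLE_BIA):
        print(f"GAP {name}: needs {need}h (driven by {driver}), capability {have}h")
```

In the sample, the identity provider looks adequate when judged only against payroll's 72-hour RTO, but it surfaces as the largest gap once the 4-hour requirement of order processing is carried through the e-commerce platform that depends on it.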
BIAs are an important foundation of your Business Continuity Program
Without a BIA, you’ll lack the data to properly prioritize your business continuity plan. In the worst case, you may even be overlooking critical systems and processes you never thought to include in the first place.
Without a BIA, you’re blind to the full impact a disruption could have on your revenue, expenses, and reputation.
With a BIA, you’ll have the data you need to plan a business continuity program that protects the most critical systems and processes first — and gives you a roadmap for recovering everything else in order of importance.
Learn more about the Business Impact Analysis (BIA)
We’ve written an extensive overview of the Business Impact Analysis (BIA) that you may also find helpful with additional context and insights.
Business Continuity Plans
How long does the business continuity planning process take? And who should be involved?
I would love to be the definitive source of truth here, but in reality, there is no perfect answer. Size, location, industry, management structure, and existing reporting, resources, and experience—every company is different, as are their business continuity planning needs. These factors and more influence how we tailor our approach to business continuity planning with each of our diverse clients.
Still, like many, you’re probably here because you’re getting ready to embark on the business continuity planning process and you have a lot of questions.
Bryghtpath has over 50 years of collective experience in business continuity planning working with a multitude of global clients in varied industries.
1. Establish the Fundamentals of Business Continuity Planning
When we start working with clients on their business continuity plan or BCP, the general end goal is always the same—create a plan to keep things running in the event of a disruption. But while most companies have the same vision for the outcomes of their business continuity planning process, they may have different ideas of how they are going to get there.
Your company should begin the process by agreeing on a few fundamentals.
- What are the plan objectives?
- Who will be responsible for creating and activating the plan?
- What resources are available for Business Continuity Planning?
2. Assess Risks and Business Impacts
Just as the integrity of a well-built home depends on laying a sound foundation, so too does the effectiveness of a good business continuity plan rely on the right assumptions. A thorough business impact analysis, or BIA, is key to developing the accurate underlying assumptions that will ensure business continuity planning success.
3. Select and Develop your Response & Recovery Strategies
The menu of response and recovery strategies is typically broken down by resource (i.e. workplace, workforce, 3rd parties, and technology) and also includes an estimation of the time needed to implement and the expected sustainable duration for each strategy.
Each separate recovery strategy should include a detailed procedure that further describes how that specific response and recovery strategy will be accomplished.
4. Create your Response & Recovery Roadmap
After all available response and recovery options have been cataloged, the next step is to develop the procedures and guidelines that will serve as your business continuity plan roadmap. Your team will use this roadmap to help you initially assess the disruption, activate the appropriate response strategy, and carry out that strategy to completion.
A critical part of preparing your response and recovery roadmap is detailing how and when you will evaluate your plan. While the inherent nature of business disruptions precludes testing your business continuity plan in a practical sense, regularly reviewing the performance of your BCP can provide important insights and improvements.
Likewise, roles change, people leave, and technology and processes evolve. And disruptions that were once unimaginable (like a global pandemic) may emerge as all-important. You should evaluate and update your BCP on a regular (at least annual) basis and also as an after-action following any specific response and recovery plan activation.
We’ve written a detailed article, 4 Steps to Business Continuity Planning Success, that goes into further detail on business continuity planning and that you may find helpful as well.
Business Continuity & IT Disaster Recovery
Business continuity and crisis management experts rarely talk about the gap between business continuity and IT disaster recovery planning.
But they should.
The distance between the IT disaster recovery program you have and what you need could be bigger than you think.
Consider one of our clients, whose IT disaster recovery plans for several critical systems needed to support a recovery time objective of 24 hours but were built for 7 days.
They’ve unknowingly been walking a tightrope over the Grand Canyon and hoping for the best. Because that 6-day gap could become a multi-million dollar problem in the face of a crisis.
My stomach is hovering somewhere above my head just thinking about it.
If you want to avoid canyon-sized gaps like this, and the potential consequences, your business continuity and IT disaster recovery functions need to work together closely.
But in most organizations, they aren’t working together at all.
Consequently, IT is often pressed to come up with its own answers to critical system requirements, such as availability, acceptable downtime or recovery time objectives (RTO), and recovery point objectives (RPO).
We think about Recovery Time Objective (RTO) as the maximum amount of time that a business process or IT system can be disrupted before the impact becomes unacceptable to the broader business. We think about Recovery Point Objective (RPO) as the point in time to which systems and data must be recovered following a disruption (sometimes referred to as maximum data loss).
Here are three ways to close the gap between Business Continuity & IT Disaster Recovery:
- Make sure IT has a seat at the table: While IT should ideally own the disaster recovery process, their input is critical both to your organization’s overall technology strategy and to determining system availability and recovery requirements in the event of a disaster. So the best and first way to close the gap between business continuity and IT disaster recovery is to ensure IT is represented in your business continuity and crisis management steering committee.
- Design your BIA process to capture the right data: Expecting your IT team to architect the right IT disaster recovery solutions without the right data is a lot like putting four wheels on a car but no gas tank and expecting it to drive. Your business impact analysis (BIA) should be designed to capture the key data that your IT team needs to design an effective IT disaster recovery plan.
- Stick to the standards (ISO 27031, more precisely): ISO Standard 27031 is specifically focused on the information and communication technology requirements for business continuity and disaster preparedness. The standard is built to ensure your IT DR program satisfies crucial data security requirements and meets the needs of your enterprise operations. It also provides for IT-led disaster recovery exercises, which should be a part of every IT DR program.
We’ve written an extensive article on this topic that expands upon these ideas, outlines common reasons for this gap between business continuity & IT disaster recovery, and goes much further into potential solutions that you may find helpful: Closing the Gap between Business Continuity & IT Disaster Recovery.
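As an added illustration (not code from the original article or from Bryghtpath), the following Python example compares the RTO and RPO that the BIA records for each business process against what each system's IT DR plan was built to deliver, and reports the gaps. The record layout, process and system names, and figures are constructed assumptions; the ERP row mirrors the 24-hour versus 7-day client case described above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessRequirement:
    """One BIA row: what the business can tolerate for a process (hypothetical layout)."""
    process: str
    rto_hours: float   # maximum tolerable disruption
    rpo_hours: float   # maximum tolerable data loss
    systems: tuple     # IT systems the process depends on


@dataclass(frozen=True)
class DrCapability:
    """One IT DR plan row: what the plan for a system was built to deliver."""
    system: str
    rto_hours: float
    rpo_hours: float


def effective_requirements(bia):
    """Per system, the tightest RTO and RPO demanded by any dependent process."""
    required = {}
    for row in bia:
        for system in row.systems:
            cur = required.setdefault(system, {
                "rto": row.rto_hours, "rto_driver": row.process,
                "rpo": row.rpo_hours, "rpo_driver": row.process,
            })
            if row.rto_hours < cur["rto"]:
                cur["rto"], cur["rto_driver"] = row.rto_hours, row.process
            if row.rpo_hours < cur["rpo"]:
                cur["rpo"], cur["rpo_driver"] = row.rpo_hours, row.process
    return required


def find_gaps(bia, dr_plans):
    """Return systems whose DR plan is missing or slower than the business requires."""
    plans = {p.system: p for p in dr_plans}
    findings = []
    for system, need in effective_requirements(bia).items():
        plan = plans.get(system)
        if plan is None:
            # A system the BIA depends on but IT has no plan for is the worst gap.
            findings.append({"system": system, "issue": "no_dr_plan",
                             "rto_gap_hours": None, "rpo_gap_hours": None,
                             "rto_driver": need["rto_driver"],
                             "rpo_driver": need["rpo_driver"]})
            continue
        rto_gap = max(0, plan.rto_hours - need["rto"])
        rpo_gap = max(0, plan.rpo_hours - need["rpo"])
        if rto_gap or rpo_gap:
            findings.append({"system": system, "issue": "objective_gap",
                             "rto_gap_hours": rto_gap, "rpo_gap_hours": rpo_gap,
                             "rto_driver": need["rto_driver"],
                             "rpo_driver": need["rpo_driver"]})
    # Missing plans first, then the largest RTO gap.
    findings.sort(key=lambda f: (f["issue"] != "no_dr_plan",
                                 -(f["rto_gap_hours"] or 0), f["system"]))
    return findings


# Constructed sample data (not from the article).
SAMPLE_BIA = [
    ProcessRequirement("Order fulfilment", 24, 4, ("erp", "warehouse-db")),
    ProcessRequirement("Month-end reporting", 168, 24, ("erp", "reporting")),
    ProcessRequirement("Customer support", 8, 1, ("ticketing",)),
]
SAMPLE_DR_PLANS = [
    DrCapability("erp", 168, 24),          # built for 7 days, needed in 24 hours
    DrCapability("warehouse-db", 12, 2),   # meets the requirement
    DrCapability("reporting", 168, 24),    # meets the requirement
]

if __name__ == "__main__":
    for f in find_gaps(SAMPLE_BIA, SAMPLE_DR_PLANS):
        print(f)
```

The ERP plan satisfies month-end reporting but not order fulfilment, so the gap only shows up once each system inherits the tightest requirement of every process that depends on it.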
Supply Chain Resiliency
“Companies routinely exaggerate the attractiveness of foreign markets, and that can lead to expensive mistakes.” -Pankaj Ghemawat, Global Professor of Management and Strategy at New York University’s Stern School of Business.
Ghemawat’s statement sounds like a round-up of recent supply chain woes at the hands of the COVID pandemic crisis.
Yet it comes from his prescient warning to industry sounded nearly two decades earlier in his landmark article, “Distance Still Matters: The Hard Reality of Global Expansion.”
A critical one (in our humble opinion as business continuity & crisis management professionals) is that your business is only as resilient as your third parties. And if you’re leaving them out of your business continuity and crisis management planning process, your business might not be as resilient as you think.
Here are some practical steps you can take to better understand the resilience of your third parties and in doing so, improve your ability to navigate the next crisis.
- Shore up your supply chain risk at the program level
- Identify vendors with a high disruption impact
- Conduct joint resilience exercises with your vendors and providers
Protect your investment in resilience and your business
Failing to include key vendors and providers in your resiliency planning is a lot like locking your front door but leaving the garage wide open.
When disaster strikes, you may quickly find out the hard way that your business is only as resilient as your third parties if you’ve failed to include them in the resiliency planning process.
Effective resiliency planning requires a holistic approach to assessing your dependencies, risks, and business continuity and crisis response.
We’ve written an extensive article on Supply Chain Resilience that provides additional context and deeper insights that you may find helpful: Your supply chain may not be as resilient as you think.
Business Continuity Program Metrics
“Are there metrics we should be tracking?”
In short and emphatically, YES!
What metrics should you be tracking?
- Do you really want to know whether your business continuity program is working; that your organization is resilient and actually prepared to respond to the next disruption?
- Or do you just want to make sure all of the boxes are checked?
This is not a trick question.
We think that everyone should want their business continuity program and plans to actually work!
But if you don’t quite grasp the difference between the two, you’re not alone. I frequently encounter confusion around the fact that merely tracking business continuity program compliance—i.e., checking the boxes—isn’t the end game for business continuity success.
But it takes more than “Know the requirements-Do the things-Check the boxes” to gauge whether your business continuity program is effective and moving your organization towards its resiliency goals.
The right combination of metrics matters: operational compliance, plan quality, and program maturity are all equally important to understanding your organization’s true resilience.
Implementing a system that measures all three will give your organization the insights it needs to move your business continuity program to full maturity, sustainability, and success in responding to the next disruption.
Is your organization truly resilient, or are you just checking off the boxes?
1. Operational Compliance Metrics
At the very least you should be tracking progress at the business unit or plan level for:
- Business Impact Analysis (BIA) completion
- Business Continuity Plan completion (if just getting started) or updates (if already in place)
- Completion of business continuity exercises
- Whether after-action items identified in exercises have been addressed and improvements implemented
In short, your business continuity program manager should have a system to easily check and report on business unit progress towards basic business continuity program requirements.
For smaller organizations, a spreadsheet might be adequate for the job.
Large organizations with more complex operations may need a more robust solution.
2. Quality Scoring
To avoid a situation where your plans look great on paper but fall flat in actual practice, many companies choose to implement a quality scoring system.
The concept is straightforward. Each business continuity plan is scored, often on a rubric of 1-10, based on criteria that are developed in alignment with both industry standards and company-specific needs.
Things that can impact this score include:
- Plan completeness
- The quality of recovery procedures
- Whether risks that have no available workaround have been acknowledged and accepted
- Business continuity exercise participation
- Continued training and evaluation
Quality scoring enables you to assess your team’s true resilience capabilities in response to a disruption. In short, it is an invaluable tool for understanding whether your business continuity program is truly effective or merely compliant and is one that I recommend every organization employ.
3. Evaluating Program Maturity
We measure this progress using a proprietary model based on the ISO 22301 standard across 98 core factors or elements. By evaluating how closely each element aligns with the company’s pre-defined standards (as informed by both industry standards and the specific needs of the business), we can identify gaps in the program and the strategic objectives that are needed to bridge those gaps.
The maturity metric is the pinnacle of business continuity program performance and integral to ensuring the long-term sustainability of your resiliency program.
Getting the Metrics Right in your Business Continuity Program
- Just get started: Start tracking some metrics.
- Make sure your business continuity program metrics support your organization’s strategic objectives: Business continuity leaders can often get so caught up in the details that they forget about the importance of linking their business continuity program objectives to those of the company as a whole. Whatever metrics you develop should help you establish direct connectivity between the two. This is especially important when it comes to making the business case for business continuity resources and tools.
- Implement the solution that’s right for you: Your business continuity program doesn’t have to be world-class to work well. For example, some companies benefit from a robust SaaS business continuity software platform that can roll business continuity capabilities such as the Business Impact Analysis, business continuity planning, and more, including metrics, into one package. We have a few that we love and can help our clients onboard, configure, and learn how to use effectively. Still, not everyone has hundreds of business continuity plans to manage across a business with dozens of units and a global presence. In that case, a less robust and expensive solution might be sufficient.
We’ve written a longer article, 3 Key Metrics for Business Continuity Program Success, that has additional context & detail along with example metric images that you may find helpful as well.
There are endless explanations for why we humans find it so hard to make progress towards our goals—whether it be losing weight, saving money, or making strides in our business.
When it comes to organizational resiliency, one of the most common problems I see is not having a good system for implementing and improving your business continuity program.
Ad hoc efforts usually lead to ad hoc results. Opportunities for improvement slip through the cracks and your program quietly and unimpressively manages to subsist. Not exactly your dream scenario.
Especially considering the ramifications of being unprepared for the next disruption.
Meaningful improvements—whether to your waist size, your resiliency, or your bottom line—require a proven methodology to evaluate what’s working and what’s not. And to ensure that you’re making consistent efforts towards those improvements over time.
If your business continuity program doesn’t already have a system in place to do this, the Plan-Do-Check-Act model is a good place to start.
What is Plan-Do-Check-Act?
In early iterations, the PDCA model was referred to as the Deming-Shewhart cycle (named for its creators) and today is part of the foundational theory that undergirds Lean Six Sigma, Kaizen, ISO standards, and other systems for quality management and improvement.
So if your organization already has a process for establishing and maintaining your programs, it likely shares many similarities with the Plan-Do-Check-Act model or is loosely based on the PDCA methodology. Whatever your experience, you’ve likely heard of Plan-Do-Check-Act before, or at least seen it in practice.
But what exactly is Plan-Do-Check-Act and how can it help your organization better achieve its resiliency goals?
The PDCA model is based on a four-step closed-loop cycle that is used to improve a process or project over time. The steps, in short, are as follows:
- Plan: Establish your objectives, processes, procedures, and resources
- Do: Implement and operate your program or project as informed by your plan
- Check: Gather data and evaluate the outcomes from the “do” phase
- Act: Use insights from the “check” phase to identify corrective and preventive actions and drive continuous improvement over time
The PDCA process is continuous, rather than focused on a discrete endpoint. The result is an upwards spiral of continuous program and project improvement that has the potential to bring tremendous gains when applied consistently and correctly. Nike and Toyota are but two commonly cited examples of organizations that have used the PDCA model with much success.
We’ve written an extensive article on using Plan-Do-Check-Act (PDCA) in your business continuity program that you may find helpful: Plan-Do-Check-Act and your Business Continuity Program.
Business Continuity Awareness & Culture
In most organizations, the only times a business leader and their team learn about business continuity & crisis management is when the time comes to update their business impact analysis and associated plans – or when an incident or crisis occurs. It’s not a great way to drive business continuity awareness.
Instead, business continuity & crisis management leaders should be meeting and communicating regularly across the business to explain the program, highlight the program and organizational wins, and constantly explain how the program helps support the organization’s strategic business objectives.
When I first was asked over fifteen years ago to take over my then-employer’s business continuity program, I patiently explained to my would-be boss at the time that I knew very little about business continuity and crisis management. I would be a bad fit for the role.
He laughed, looked at me, and said, “I don’t need a subject matter expert, Bryan. What I need is someone who understands how to communicate and can market & promote the program across the company.”
He was right.
This is an even more important topic at the time of this writing, in mid-2022, when there’s never been a time where business continuity & crisis management have been more important to an organization – and there’s never been a more important time to make yourself important as a business continuity leader.
How can you set about doing so within your organization? Let’s dive in.
Telling your program’s story
Every great narrative starts with a bit of an origin story. Where did the program come from? Why does it exist? What is its mission?
In any story I set out to tell about business continuity & crisis management, I start with the whys. Why do we do this? Why does the program exist? How does it support the organization’s strategic initiatives?
This information is then consolidated into a document I call the “walkaround deck”. In my previous roles, I literally printed out a copy and carried it around in my planner so that I could tell the story at any time I needed to with any willing audience that would listen. It was a constant feature at morning “coffee meetings” where I would meet with yet another peer from across the organization to share our program’s story and initiatives and learn how they might intersect with my colleague’s area of responsibility.
Once this presentation is put together, make plans to always keep it current, and then set about to speak at as many forums, team meetings, huddles, all-staff gatherings, or any other meeting you can wrangle an invitation to. It should be the background for every meeting you have with officers and senior leaders in the organization – enabling you to share your program story, the results you have achieved, and how you are supporting the organization.
Working with Communications for Business Continuity Awareness
Your organization undoubtedly has some sort of communications function that supports internal communications. They will need to be your new best friend.
Every company has channels for internal communications – an intranet, posters, digital signs, a newsletter, bulletin boards, internal social media, and more. Meet with your communications team and learn how to submit content for these different channels. Devise a simple communications strategy that supports monthly and/or quarterly communications as a starting point. Aim to create a piece of quality content that helps reinforce your story, as we’ve outlined above, for each month or quarter on your communications strategy.
Don’t pass up any opportunity to tell your program’s story
A lot of business continuity & crisis management professionals are content to stay behind the scenes rather than being out front telling the story of their program.
Truly successful programs require leadership that is constantly working to tell the program’s story, gain new allies, and convert others to the cause of preparedness, business continuity, & crisis management.
Never be afraid to make yourself important.
We’ve written two detailed articles on this topic that you may find helpful: Effective Business Continuity Awareness Campaigns and Building a Resilience Culture in your Organization.
Business Continuity Industry Standards
Grounding your program in an industry-standards-driven approach can help you build the right program for your organization’s unique culture, strategic objectives, and situation while ensuring that you’re adhering to best practices developed over decades by the world’s leading organizations.
There is no single established standard for Business Continuity in the industry; however, there are several widely accepted industry standards for Business Continuity that can help provide you with a foundational approach to your organization’s business continuity strategy. Using one of these standards will save you from reinventing the wheel by describing the key program elements that you should consider as a part of your Business Continuity program in your organization.
NFPA 1600 Standard on Continuity, Emergency, and Crisis Management
National Fire Protection Agency (NFPA) 1600 is a U.S. emergency planning specification that has also become globally accepted. NFPA was the first of the business continuity standards to appear after 9/11. The United States Department of Homeland Security adopted the standard, in the words of the NFPA site, “as a voluntary consensus standard for emergency preparedness.” Likewise, the 9/11 Commission report recognized NFPA 1600 as the national preparedness standard.
Despite such endorsements, NFPA 1600 is still a guideline, not a requirement. It includes nine chapters on business continuity program management, planning, implementation, training, exercises and tests, and program improvement. Annex B provides checklists for ongoing self-evaluation.
Our article An overview of the NFPA 1600 Standard goes into greater detail on this important industry standard.
ISO 22301 Security and resilience — Business continuity management systems — Requirements
The International Standards Organization or ISO is a global institution that researches and creates industry and other standards. All its specifications are voluntary. ISO can’t enforce these or any other standards. ISO simply provides guidelines for what you should do.
The ISO 22301 Standard interoperates with all of the other ISO Standards, which are often used for Enterprise Risk Management, Information Security, and Disaster Recovery.
At Bryghtpath, we typically utilize ISO 22301 as the basis for our Resiliency Diagnosis process, also known as Business Continuity Program Evaluations.
ASIS Business Continuity Guideline – A Practical Approach for Emergency Preparedness, Crisis Management, and Disaster Recovery
Published by ASIS International, an association of security practitioners, the ASIS Business Continuity Guideline is, as it says, a step-by-step, detailed outline for approaching business continuity. Although perhaps less well-known and therefore less commonly adopted, the plain language makes it an accessible reference.
Incident Command System (ICS) & the National Incident Management System (NIMS)
The Incident Command System, or ICS, is used by public agencies to manage emergencies. You’ll see this used by police, fire, emergency management, public health, and related government agencies. Some businesses use ICS or an ICS-aligned approach to work together with public agencies during emergencies. This is a commonly used approach by energy utilities and hospitals/healthcare organizations (through the Hospital Incident Command System or HICS, documented below). You can learn more about ICS at FEMA’s Emergency Management Institute ICS Resource Center page.
The National Incident Management System (NIMS) was established by FEMA and includes the Incident Command System (ICS). NIMS is used as the standard for emergency management by all public agencies in the United States for both planned and emergency events. You can learn more about NIMS at FEMA’s National Incident Management System resource page.
By themselves, NIMS and ICS do not define how to best organize the Crisis Management Framework & Plan for an organization, but they do provide a number of principles that can be applied to private sector crisis management programs.
Hospital Incident Command System (HICS)
The hospital incident command system (HICS) is an emergency response and preparedness system for hospitals. It enhances a hospital’s emergency capabilities both as an individual facility and as part of a broader response community. HICS also provides guidance for performing daily operations, pre-planned events, and non-emergencies.
The Hospital Incident Command System began to be implemented during the late 1980s in the United States, and similar systems have also been implemented in other countries. The California Emergency Medical Services Authority (EMSA) publishes the HICS Guidebook for the United States.
Our article, An Overview of the Hospital Incident Command System (HICS), provides much greater detail and context about this widely accepted standard for healthcare organizations.
Additional Resources on Industry Standards
- Article: Business Continuity Standards – How each can help you
- Podcast: Managing Uncertainty – Episode #124 – Business Continuity Standards – Which is right for you?
Business Continuity Software
Gartner’s Magic Quadrant does a really good job of identifying the top software solutions in the field.
But there are two problems with relying solely on Gartner.
- Staleness: Gartner does not update their reports annually, so information can quickly become stale–their most current one on business continuity management program software solutions is nearly three years old.
- Specificity: Gartner can tell you what solutions are best in the industry, but not necessarily which solutions are best for your particular company and its specific needs.
Interestingly enough, the business continuity management software solutions that we most often recommend to our clients (like Fusion) are also the ones that happen to rank well with Gartner. It’s a good place to start.
Then, here are some other factors to consider:
- Does it meet your most important needs?
- Does their business continuity program methodology align with yours?
- Can the vendor demonstrate all of its advertised capabilities?
What’s the best business continuity software?
There are a lot of good business continuity software solutions. Here we discuss our favorites and the pros and cons of other popular ones.
- Fusion Risk Management: Fusion is our hands-down favorite and the one that we usually recommend to clients.
- Castellan: Castellan’s cloud-based business continuity software is well regarded – and our colleagues who have used it love its performance and capabilities.
- Infinite Blue: Infinite Blue offers the BC in a Cloud, Cenari, and Sendigo solutions that cover operational resilience (business continuity, disaster recovery, and more).
- Archer: Archer is a long-term player in the space that is widely used – often we see our clients using Archer’s platform because they’re already using it for other capabilities, such as Governance, Risk, and Compliance.
- ServiceNow: ServiceNow is a newer player in the Business Continuity software space following their acquisition of Fairchild Resiliency Solution’s software product. Similar to Archer, many companies use the ServiceNow Business Continuity capabilities because they’re already using ServiceNow for its industry-leading IT Service Management capabilities.
We’ve written an extensive article, How to Choose the Best Business Continuity Software, that provides an overview of the market, the benefits of using business continuity software, and how to make the business case to your senior leaders to bring software into your program.
Business Continuity Case Studies
Case Studies provide a way to learn from previous continuity situations and from the efforts of other organizations to implement business continuity programs. We’ve included case studies from articles on our website along with some of the relevant work that we’ve done with clients below that you may find valuable.
- A major U.S. electric, natural gas, and nuclear energy company, faced with the challenge of ever-increasing threats against their generation, distribution, and transmission capabilities, turned to Bryghtpath’s Resiliency Diagnosis to evaluate their business continuity and crisis management program and improve the resilience of their organization. Read the full case study here.
- A major healthcare technology company partnered with Bryghtpath to build, improve, and manage its business continuity program on a day-to-day basis through our Business Continuity as a Service offering. Read the full case study here.
- A major US-based home decor retailer approached Bryghtpath to build & implement a business continuity & crisis management program from scratch. Read the full case study here.
- A for-profit university with a global presence, working through a sale to a private equity firm and multiple challenges to its business model, turned to Bryghtpath for interim security leadership to rapidly mature their global security, business continuity, and crisis management program while realigning their team against new strategic business objectives. Read the full case study here.
Getting help with your Business Continuity Program
Designing, implementing, and supporting a Business Continuity program is a tall order. Often the best approach is to seek professional help from an industry leader that can help you build and maintain the program that is best for your organization’s challenges.
Here are some ways to get help with your Business Continuity program.
Every company will deal with business disruptions and crisis situations. Sometimes having a trusted advisor on retainer can help you be better prepared, coach you through immediate actions to take to keep your team safe, and keep your business running despite the impacts from the critical moments.
Some of the reasons to use a trusted advisor are:
- The value of an outside perspective. It’s not easy to know how your business continuity program compares to leading programs in other companies. That’s why an outside perspective can be invaluable.
- Guaranteed availability during a disruption or crisis event. When a disruption happens, it will help tremendously if you have an established relationship with a business continuity and crisis management expert. For example, at some point in March of 2020, your company had a senior leadership meeting to discuss the rapidly evolving COVID-19 pandemic. Maybe you were in the room for that meeting. Maybe you were part of really difficult decisions — everything from the health of your employees to laying people off to cut costs. If so, what was it like? Did you have a plan in place? Or were you forced to improvise?
- Guidance for media inquiries. Your phone rings. It’s a reporter from your local newspaper or TV station. “We have a report that your CEO was arrested last night for driving while intoxicated. Do you want to comment?” Would you know what to say?
- Proactive messaging for known risks. Some businesses know in advance that a specific type of disruption is likely. For example, a business that operates cloud-based software will have downtime. It’s just a matter of when. We call these “known risks.” For our clients with these known risks, we help them get ahead of these issues by working proactively before a disruption happens.
- Assistance for your executives & board of directors. Having an existing relationship with a business continuity and crisis management expert can be a major benefit when dealing with senior executives and boards of directors.
- Access to a network of information. If a major natural disaster happens in your location, where will you go for up-to-date information? If a major political demonstration happens in your town — and it threatens to get out of control — how will you stay up to date with what’s happening? When you work with a business continuity and crisis management expert like Bryghtpath, you gain access to a wide network of information that simply may not be available through local news sources.
How to Choose a Business Continuity Consultant
Writing for TechTarget.com, Richard Jones, a VP at Burton Group, advises, “[T]he first step (after agreeing that a BCP is in order) is deciding who will lead the process. In-house personnel may be qualified, but if not a consultant is what you need”–or it could be a combination of the two.
It may be possible to do the job without a “hired gun.” In that case, Jones advises looking for someone already on board who has led at least two successful business continuity exercises in organizations of similar size in approximately the same market as the organization.
This updated piece from Continuity Central also has some sage advice on the subject. The organization should ask these three key questions:
- If there is a staff member having the necessary knowledge, is it sufficiently up to date and “broad enough to develop a fully rounded business continuity plan”?
- If the staff person is not completely “up to speed,” would additional training fill the gaps in areas of deficient expertise?
- Could an external consultant work with the staff member and minimize the amount of consultancy time needed?
We’ve written a detailed article, 8 Things to Consider When Choosing a Business Continuity Consultant, that you may also find helpful.
Sometimes you have a lot of the program in place, but you’re working harder than ever and just not making a lot of forward progress on your business continuity objectives. Books, podcasts, and other training just aren’t getting it done for you.
We’ve often found in these circumstances that working with a coach for a one-on-one coaching session can help you get unstuck, gain clarity, and take your next best step.
Here are some benefits from Business Continuity Coaching that we’ve seen in our experience:
- An outsider’s perspective. Sometimes, you’re too close to the problem to see it accurately. An outsider’s perspective can be the simple insight you need to find the solutions that are probably already in front of you.
- Encouragement and support. Discussing your business challenges with a trusted expert can help you uncover new solutions to your business continuity & crisis management problems or validate the ones that you already have in mind.
- Validation for your ideas. If you’re struggling to get buy-in within your organization, the gravitas of an outside coach or consultant may be just what you need to get your leaders on board.
- An insider’s network. Having a pre-established relationship with a business continuity and crisis management expert can ensure that you are able to quickly find the information and the help that you need when you need it most.
Could coaching be the right solution for you? Here are some factors to consider:
- You need help with a problem. An effective coach can help you see your problem more clearly and create an actionable plan to move forward.
- You’re new to the job or in need of specific capabilities. Regular coaching with a business continuity and crisis management expert can help you confidently address emergent challenges and build your professional playbook until you’re ready to stand on your own.
- You’re ready to level up. Individual or group coaching, or some combination of both, can be invaluable in helping you reach the next level in your business continuity program or career.
If you’re ready for actionable insights and a no-BS game plan to take charge of your professional and programmatic success, coaching might just be your next best step.
For additional coaching insights, read our full article 5 Ways Coaching can help your Business Continuity and Crisis Management Program.
Outsourcing your Business Continuity Program
Another option is to completely outsource your Business Continuity Program to a third party. It’s often referred to as Business Continuity Managed Services or Business Continuity as a Service.
There are several reasons why you might choose this as an option:
- Hiring an in-house team can be difficult
- In-house teams have high fixed costs
- It’s more difficult to scale an in-house team quickly when a disruption happens
There are several ways to structure the use of a third party to manage your Crisis Management Program. Three of the most common approaches are:
- Development of your crisis management program
- Facilitation of crisis management exercises
- Help when you experience a crisis
We’ve written a more in-depth article about Business Continuity as a Service – How to Outsource your Continuity Program that covers approaches to doing so – and how to incorporate Crisis Management managed services as well.
Evaluating your Business Continuity Program
In the event of a significant disruption to your organization, how will your company respond?
But this much is certain: your business will face unexpected disruptions.
Understanding how your program and capabilities stack up is the first step to being able to mature your program – even if you don’t have a formal business continuity & crisis management program today.
Evaluating your business continuity program helps you know exactly where you stand and how to rapidly improve your current state of resiliency.
As we outlined above in our section about Business Continuity Metrics, we believe in measuring program maturity against defined industry standards – ISO 22301 in our case most typically.
A thorough standards-based evaluation of your business continuity program leads to a better understanding of how your organizational resilience stacks up – and helps you understand the path you’ll need to follow to further mature your program.
We’ve written a more detailed article about evaluating business continuity programs that you may find helpful. You can also learn about Bryghtpath’s proprietary Resiliency Diagnosis process that we use to evaluate business continuity & crisis management programs.
Business Continuity Certifications
You might be wondering about business continuity certifications.
Do you need one to be competitive for business continuity jobs?
Which business continuity certification should you get?
What does it take to get and maintain a business continuity certification?
Do you need a business continuity certification?
While it’s certainly possible to grow your way into a business continuity position from within your organization, it’s best to start working towards a certification as soon as you can.
If you’re looking to start a career in business continuity, most jobs will require you to be professionally certified or will expect you to be certified within a certain period of time. This is especially true if you already have the years of experience required for standard industry certifications; being eligible but not having a certification will stand out as a red flag.
If you’ve been lucky enough to climb your way up the ladder to a business continuity position from within, adding a formal certification to your war chest will be invaluable to getting the internal support and resources you need to carry out your program objectives. And while different training and certifications vary, you will no doubt benefit from the new tools, resources, and network that come through training and affiliation with your choice of certifying body.
In short, I’ve never heard anyone who regretted getting some sort of business continuity certification. Most wish they had done it sooner.
Leading Business Continuity Certifications
In the business continuity industry, the two main certification bodies are the Disaster Recovery Institute International (DRII) and the Business Continuity Institute (BCI).
In our experience, DRII is the most commonly accepted designation in North America. It is headquartered in the U.S. and has been around since 1988. BCI, established in 1994, is based in the UK and is more widely recognized for locations in Europe, Asia, Africa, and the Middle East, but its presence has been growing across North America over the past decade.
In our article Choosing the Right Business Continuity Certification, we break down the various business continuity certifications and provide some guidance on choosing the right one for you.
Where to learn more about Business Continuity
There are a number of great options available for learning more about Business Continuity – and many of them are completely free.
Here are some of our favorites.
There are a number of free training resources available online that might provide you with answers to some of your questions about Business Continuity. Here are some available free options:
- FEMA’s Emergency Management Institute: Free courses covering many aspects of crisis management, continuity of operations, emergency management, and related topics.
- Bryghtpath’s Free Introductory Courses: Our free 101 introductory courses are intended to provide an overview of a particular subject matter in a way that helps both the novice and highly experienced business leader or individual contributor be able to make an immediate impact in their area of responsibility.
- Bryghtpath’s YouTube Channel: Hours of free video, webinars, and other presentations covering crisis management, business continuity, and crisis communications.
- Bryghtpath’s Webinars & Videos: Our webinars and videos are intended to help you learn more about business continuity, crisis management, disaster recovery, exercises, and crisis communications.
- Bryghtpath’s 5-Day Business Continuity Accelerator: Our 5-Day Business Continuity Accelerator is an interactive online workshop designed to take you through a hard look at your existing business continuity program – and lay out a plan to rapidly mature your program in just days. We run this course quarterly – learn more, get on the waitlist, or enroll in the next session here on our website.
Business Continuity, Crisis Management, & Resiliency Facebook Group
Connect with hundreds of other Business Continuity, Crisis Management, & Resiliency Professionals in our free Facebook Group.
Our free Facebook Group is a forum for discussion around organizational resilience, business continuity, continuity of operations, emergency management, and crisis management. The intent of the group is to serve as an active exchange of information, questions, and news related to our profession.
You’ll find daily articles, regular discussion topics, and a safe and welcoming environment for your questions related to your career and moving your program forward.
We hope to see you there!
Books aren’t the best answer for everyone for learning about business continuity, but they are relatively inexpensive and provide a lot of deep insight into a specific topic.
We’ve published our Professional Reading List, which contains our best recommendations for personal study and contemplation that will assist you as you continue to grow in our profession.
There are a number of great (and FREE!) Business Continuity Podcasts. These podcasts can help you continue to grow your knowledge and skills in these important areas as you seek to mature your organization’s program.
Here are a few of our favorites:
- Managing Uncertainty: Our own weekly podcast covering business continuity, crisis management, and crisis communications. Learn more at our Managing Uncertainty Podcast archive.
- Harvard NPLI Leader ReadyCast: Featuring real-world lessons, best practices, and action-oriented insights for the “You’re It” moments when you are called to lead. Each episode features insights from frontline leaders and the faculty of the Harvard National Preparedness Leadership Institute (NPLI) program.
- Resilient: Resilient is a podcast series from Deloitte that features authentic, engaging, and thought-provoking conversations with CEOs, senior executives, government officials, board members, and people outside the business world. Hear their personal stories about how they led through a crisis, navigated through disruption, and managed through significant risk events. Discover what they learned about embracing risk, improving performance, and leading confidently in a volatile world.
We’ve outlined a longer list of our favorite business continuity & crisis management podcasts in our article Top Business Continuity & Crisis Management Podcasts.
Executive Education Programs
The challenges involved in business continuity and crisis management are complex and ever-changing, making ongoing education a crucial part of any executive’s long-term strategies. Understanding the various points of vulnerability for your business, gaining best practices in business continuity management, defining risks and prepping emergency management procedures aren’t skills that are often taught in traditional universities but must often be learned on the job or as part of your networking with peers. Business Continuity & Crisis Management Executive Programs can assist with this opportunity.
Finding a business continuity executive education opportunity not only provides you with an opportunity for learning more about the topic but is a valuable networking opportunity as you learn with other professionals who are looking for the most proactive ways to prepare their business for the future.
Some of the top Executive Education Programs include:
- Harvard’s National Preparedness Leadership Institute
- MIT’s Crisis Management & Business Continuity Course
- Bryant University’s Business Continuity Certificate Program
- PECB’s Business Continuity Management Program
We’ve recapped these programs along with several other options in our article Top Business Continuity & Crisis Management Executive Programs.
We’ve put together a ton of free resources to help you in your quest to navigate uncertainty and disruption.
Learn more at our Free Resources page on our website.
About the Author
Bryan is a Member of the Business Continuity Institute (MBCI) and a Master Business Continuity Professional (MBCP).
Learn more about Bryan and his background in business continuity & crisis management in his biography.
We can help.
Let the experts at Bryghtpath put their decades of Business Continuity experience to work for your organization
We have the experience, tools, and partnerships to help your organization successfully manage the rough waters ahead – and ensure your organization is prepared.
Learn more about our Business Continuity capabilities, read about the results we’ve generated for our clients, or book a meeting today.