Using program management to manage business continuity
Business continuity planning is a complicated, sometimes difficult endeavor for an organization. One of the challenges contributing to the situation is that business continuity planning as a discipline is still in the formative stages. Business continuity experts who are working today are often the same individuals who performed disaster recovery planning on early mainframes and self-published their findings. Although there is always a definite need for business continuity, many barriers to success exist. This paper describes a methodology intended to facilitate success for business continuity by applying program management, project management, and business continuity best practices in a coordinated manner.
Business Continuity Background
Business continuity planning superseded the concept of disaster recovery in the mid- to late 1990s after Hurricane Andrew. During this widespread disaster, some companies found that they had protected their infrastructure (by using disaster recovery), but had failed to protect the company (business continuity). This initiated an evolution from disaster recovery thinking to business continuity thinking.
Simply stated, business continuity deals with all of the elements of the company:
- Infrastructure (buildings, communications, and computing)
- Fulfillment and customer service
- Human resources
- Risk scenarios
To oversimplify, business continuity deals with the organization holistically; in the past, disaster recovery dealt with only a specific portion of the organization.
But there are some definite challenges to business continuity. First, in order to address a problem, the organization must recognize that a problem or need exists. Many organizations fail to plan for business continuity for various reasons, such as lack of resources, lack of budget, and lack of interest. Many organizations suffer from the belief that “It won’t happen here” and fail to take adequate precautions to protect the enterprise. Some organizations fail to plan for basic corporate governance and are willing to risk corporate failure.
Think about it: how often have the officers and directors of a company that failed into bankruptcy been criminally or civilly prosecuted for the failure? Only in rare recent cases of fraudulent activity have there been prosecutions; Enron, Tyco, and WorldCom would be recent examples of criminal prosecutions. But while these prosecutions have been very public events, there are very few corporate leaders who suffer this fate.
However, what about the average company that simply fails for some reason? An example might be Montgomery Wards. Montgomery Wards failed to keep pace with the market, failed to upgrade their infrastructure, and failed to follow new trends. Wards ultimately lost a customer base large enough to support the company and had to liquidate in bankruptcy. No one went to jail or was held civilly liable. It has become a semi-acceptable business process to build, squeeze, and then let the company “go” in the United States.
These issues present a problem for the business continuity professional. The company may not have the commitment to excellence or a commitment to its own future. A continuing impediment to business continuity planning is the time and money commitment involved in managing the planning and program.
My “Thin Business Continuity Program Management” methodology uses the “A-B-C-D Analysis” at the beginning of the program. The “A-B-C-D Analysis” asks if certain conditions exist that indicate willingness to proceed:
A – Awareness of a problem, issue, or need to be addressed
B – Budget available to address the need
C – Concern about the problem, issue, or need
D – Determination at a senior management level to address the need
If all of the conditions are present, then the business continuity program has a potential for success and should be initiated. If one or more of the conditions are not present, then the prudent program manager or business continuity professional may elect to defer program initiation until conditions are more favorable.
Thin Business Continuity Program Management combines multiple standards and best practices to expose a practical methodology for business continuity planning and management. Thin Business Continuity Program Management combines standards from Disaster Recovery Institute International (DRI®), Disaster Recovery Journal (DRJ), and Project Management Institute (PMI®) in order to form a structure for initiating, planning, and managing business continuity planning and the business continuity program.
DRI® has long published a set of best practice areas for disaster recovery--business continuity planning. Ten areas are defined as part of business continuity planning:
- Area 1: Project initiation and management
- Area 2: Risk evaluation and control
- Area 3: Business impact analysis
- Area 4: Developing business continuity strategies
- Area 5: Emergency response and operations
- Area 6: Developing and implementing business continuity plans
- Area 7: Awareness and training
- Area 8: Maintaining and exercising the business continuity plan
- Area 9: Public relations and crisis coordination
- Area 10: Coordination with external agencies
Recently, DRI® and DRJ have collaborated with many external contributors to define the DRI/DRJ GAP (Generally Accepted Practices) for Business Continuity Planning. The GAP takes the best practice areas and adds definition and detail to the original framework.
Each section of the business continuity GAP defines:
- What is to be done in that area
- How it is to be accomplished (at a high level)
- Points of reference (regulations, standards, references) for the business continuity practitioner to use
Each section also provides references to other sources.
PMI® is cited as a reference multiple times for A Guide to the Project Management Body of Knowledge (PMBOK Guide®)--Third edition (Project Management Institute, 2004) in DRI® areas 1 and 2. Many other recognized standards organizations are used as references for how to identify, plan, quantify, and manage business continuity needs; some of these are:
- National Fire Protection Association
- Federal Financial Institutions Examination Council
- American Society for Industrial Security (ASIS) International
- National Institute of Standards and Technology
- Federal Emergency Management Agency
Whereas the original DRI® Business Continuity Best Practices had 10 loosely defined areas, the DRJ-GAP has over 250 subtopic areas that are detailed and given reference points.
Planning and managing business continuity for a single organization unit or department is complex. Planning and managing business continuity for an entire enterprise will require multiple business continuity professionals and a highly structured approach.
The projected use of multiple business continuity professionals (quasi project managers or program managers) to plan, implement, test, modify, and manage the business continuity program clearly indicates that this effort is a candidate for using PMI’s Standard for Program Management.
The Standard for Program Management indicates that the program should be managed to employ three methods of management:
- Benefits management: to deliver the planned program outcomes, benefits, and synergies from the multiple individual projects or combined programs
- Stakeholder management: to manage effects of the program on stakeholders and to manage the large number of stakeholders who are involved in the program
- Program governance: to develop policies, procedures, and practices that facilitate program management
All of these are themes that are universal in nature and are needed throughout the program life cycle. All of these elements blend with and contribute to structural definitions of generally accepted practices for the business continuity program.
In the Thin Business Continuity Program Management model that I have created, I have taken the liberty of using the five program phases based on The Standard for Program Management--Second edition exposure draft (PMI, 2008):
- Pre-program
- Program initiation
- Program setup
- Deliver benefits
- Close program
Most of the process definitions used in the Thin Business Continuity Program Management methodology are based on Version 1 of The Standard for Program Management. Several customized processes are also used.
In defining Thin Business Continuity Program Management, our goal was to combine the elements of the DRI® best practices, the DRJ GAP, and the PMI® Standard for Program Management and Standard for Project Management into a series of steps that conform to the program management structure. These steps will use defined structured processes in order to enable a simple yet highly structured approach to performing management of business continuity for the enterprise. Our approach is to have specific processes used in each step. The processes used will utilize specific inputs, tools and techniques, and outputs. The processes will facilitate producing the desired results to complete the business continuity projects and overall program management.
Thin Business Continuity Program Management Structure
The methodology uses a program life cycle with five phases as defined in the Standard for Program Management. In Phase 1 (pre-program phase), Step 1 of our 10 Steps methodology occurs.
In Step 1 of our methodology, our intent is to determine whether or not the proposed program has value (Exhibit 1). In a business continuity context, the program manager in conjunction with the sponsor or sponsors must determine if the enterprise has the determination and resources to perform business continuity planning. The initial program scope will be required in order to determine what departments, units, locations, or areas of the enterprise will be included in the business continuity program.
Exhibit 1--Thin Business Continuity Program Management Step 1
Please note that in Exhibit 1, processes that are designated with an asterisk (*) are customized processes created for this methodology. Each process has specific inputs, tools, and outputs customized for the business continuity program environment. Processes that have no asterisk (*) are standard processes defined as part of the PMI® Standard for Program Management.
Phase 2 (program initiation) has a single step contained within it, just as Phase 1 does.
In Step 2 of our methodology, the program manager will initiate the business continuity program (Exhibit 2). Three processes are used to perform this step. In this step, the overall program is formally initiated through generation of the formal program charter. The principal stakeholders for the program and the core program team members are identified. An important outcome for the business continuity program is the definition of a steering committee to support the program.
Exhibit 2--Thin Business Continuity Program Management Step 2
Steps 3 and 4 make up Phase 3 (program setup).
In Step 3 of our methodology, the program manager ensures that program controls are in place for the business continuity program (Exhibit 3). In this step, quality parameters are planned, resource requirements are defined, and basic plans to control costs, schedule, scope, resources, component projects, and communications are put into place.
Exhibit 3--Thin Business Continuity Program Management Step 3
In Step 4 of our methodology, the program manager, program team, and stakeholders work together to define the scope of the program (and scope for any individual projects associated with the program) (Exhibit 4).
Exhibit 4--Thin Business Continuity Program Management Step 4
Phase 4 (deliver benefits) begins with Step 5 and encompasses Steps 6, 7, 8, and 9.
In Step 5, the program manager will work to define risks and vulnerabilities that may affect the enterprise and therefore must be addressed by the business continuity program (Exhibit 5). Several specific component projects must occur in Step 5: business continuity program risk identification project, business impact assessment (BIA) project, emergency situation project, and business continuity program strategy development project. The BIA is very important; the BIA identifies business processes, what they do, what they interact with, and who performs them. The BIA documents what processes are required to support and continue the enterprise and therefore need protection by developing business continuity alternatives and plans.
Exhibit 5--Thin Business Continuity Program Management Step 5
In Step 6, the program manager in conjunction with stakeholders and sponsors obtains agreement as to the chosen strategies for business continuity (Exhibit 6). The main deliverable that is managed here is the final business continuity plan.
Exhibit 6--Thin Business Continuity Program Management Step 6
In Step 7 of our methodology, the program manager focuses on obtaining work results and monitoring work performance for the overall program (Exhibit 7). Quality checks are performed on the project(s) and the program. This step ensures that all defined program outcomes are achieved.
Exhibit 7--Thin Business Continuity Program Management Step 7
Step 8 is a critical step no matter which option is utilized. The business continuity professional (project/program manager) will be involved in the exercise or activation of the business continuity plan (Exhibit 8). After an exercise, the results of the exercise are available to stakeholders. After an emergency activation of the business continuity plan, results of the actual event are available. Both of these elements will be used in Step 9 to modify the plan as required.
Exhibit 8--Thin Business Continuity Program Management Step 8
In Step 9, the results of an exercise or of an emergency activation of the business continuity plan will be used to modify the plan (Exhibit 9). Step 9 also involves the process of “Identify Required Business Continuity Program Changes,” which includes a periodic review of the plan and enterprise environment. As changes occur in the environment, regardless of plan use, updates to the business continuity plan must occur. Any updates are performed considering version control and distributed to key team members on a regular basis.
Step 9 has an option built into the step flow. After Step 9, the program manager and stakeholders will return to Step 8 if the program is deemed to still have value and can continue to produce the expected benefits. If the program returns to Step 8, periodic use and updating of the business continuity plan will result.
If the program is deemed to be obsolete, ineffective, or no longer provides the benefits planned, then the program manager will go to Step 10 and terminate the program.
Exhibit 9--Thin Business Continuity Program Management Step 9
The final phase of the program life cycle, Phase 5 (close), consists of Step 10.
Step 10 involves closing the program (Exhibit 10). This step will be used after the benefits of the program have been derived and exhausted and a decision is reached to terminate the program. Component closure will ensure that all associated projects in any form are closed. Contract closure and close program will deal directly with the overall program to ensure that the program ends in an orderly fashion and documentation is archived.
Exhibit 10--Thin Business Continuity Program Management Step 10
This methodology is intended to be a combination of standardized processes and program management structures as well as custom elements used only in a business continuity planning environment. When using one of the standard processes defined as part of the PMI Standard for Program Management, the standard inputs, tools and techniques, and outputs will be used. In many cases, unique elements will complement the standard structure.
It is believed that this methodology provides a simple structure for pursuing development of the business continuity plan and business continuity program. Used in a serial manner executing Steps 1 to 10, it provides a “road map” for the business continuity professional. While this methodology may not answer every possible permutation of need, the reasonably skilled individual can use this to build awareness of what needs to be done, and in what order elements need to be accomplished in order to facilitate success when attempting to manage business continuity for the enterprise.
References
Disaster Recovery Journal. (2008). Generally accepted practices. Retrieved July 3, 2008, from http://www.drj.com/gap/gap.pdf
Disaster Recovery Institute International. (2008). Professional practices for business continuity professionals. Retrieved July 3, 2008, from http://www.drii.org/DRII/ProfessionalPractices/about_professional_detail.aspx
Project Management Institute. (2008). The Standard for Program Management (2nd ed.). Exposure draft. Retrieved February 7, 2008, from http://pmi.org
Project Management Institute. (2004). A guide to the project management body of knowledge (PMBOK® Guide) (3rd ed.). Newtown Square, PA.
Project Management Institute. (2006). The Standard for Program Management. Newtown Square, PA: Project Management Institute.
Other General References
(no information or documents from these sources were used in preparation for this paper)
National Fire Protection Association. (2008). http://www.nfpa.org/aboutthecodes/list_of_codes_and_standards.asp
Federal Financial Institutions Examination Council. (2008). http://www.ffiec.gov/
ASIS International. (2008). Standards and Guidelines. http://www.asisonline.org/guidelines/guidelines.htm
National Institute of Standards and Technology. (2008). http://www.nist.gov/
Federal Emergency Management Agency. (2008). http://www.fema.gov/
© 2008, Timothy S. Bergmann
Originally Published as part of the 2008 PMI Global Congress Proceedings – Denver, Colorado, USA