How to Build an Enterprise BC Program (That gets around the roadblocks)


1 February 11-14, 2018, Gaylord Opryland Resort and Convention Center, Nashville, #DRI2018
How to Build an Enterprise BC Program (That gets around the roadblocks)
Scott Baldwin, CBCP, MBCI, VP, Strategic Product Development

2 Scott Baldwin, CBCP, MBCI
Scott Baldwin is VP, Strategic Product Development for Virtual-Corporation and has been in the resiliency field for over a decade. During this time he has worked in all areas of resiliency and managed programs at Charles Schwab, PayPal and, most recently, as head of the global BC program at eBay. Previously, Scott spent a decade as a software engineer, and brought his knowledge of technology solutions to the resiliency field.

3 Basics of BC Program Building
- There is no one correct way to build a program
- No organization is the same, so this framework will need to be customized to yours
- Use judgement on scaling this framework, especially for smaller organizations

4 Terminology: Program Maturity Levels
- Resilience
- Readiness
- Compliance

5 Compliance
- Absolute minimum requirement for a functioning enterprise program
- Absence of any of these components would likely result in most audit failures
- Basic BCP Activities: Executive Communication, Business Impact Assessment, Business Continuity Plans, Validation Exercises
- Sustainable: Updated on a regular basis
- Enterprise-Wide: All areas of the enterprise need to be accounted for

6 Readiness: The ability of the business to respond to a disruption or impact
- Compliance Achieved
- Ownership of Business Continuity truly in the hands of the Business: the Business owns the responsibility for recovery and is on the front line of defense
- Realistic, useful and regular functional exercises are taking place: inter-departmental, inter-disciplinary exercises conducted at an appropriate cadence

7 BC Resilience: The ability to proactively identify & mitigate risk and avoid impact
- Compliance Achieved
- Readiness Achieved
- Working closely with other risk areas to identify, mitigate and avoid impacts of risk: using other risk group policy and controls, conduct risk assessments and enact proactive strategies to avoid disruptions
- Corporate group spending time training and mentoring, rather than conducting actual BC activities

8 Two Common Scenarios
- Program Reboot Cycle
- Compliance Lock

9 Program Reboot Cycle
[Cycle diagram: New Management, New Management, Consultants Brought In]

10 Compliance Lock
- Compliance achieved, but at the cost of 100% effort
- Must continue to swim or face the possibility of sinking
- Maturity or progress impossible to obtain without additional headcount
- Program is not sustainable long term

11 Two Common Scenarios
- Program Reboot Cycle
- Compliance Lock

12 The Framework
Step 1. Gain executive support

13 Gaining Executive Support Gap? is in every standard, best practices, guidelines, etc yet is consistently listed as one of the reasons BC programs fail.

14 Types of Executive Support
Actual Executive Support
- Count your lucky stars and take advantage: it's rare!
- Usually the result of 1 or 2 passionate members of the board or Executive Leadership Team
- Ask, ask, ask!
- However, it probably won't help you long term
- Supportive leader can change focus, or even leave the organization, leaving you without sustained support
Official Executive Support
- Found in financial institutions, governmental bodies and other highly regulated sectors
- Typically results in official policy approvals and, at best, compliance level programs
- Does not typically convert to business engagement

15 While ANY executive support is good... The Thing needed for this framework to be successful is agreement and official policy approval giving total BC ownership to the business

16
- Business area BC audit results: Owned by the business
- Actual disruption response: Owned by the business
- Compliance responsibility: Owned by the business
- All business area BC responsibility: Owned by the business

17 Arguments for Business Ownership
True Subject Matter Experts in their Areas
- As the SMEs for their areas, the business is the only group who can truly understand and describe the best way to conduct their business during an adverse situation.
Ownership Produces Motivation
- Without the feeling of ownership, the business will simply assist with BC tasks when it is convenient, or when forced.
- With ownership, the relationship between the business and corporate group changes: Instead of the Business doing us a favor and helping us to do OUR job, WE are helping the Business do THEIR job.

18 The Framework
Step 1. Gain executive support
Step 2. Scaling the program

19 Corporate Group #4
L1 #12 (SVP Division)
L2 #70 (VP Business Unit)
L3 #200 (Director Department)
L4 #1500 (Manager Process)

20 This framework is scaled out by a simple equation:
C x (15 to 20) = P
Where:
C = size of the corporate team
P = number of programs supportable

21 So, if your corporate team consists of 4 people:
4 x 15 = 60
4 x 20 = 80
Your group can support 60 to 80 programs

22 Corporate Group #4
L1 #12 (SVP Division)
L2 #70 (VP Business Unit)
L3 #200 (Director Department)
L4 #1500 (Manager Process)
Programs at L2 level and owned by the VPs

23 Now, what if you are an army of 1? No problem:
1 x 15 = 15
1 x 20 = 20
You can still support 15 to 20 programs

24 Corporate Group #1
L1 #12 (SVP Division)
L2 #70 (VP Business Unit)
L3 #200 (Director Department)
L4 #1500 (Manager Process)
Programs at L1 level and owned by the SVPs

25 Thoughts on Scale
- The programs and ownership level will dictate the length of time implementation will take: each program will push down towards the process level; the further from that level, the longer it will take
- Program sweet spot: programs should, ideally, be placed somewhere in the organization that will provide them with enough power and authority, but not where they will be ignored
- Customize to your own organization: instead of reporting levels, you might define your organization by geography, subsidiaries or other criteria that work for you

26 The Framework
Step 1. Gain executive support
Step 2. Scaling the program
Step 3. Implementation

27 Implementation
- Delivering Ownership
- Program Building

28 Delivering Ownership
- Offering to support the business: Granting a favor
- Asking the business for support: Asking for a favor

29 Delivering Ownership
Corporate Group #4
Visit the leader of each and every group at the selected level

30 Delivering Ownership: The Executive Overview
Explain the corporate expectations of ownership (Leveraging step 1)
1. Create the problem
- Most leaders will have no idea how to develop or manage resilience capabilities
2. Offer to solve the problem for them
- Describe the conditions
- Describe your guarantee

31 Delivering Ownership: Conditions
Provide a Business Continuity Manager (BCM) to run their program
- Not a coordinator or champion but a program Manager
- The BCM will be authorized by the leader to act in their stead
- The corporate group will train, mentor and support the BCM until they are deemed to be experts in the basics of business continuity planning
Support the program
- Communicate to their organization their backing of the new program
- Enable the BCM to spend time owning their internal BC program by making it a priority
- Add BC program management to the BCM's measurable annual performance goals

32 Delivering Ownership: Guarantee
IF the business leader provides an engaged BCM and makes the BC program a priority, the corporate group promises:
- A compliance level, audit-ready program
- An internal group ready to respond to impacts
- Create an internal certification program

33 Program Building: Training the BCM
Responsibilities Include:
- First line of defense for their organization
- Will work with leader and corporate group and activate any response as required
- Ensuring all BCP compliance activities are completed
- Initial Review and approval of BCP activities
- Own the BIA process
- Training the BC Leads (Planners) for each department within their organization
- Ensure appropriate validation is conducted
Methodology
- Watch
- Participate
- Own
Certification
- When BCM can manage compliance and understand departmental recovery strategies, corporate group provides certification

34 Program Building
Corporate Group #4
Train the trainer: Each BCM will assist in selecting and training a BC Lead from the organization layer below.

35 [Diagram: Resilience, Business Ownership, Readiness, Compliance, Advanced Exercises]

36 The Framework
Step 1. Gain executive support
Step 2. Scaling the program
Step 3. Implementation
Step 4. Engaging the Business/Maturing the program

37 Engaging the Business: Create a sense of Community
- Pushing programs to the business will begin the enculturation process
- Create Community of Practice meetings for BCMs and BCLs
- Develop a BCM/BCL newsletter
- Meet regularly with the organization leaders to provide status updates; encourage the BCMs to own and lead the conversation
- Meet monthly with each BCM, weekly during update quarter

38 Maturing the Program

39 Maturing the Program
- As the BCMs become experienced and begin owning the compliance level, the corporate group will begin gaining more bandwidth.
- Develop a robust, realistic training program
- Look at and address any program gaps: vendor management, dependency mapping, seating reallocation program, etc.

40 Risk
- With the BCM/BCL program in place, the BC program has a large and powerful network of engaged teams and individuals across the enterprise.
- Work with other risk groups to assist with compliance and other risk assessments
- BCM/BCL network can be leveraged
- Working with the BCM/BCL community on risk will enhance their understanding of potential dangers and ability to plan for and respond

41 [Diagram: Resilience, Business Ownership, Readiness, Compliance, Advanced Exercises]

42 Questions