Session R16: Examining the Inherency of Business Continuity in the Organization. Edward Cahn, PhD, PMP, CBCP BAE Systems

Transcription

1 Session R16: Examining the Inherency of Business Continuity in the Organization Edward Cahn, PhD, PMP, CBCP BAE Systems

2 Significance Introduction Problem Statement Purpose Expectations Hypothesis Methodology Agenda Organizational Structure Departmentalization Data Analysis 2

3 Crisis Management Team Training 3

4 Significance Since September 11, 2001 attacks in the United States, business continuity has taken on an ever increasing role of importance Many organizations have slowly begun to realize the vital aspects of recovering their businesses in the wake of disaster Several United States government edicts depict business continuity as having national importance Abundant evidence exists in various disaster survival statistics that firms do not invest enough time and resources into business continuity management 4

5 Introduction The lack of the implementation of a standard set of businesses continuity requirements allows organizations to create systems that are highly specific and applicable to their organizations only While this can be positive, it also promotes these organizations to do as little or as much as management allows Problems arise due to missing key elements and an understanding of the overall big picture of the organization Fragmented systems across industries are the outcome from this type of requirements-less implementation 5

6 Problem Statement The processes involved in developing and managing a business continuity system requires a vivid understanding of the organization Including its structures, dependencies, functions and stakeholders To be successful, a business continuity system requires a deep penetration into the organization down to the departmental processes themselves 6

7 Problem Statement By adhering to a rigid organizational structure, the tailoring of business continuity requirements must be done to provide the proper fit The main problem is that key requirements and organizational elements are likely to be missed By adopting a standard set of requirements, organizations can match corresponding roles to implement the proper set of constraints This will help to provide a cohesive and comprehensively resilient business continuity system 7

8 Purpose The purpose of this presentation is to explore and describe how basic business continuity requirements are already inherently present in most organizations The baseline for this presentation consists of: Research of established business continuity elements A known cross section of business types and organizational structures Pre-defined departmental functions 8

9 Expectations The economic payback of showing how business continuity is inherent in everyday organizational tasks will become evident By equating daily tasks to these requirements, employees will understand that there will not be a significant additional workload 9

10 Expectations The Business Continuity Manager (BCM) usually has expertise in another discipline besides business continuity The BCM is not expert in every other organizational function They are now the organizational expert in BCM The BCM needs to work with these other functions By showing that business continuity is already inherent in many functional tasks, the BCM can better fulfill his/her duties 10

11 Hypothesis An organization should not have to drastically alter its structure or create new entities to incorporate a business continuity system Implementation issues may arise if: An organization is not prepared Lacks an understanding of the purpose and requirements of business continuity By showing that many of the basic elements are already intrinsic, the organization will more readily grasp many of the new concepts presented When they have in fact already been a part of the system, it will also be easier to create and maintain: Implementation strategies Business continuity plans and procedures 11

12 Methodology The independent variable the changeable portion: Specific departmental functions Organizational structures The dependant variable the unchangeable constant: Accepted and published business continuity requirements British Standard :2006/ :2007 BS was found to offer the greatest uniformity and applicability BS provided the best set of constants for this study 12

13 Organizational Structure Organizational structure can be defined by the way an organization arranges its resources to best meet its goals and objectives There are an equally infinite number of organizational structures as there are organizational types Trends from the traditional organization towards new and adaptive structures have come to light in recent years Borgatti (2001) credits globalization at the forefront of these trends A diverse and flexible workforce also shapes how an organization operates 13

14 Organizational Structure Business Continuity Planning Business continuity planning Requires an organization to utilize a set of methodologies that enable it to: Analyze its threats Provide mitigations to minimize them Determine critical assets, processes and functions An organization must also see through the walls and look both externally as well as internally noting perceived and unperceived risks 14

15 Organizational Understanding Element 2 of BS (2006, p. 16) - Understanding the Organization the activities associated with understanding the organization provide information that enables prioritization of an organization s products and services, identification of critical supporting activities and the resources that are required to deliver them 15

16 Organizational Understanding In order to properly undertake these understanding activities, an organization must be intimate with its dayto-day operations, activities and outcomes in order to properly implement any type of system that effects the entire organization The organization needs to do a deep dive into itself and emerge with the awareness of its structure and critical make-up This will provide greater insight and more robust implementation strategies By breaking down the building blocks of business continuity, one can begin to understand its overall purpose in the organization 16

17 Organizational Function vs. Design Research suggests that by understanding how the organization functions (organizational theory) as an entity, one can see its inherent blueprint (organizational design) This bottoms-up approach is based on looking from the inside-out From the functional level towards the group or corporate level The inherent nature of business continuity can be better understood When looking top-down The view tends to be cluttered with the bureaucracy starting at the executive level and working its way through the entire organization 17

18 Organizational Structure Many types of structures, sub-structures, and combinations of arrangements exist in the business world today These formal compositions are based essentially on how they can best meet the organization s goals and objectives Their configuration is also defined by market, stakeholder, environmental, and geographical factors among others Six basic structures were best applicable for this study: Functional - Networked Matrixed - Borderless Projectized - Virtual 18

19 Departmentalization The process of departmentalization is defined as: The grouping of similar functions for the purpose of achieving a common product, process, or service 10 companies across 6 distinct industries were examined: High Tech & Manufacturing - Instructional Diversified foods - Life insurance Newspaper and communications - Transportation 19

20 Departmentalization This cross-sectional view provided a broad base of functions This helped to avoid any focus on a single industry which may corrupt the data Several functions were detailed as being a separate department in one company are subfunctions in other companies 20

21 Departments and Functions Twenty-one unique departments were defined: Communications Compliance Contracts Customer Service Distribution Engineering Environmental Safety & Health Facilities\Maintenance Finance Human Resources Human Resources Information Technology Legal Management & Administration Marketing Operations Procurement Quality Assurance Research & Development Sales Security Supply Chain\Logistics 21

22 Objectivity Analysis An objectivity analysis obtained the level of relevance of each department to the dependent variable This analysis examined the attributes of each department s function Analysis was scored to reflect their relationship to each of the 27 requirements of BS What level is the department responsible for meeting this requirement? How much influence in the organization does this department have in meeting the objective of this requirement? An equal analysis was performed at the organizational level Less important but supports departmental theories 22

23 Constancy and Variability Analysis A constancy and variability analysis assessed the level of rigidity and flexibility of each department to the dependent variable These scores reflected the levels of ability of the specific functional roles The department s ability to meet requirements The department s flexibility to vary its responsibility to meet requirements An equal analysis was performed at the organizational level Less important but supports departmental theories 23

24 27 Top Level BS Requirements 3.1 Planning the Business Continuity Management System Scope and objectives of the BCMS BCM policy Provision of resources Competency of BCM personnel 3.3 Embedding BCM in the organization s culture BCMS documentation and records Control of BCMS records Control of BCMS documentation Business impact analysis Risk assessment Determining choices 4.2 Determining business continuity strategy 4.3 Developing and implementing a BCM response Incident response structure Business continuity plans and incident management plans Exercising, maintaining and reviewing BCM arrangements BCM exercising Maintaining and reviewing BCM arrangements 5.1 Internal audit 5.2 Management review of the BCMS Review input Review output 6.1 Preventive and corrective actions Preventive action Corrective action 6.2 Continual improvement 24

25 Objectivity Analysis for Departments 80.00% 70.00% 60.00% 50.00% 40.00% 30.00% 20.00% 10.00% 0.00% Management & Administration Compliance Communications Quality Assurance Finance Human Resources Environmental Saftey & Health Legal Security Facilities\Maintenance Information Technology Operations Contracts Customer Service Distribution\Logistics Engineering Marketing Procurement Research & Development Sales Supply Chain Management Department 25 Total %

26 Departmental Objectivity Common Processes All functions share some common processes Data revealed that every department is involved minimally at certain levels with: Business continuity planning (paragraph 3.1) Defining scope and objectives (paragraph 3.2.1) Providing resources (paragraph 3.2.3) Assessing risk and analyzing its impact (4.1.1, 4.1.2) Determining choices and business continuity strategies (4.1.3, 4.2) Developing and implementing business continuity responses (4.3) These essential processes are required to ensure a sound foundation for business continuity in the organization 26

27 Departmental Objectivity Common Processes Each department is also involved with: Business continuity plans (paragraph 4.3.3) Providing management review inputs and outputs (5.2.2, 5.2.3) Implementing preventive and corrective actions (6.1.2, 6.1.3) Ensures that the organization will continually improve its business continuity system (paragraph 6.2) This level of basic inherency shows a logical progression toward the required basis for implementing business continuity 27

28 Departmental Objectivity Unique Tasks Every department has shared functions within the organization but are also performing unique tasks as well Communications (34.57%) based on common requirements plus its ability to communicate with the entire organization Compliance (53.09%) based on its own unique function in dealing with audits and document control This department is also aligned with Quality Assurance (34.57%) for the same reason of document and record control Every function has unique characteristics which it inherently produces its contribution to the overall organization These characteristics, processes and procedures also reveal themselves in the department s level of relevance to the business continuity requirements shown herein 28

29 Departmental Objectivity Unique Tasks Management & Administration is perhaps in the most distinctive position as having overall organizational responsibility While generally not usually a distinct department, this function is chiefly involved in almost every requirement Except control of records and inputs and outputs to management reviews The objectivity score of 73.31% shows the high level of applicability and therefore of importance of the management function to business continuity 29

30 Departmental Objectivity These top qualifiers therefore share the most influence on system implementation and retain the most responsibility Management would have the most control over the system given their level of objectivity The remaining seven departments fell within these limits with varying degrees of objectivity These results prove that that the objectivity of every department is basically inherent when implementing a business continuity system into an organization Those departments having the most influence also have the most relevance inherently contained therein 30

31 Departmental Objectivity Analysis by Business Continuity Requirements 80.00% 70.00% 60.00% 50.00% 40.00% 30.00% 20.00% 10.00% 0.00% 31 Competency of BCM personnel Corrective action Preventive action Review output Review input Maintaining and reviewing BCM arrangements BCM exercising Exercising, maintaining and reviewing BCM Business continuity and incident management plans Incident response structure Determining choices Risk assessment Business impact analysis Control of BCMS documentation Control of BCMS records BCMS documentation and records Provision of resources BCM policy Scope and objectives of the BCMS Continual improvement Preventive and corrective actions Management review of the BCMS Internal audit Developing and implementing a BCM response Determining business continuity strateg y Embedding BCM in the organization s culture Planning the Business Continuity Management System Business Continuity Requirement Percentage of Requirement Fulfilled

32 Departmental Objectivity Essential Processes Data revealed that every department is involved at a certain levels with at least 4 requirements (6.35%) Essential processes are required to present a consistent basis for the coordination of business continuity in the organization Competency of BCM personnel (3.2.4) % Corrective action (6.1.3) % Preventive action (6.1.2) % Review output (5.2.3) % Review input (5.2.2) % Maintaining and reviewing BCM arrangements (4.4.3) % BCM exercising (4.4.2) % 32

33 Objectivity Analysis for Organizations % 90.00% 80.00% Total Percentage 70.00% 60.00% 50.00% 40.00% 30.00% 20.00% 10.00% 0.00% Functional Matrix Projectized Networked Borderless Virtual Organizational Type 33

34 Organizational Objectivity Every organization is arranged to meet its own unique goals and objectives Regardless of which field of endeavor it operates in, the organizational structure is based on the basic tenets and needs of the business to meet its customer requirements It was found that the three most structured organizational types examined (Functional, Matrixed, and Projectized) all were 100% applicable to the stated requirements These three forms are also the most traditional and common types of company structures found in most industries today 34

35 Organizational Objectivity The Network organization is the next most structured form Rated 69.14% The less defined Borderless organization Scored 66.67% Both types were very similar in their analysis Both organization s scores reflect a lack of centralized management The Networked form was stronger in the aforementioned aspect then the Borderless It lacks in the areas of preventive and corrective action due to the nature of its subcontracted arrangement 35

36 Organizational Objectivity The newest and most open type of arrangement presented is the Virtual organization An objectivity rating of 43.21% This score reflects a lack of centralized management and company culture which is central to the Virtual firm s intrinsic structure The management function contains the most objectivity and is therefore the highest regarded characteristic concerning business continuity implementation The two important aspects of management and corporate culture are a necessary part of any business continuity system as it is those components that reside at its core 36

37 Thank You! Edward Cahn, PhD, PMP, CBCP (office) (mobile) BAE Systems 164 Totowa Rd Wayne, NJ