I had a déjà vu moment talking with a customer this week. The customer asked me how we could deliver (what I would call) a right-sized business continuity plan. And that made me flash on cybersecurity planning.
When we work with customers on cybersecurity planning, we like to use the “controls” specified by the Center for Internet Security (CIS). What we really like are the “implementation groups” that CIS defines. I wrote about CIS Controls last week (read it here). The TL;DR version goes like this: the controls tell you what to do, while the implementation groups tell you how extensively to do it. What you get is a right-sized cybersecurity plan.
Why Frameworks Don’t Deliver a Right-sized Business Continuity Plan
Getting a right-sized business continuity plan takes a little more effort. We use frameworks that are similar to the CIS Controls when we consult on business continuity planning. Here are three of our favorites.
- Here’s one from the Council on Foundations.
- We like this one from the Nonprofit Coordinating Committee of New York.
- And there’s this framework from the Alliance for Human Services.
All these frameworks are comprehensive. But what they don’t feature are the equivalent of CIS’s Implementation Groups. There’s no Papa Bear/Momma Bear/Baby Bear sizing guidance provided. Why? I call such frameworks “highest common denominator” plans. (The math geek emerges) These plans want to provide as much depth and cover as many variations and considerations as possible. They’re like your kid walking in front of you at the grocery store, tossing items into the cart. (Remember shopping at the store?)
During my customer meeting, I said that the difference between a robust business continuity plan and a right-sized business continuity plan was depth, not number of topics. For instance, you need a disaster recovery team. And the team requires certain roles, such as Finance, Administration and Communication. But in a smaller organization, those roles might be filled by the same person. And the attendant plans, such as communications, might be briefer than they would be in larger organizations. The art in business continuity planning is knowing what you can leave out, while still providing a proper level of resources.
Elements of a Robust Business Continuity Plan
What are the elements you should have in a robust business continuity plan? Here are some topics to consider.
- Restoration of applications
- Recovery of data and documents
- Delegation of authority
- Communications (internal and external)
- Primary and secondary workspace readiness
- Personnel and cross-training
- Ordinary and disaster-related program funding (if you’re a grantmaking organization)
- Plan training and testing
- Plan governance
- Services that will be restarted in full
- Services that will be restarted with some loss of capability
These last two items are more about scope than planning: what are we trying to resuscitate? Maybe we’re OK if we can’t recruit and hire people right after a disaster. Maybe we’re OK cutting checks, but at a reduced capacity.
Disaster recovery plans tend to focus on the first two items. Yes, that’s important, since ransomware is just another kind of disaster you have to recover from. But business continuity addresses the broader question: how do we get back on our feet as an organization?
How to Develop a Right-Sized Business Continuity Plan
We’ve seen the list of all the elements we need in our plan. How do we adjust the effort, so that we have a plan that works for us? How do we get to a right-sized business continuity plan?
We go back through each of these plan elements and ask: how much is appropriate for our organization? Do we need to worry about a secondary workspace? Or do we just presume that home is the secondary workspace? Do we define delegation of authority beyond two or three executive staff? Does our communication plan consist of a text notification service for employees, and a note on our website for partners and customers? Is that enough?
The key to arriving at a right-sized business continuity plan is knowing what things are critical to the functioning of the organization, especially in the short term. A foundation CFO once told me, “Dan, we write checks. As long as we can do that, everything else can wait.” Sounds like good advice: know what’s critical to restart in the first two weeks following a disaster. Then answer the question again for the first two months. Then the first year. Your goal in a right-sized business continuity plan is to get to the point where “we’ll figure it out” is a legitimate plan for everything that falls outside those critical functions.