4 Step Approach to Building Your Business Continuity Plan

By Lowers & Associates,

To stay prepared, organizations must expect the unexpected. Business Continuity Planning (BCP) addresses the need to have contingency plans in place to deal with potential threats that can turn an organization on its head. Continuity planning is a necessary part of coming out on top in the face of the most challenging circumstances such as a natural disaster, a significant market crash, or a serious hit to a company’s brand or reputation.

As a risk manager, CEO, or any party responsible for the long-term success of an organization, you need to have a plan in place to clearly outline what you would do if the worst were to happen tomorrow. Here are four phases to putting your BCP in place.

1. Business Impact Analysis (BIA)

The first step to building your company’s BCP is to consider the potential impact of each type of disaster or risk event that your company may face. For example, a company in the finance industry may consider the role of the stock market, data breaches, or the possibility of a fraud scandal. The BIA helps you discern which processes are the most critical to recover or initiate in a state of a disaster and assigns a monetary value to the protection of assets involved in specific business processes.

Key goals of the BIA should include:

  1. Identifying the impact of uncontrolled events
  2. Prioritizing critical functions
  3. Establishing maximum tolerable outages

2. Risk Assessment

Upon identifying the impact of the risks facing various functions across your business, the next step is to determine the potential magnitude of these risks. This is a critical assessment to perform, as it helps establish which risks should be most emphasized in the BCP. Priorities can be established by looking at which risks are most likely to occur to determine the breadth of coverage for your company’s BCP. To do this, you can run a gap analysis to compare your company’s current contingency plans against that of the proposed risks to identify any holes you need to fill. With knowledge of these gaps, you can analyze various threats to identify their respective impact.

To aid in this process, it is helpful to work from a list of potential emergencies or viable threats as well as the likelihood and impact of such events such as to personnel, assets, or monetary impact. These can help formulate different scenarios to plan for, such as natural disasters or terrorist threats, as well as minor events such a power outage.

A best-practice risk assessment report should cover the following:

  • Summary of Business Operations
  • Risk & Vulnerability Analysis
  • Critical Support Infrastructure
  • Physical Environment
  • Recovery Time Objectives
  • Business Recovery Strategies & Priorities

3. Business Continuity Plan Preparation

During this step, the BCP is developed, taking into account the likelihood, magnitude, and potential impact of the risks that were identified in the previous step. The BCP preparation stage will take it a step further by documenting strategies and procedures to maintain, recover, and resume critical business functions as quickly as possible. Part of this preparation will entail a list of procedures to address priorities for critical and non-critical functions, services, and processes.

The BCP should include:

  • Business Operations
  • BCP Organization
  • Plan Activation & Operation
  • Preparation & Readiness Checklists
  • Emergency Operations
  • Facility Restoration & Relocation
  • Emergency Communications
  • Emergency Forms & Terms
  • Incident-Specific Response Checklists

4. Business Continuity Plan Testing and Table Top Exercises

Once a plan is established, it’s time to put it to the test with table top exercises. During this final step, key staff members and management will come together to simulate their response to various emergency situations that were identified as likely risks. Using the procedures outline in the BCP, these exercises will identify gaps in the plans to improve them in a controlled setting. This process can also help establish the different roles and responsibilities across team members.

When it comes to risk mitigation, hope for the best but plan for the worst. Take your risk planning to the next level by getting started with your Business Continuity Plan. Talk to a risk mitigation expert today.

  Category: Risk Management
  Comments: Comments Off on 4 Step Approach to Building Your Business Continuity Plan

Is Your Organization Moving Toward High Reliability? [SlideShare]

By Lowers & Associates,

High Reliability Organizations (HROs) offer benchmarks for other organizations and systems whose missions are critical but operate in challenging high-risk environments. Successful HROs offer insights on operations, culture, performance, and evaluation that can be adapted to other organizations to improve the reliability of achieving objectives.

Early research on HROs attempted to understand how organizations such as aircraft carriers and the air traffic control system could continuously produce desired outcomes despite the high uncertainties of input conditions (environment) and the inherent interdependence of operations. Observing these unlikely success stories led to the distillation of 5 principles:

• A preoccupation with failure.
• Reluctance to simplify.
• Sensitivity to operations.
• Commitment to resilience.
• Deference to expertise.

Recently, managers in less fraught, but still complex, organizations and systems have begun to adapt these principles to deliver a similar high reliability in outcomes. Among others, good candidates for applying the lessons of HROs include the cash management system and healthcare organizations and systems.

The Joint Commission on healthcare accreditation is sponsoring work to develop a path for healthcare organizations of various sorts to move toward high reliability outcomes. A 2013 Joint Commission paper by Mark Chassin and Jerod Loeb titled “High Reliability Healthcare: Getting There from Here” summarizes a process to move toward the goal. An important point it emphasizes is that the improvement is continuous: HROs seek perfection, but never finally reach it.

Chassin and Loeb lay out stages healthcare organizations might follow on the journey toward becoming an HRO. Other types of organizations would have to adapt these to their own circumstances, but they do provide a template for moving forward.

Our latest SlideShare, What makes a High Reliability Organization? provides deeper information about the 5 principles, and illustrates how they might be applied in your organization.

Take a look here:

Slideshow: What Makes a High Reliability Organization?

By Lowers & Associates,

High reliability organizations (HROs) operate within challenging conditions. Think of air traffic control, aircraft carriers, and nuclear power plants for clear examples of such conditions. Mistakes in these settings often have catastrophic consequences.

Yet they seldom fail.

HROs have the unique ability to deliver stunning reliability in complex environments. How do they do it? What makes an HRO? Our latest slideshow provides a glimpse inside. Read through it here:


The Making of a High Reliability Organization [Infographic]

By Lowers & Associates,

The High Reliability Organization (HRO) is an irresistible topic. How can any organization (like an aircraft carrier) or organized system (like American commercial aviation) operate in a totally threat-filled environment without frequent catastrophic failure? How can any organization realistically seek perfect reliability under conditions where the unexpected is routine?

Organization design experts have been working out the answers to these questions over the past 20 years. What has emerged from this research is a growing understanding about how an organization in a complex environment can become a resilient, adaptable HRO.

People working in HROs continuously seek ways to improve processes, and use every failure as an opportunity to install beneficial changes. They do not assume that just because something has worked well in the past that it will always continue to do so. The people and the system they are part of are open to change.

Early research focused on “heroic” organizations like the U.S. commercial aviation system. In 2015, there were about 24,000 commercial flights every day, operating through a network of 476 control towers and 14,000 controllers. Yet there were zero fatalities due to operations in commercial aviation that year.

Vivid outcomes like this helped to highlight how HROs operate to manage the unexpected. These same principles can be used in more ordinary organizations and systems to improve performance. A prime example is how healthcare organizations of different types are working diligently to adopt HRO principles.

This infographic, The Making of a High Reliability Organization, gives a fast summary of the characteristics of an HRO. Managers of every organization should be familiar with HROs to evaluate how they might adopt operational and cultural factors that lead to very high reliability to their own environments.


5 Principles of High Reliability Organizations

By Lowers & Associates,

High Reliability Organizations (HROs) are anomalies. They exist in the kind of very complex, fast-evolving environments where you would expect chaos to prevail. But it doesn’t. HROs are able to cope successfully with unexpected conditions. That’s what makes these unusual organizations so attractive to researchers.

What can we learn from them?

Knowledge about HROs is rooted in what we call “heroic” organizations like aircraft carriers and air traffic control systems where a thousand things must go right every moment or someone dies. People like Karl Weick and Kathleen Sutcliffe, two of the most prominent scholars in the field, are beginning to stretch the concepts developed by evaluating HROs to apply to less heroic settings like banking, healthcare and manufacturing.

Weick and Sutcliffe use the phrase “mindful organizing,” which entails “sense-making, continuous organizing, and adaptive managing” to summarize the approach taken by HROs.[1] They identify 5 principles that make up the body of mindful organizing found in successful HROs, and in organizations that aspire to that continuously high reliability.

1. Preoccupation with Failure

Systems in modern organizations are complicated, and they experience failures. HROs focus like a laser on failure; they give “continuous attention to anomalies that could be symptoms of larger problems.” The basic insight here is that big problems don’t emerge fully formed in an instant. They are almost always preceded by smaller problems or anomalies, or evidence that would point to the big problem if it were given proper attention.

What HROs do NOT do is assume that if a control in place succeeds in containing a failure, everything is right. They look deeper into an incident to find underlying causes. They also do not lump a failure with common elements to another into a class that all are alike. Evidence is gathered and evaluated.

2. Reluctance to Simplify

Complexity means that organizations have numerous potential sources of failure, and HROs do not apply generalized terms to describe them. It is a common and convenient response to a problem to name a general kind of cause and consider it a solution, e.g., ‘the bank has a state of the art alarm system’ so the failure of the alarm can be fixed by replacing it. What if the alarm’s failure is caused by something deeper, what specifically was the cause? In HROs, the occurrence of a failure is taken as an opportunity to dig deeply into the details of the system involved to find a real cause-you differentiate the details within those broad, convenient generalizations.

3.  Sensitivity to Operations

Operations happen in real time, they include both discrete components and the system they compose. As such, operations generate outcomes that we can observe. The HRO continuously evaluates outcomes to determine if they are in fact serving the objectives of the organization. They do not assume that the continuous outcomes will be the same as planned, assumed, or hoped for.

Operations are what an organization does. In this sense, HROs treat them as hands-on experiences from which lessons about the organization can be taken to further improve function in real time.

4.  Commitment to Resiliency

“The signature of the high reliability organization is not that it is error-free, but that errors don’t disable it.” HROs are essentially adaptable, learning organizations. They can experience a failure but continue operating under degraded conditions while marshalling resources to restore capacity.

To operate like this, HROs can recognize emerging anomalies despite prior beliefs, experiences, or plans. In large part, this requires both open-minded observation and a willingness to react appropriately even under unanticipated conditions.

5.  Deference to Expertise

The fact that an HRO must be open-minded rather than judgmental leads to the idea that the culture of the HRO defers to expertise. The key point, however, is that the “expert” involved is the person with hands-on knowledge of the operation at the point of a failure, not the “expertise” conferred by hierarchical authority.

In the HRO, the expert has access to upward reporting, and there is no intimidation from authority to impede the communication. The openness required for the HRO to succeed depends on accurate information from every source.

Not every organization will adapt every HRO principle, at least in the short term. Many organizations can improve continuous operational reliability by adapting the pieces that fit. Over time, more and more of the organization can be improved this way, moving toward the “perfect reliability” objective of the HRO.

Learn more about making your organization an HRO in our new whitepaper, Building a High Reliability Organization.

[1] Weick, Karl and Kathleen Sutcliffe. Managing the Unexpected: Sustained Performance in a Complex World, 3rd Edition. Hoboken, NJ: John Wiley & Sons, 2015. p. 7, 21.