How does Business Continuity Management incorporate Continuous Improvement?
Feedback from BCP Builder Community on LinkedIn:
- Hot and Cold Debriefs should be conducted following all incidents and exercises.
- Continuous improvement should be the result of performance evaluation at all parts of the cycle.
- We should be continually monitoring, measuring and assessing against our Business Continuity Management objectives (strategic, tactical and operational – assuming we have them); this includes audit and management review.
- The continual improvement is simply ‘acting’ on the outputs of these performance aspects. It’s not a separate phase but an umbrella to the whole management system.
Good Practice Guidelines
- Continuous Improvement also appears in Professional Practice 1 – Policy and Programme Management.
- This can be referenced in the Business Continuity Policy, which forms part of the programme. The Policy is enabled in Professional Practice 2 – Embedding Business Continuity.
- Continual Improvement is validated in Professional Practice 6 – Validation, which includes cost benefit analysis outcomes in most professional practice elements.
- My recommendation, although not referenced (yet) in the current Good Practice Guidelines 2018, is a Business Continuity Management maturity model.
  - Know your current state of competency.
  - Know the direction of travel.
  - Know the desired level of competence.
  - Know how you will close the gap to provide continual improvement.
  - Always have a “future” state beyond that which is desirable to drive continual improvement and stretch targets.
Continual Improvement Log
- I maintain a continual improvement log/document. It’s designed like a tracker, with root cause analysis, corrective and preventive actions, which I use to track continual improvements.
- What I track may include:
  - Non-conformities from internal audit and gap assessments.
  - Issues raised during exercises and tests.
  - Comments on issues and feedback on the Business Continuity program during management review meetings.
  - Non-conformities from external audits, e.g., ISO 22301 certification audits.
- I follow through by involving relevant parties and adequately tracking document updates (the document follows a cycle that captures the “current status” of each item until closure).
- Additionally, other parties get to work on this document, e.g.:
  - Each continual improvement item has someone responsible for it; therefore, I ensure the Business Continuity Manager (who is accountable for this process) works with those people to glean progress/resolution updates for each item.
  - Other independent parties, like representatives from internal audit and internal control, review the tracker too (each item is independently evaluated and monitored for effectiveness till it is closed).
- I ensure the Business Continuity Manager sends a summary report to the Business Continuity Management System sponsor/Management representative (who reviews and approves the items closed within the review period).
- Finally, a separate Continual Improvement summary report (mainly graphical) is presented to Top Management – bolstering the details that reveal the maturity of the program.