In this episode of the Managing Uncertainty Podcast, Bryghtpath Principal & Chief Executive Bryan Strawser discusses Business Continuity as a Service (BCaaS) and how you can mature your business continuity program through outsourcing your program with a company like Bryghtpath.
Topics discussed include what is business continuity as a service, how you can use it to mature your business continuity program while reducing your organization’s financial commitment to the program, and why companies would choose to outsource this service versus doing it in-house.
Hello, and welcome to the Managing Uncertainty Podcast. This is Bryan Strawser, principal and chief executive here at Bryghtpath. And this week I would like to talk about outsourcing your business continuity program. Or in other words, how can you contract with a company like us to provide business continuity as a service?
Now, lots of companies build and manage their business continuity programs in-house. They might hire an expert that has run a team before, run a program before at another organization. But they often will hire an expert in resiliency to help design and execute a program internally. But this comes with challenges. And if you lack the in-house expertise, or you need to implement a business continuity program quickly, you have another option. And that is business continuity as a service.
So what is that? What does that mean? Well, business continuity as a service is the practice of contracting with a third-party firm to design, build, execute, and maintain your resiliency program, your business continuity program. And at Bryghtpath, we work with a number of companies to do exactly this. And we often use the ISO 22301 standard as the industry standard, as to how we approach that service.
We offer business continuity as a service to companies of all sizes. Small consulting firms, up to multi-billion dollar utilities, healthcare organizations, and technology firms. So when we define business continuity as a service, we’re talking about the practice of contracting with a third-party firm to design-build, execute, and maintain your program. Now, why would you do this? Why would you outsource this?
Well, there’s a lot of reasons why companies choose business continuity as a service instead of building and managing a program in-house. The first one is that building that in-house team can be hard. In many locations, you’re just not going to find that many experienced business continuity experts, particularly those that will fit with the unique culture and approach of your organization.
And that makes the recruiting and retention process very difficult. Even in larger locations like Boston, or Los Angeles, London, New York City, business continuity roles are often difficult to fill. The process of recruiting, and hiring, and onboarding can take months or even years. Businesses continuity as a service lets you rapidly access experienced continuity experts without having to recruit or hire them as direct employees. And many of the companies we work with around the service think of our team as embedded members of their team. We’re integrated directly into their business processes as we oversee and lead their continuity program.
The second reason you might consider this is that in-house teams have high fixed costs. The nature of business continuity of course is that you never know exactly when your program is going to have to activate and deal with the challenge. For example, none of us thought, coming into 2020, we would be dealing with a global pandemic situation with COVID-19, but that’s where we found ourselves.
And here we are, a year-and-a-half later as we record this podcast, and we’re dealing with COVID-19. So a company must’ve built an in-house team and created this continuity program sometimes years before there’s a major disruption that really pulls the team into action. There are staff costs and leadership investment associated with that, required to create and maintain that program, and they’re significant. And this is often more than some companies want to invest.
Business continuity as a service is significantly more flexible. You have improvements to your continuity program much faster than you would by hiring an in-house team. And you don’t have to worry about the management overhead, losing staff, or replacing a key team member. You have outsourced that risk to a third party.
It’s also difficult to scale an in-house team and quickly when something happens. When a disruption happens, we often find that we need to rapidly add members to a continuity team when you’re inside of an organization.
And since you can’t hire and onboard them right in the critical moments, companies will find themselves pulling in staff that have no experience in resiliency, or pulling them off of other important capabilities and having them help in an emergency capacity. And again, that was a common story in March of 2020, when COVID-19 suddenly started causing shutdowns, and layoffs, and rifts, and furloughs across the economy, a practice that led a lot of companies to struggle as they adjusted to this rapidly changing world.
By contrast, business continuity as a service empowers you to scale up quickly, accessing continuity experts to the team, adding continuity experts to the team as needed, letting you adjust faster than you could otherwise. So those are three reasons why this might be something that you consider.
How does it work? Well, we can walk through the process we use here at Bryghtpath to deliver business continuity as a service. The first step is a program evaluation, a comprehensive look at what you’re doing. A full evaluation that looks at a needs assessment, reviewing all of your documentation and artifacts, conversations with key stakeholders and leaders in the organization, rating these on a maturity model against the ISO standard, providing observations about the program and opportunities and recommendations for improvement.
So we look at this, across the board for all of this information. And that evaluation then gives us a roadmap. We build out a roadmap, a detailed plan of how we’re going to oversee and manage the continuity program moving forward.
The second part is governance and policy and program support. So these things include managing, facilitating your governance process and documentation, reviewing and updating your programmatic documents, preparing updates for executives, board committees, the board of directors, and any other stakeholders that might be involved in governance and oversight. And then over time, on an annual basis, conducting additional maturity reviews and giving you those comparisons so you can see the strategic growth, the maturity growth of the program over time.
Then there’s the real meat of the service, and that’s the business continuity life cycle. So we’re managing all aspects of that life cycle for your organization. The business impact analysis, business continuity planning, training and development of the teams, documentation of exercises and tabletops, or running tabletops. And simulations, and full exercises. And then assisting in audit or compliance efforts that might touch or involve the BC program.
There are other components that can be added in as well. Vendor resiliency is a critical part of this. As a part of our business continuity as a service offering, we often participate in exercises and plan reviews with strategic vendors, identify vendors that warrant additional scrutiny, and review and work with vendor management or other stakeholders to monitor the resilience of your vendors. More and more companies are critically dependent upon third-party service providers, and so this is an important part of a mature business continuity program.
Your information technology team also plays a critical role in continuity planning. So with IT disaster recovery, we often find ourselves collaborating with the IT team to evaluate risk and create or maintain disaster recovery plans, providing that great BIA data to the IT team that helps them inform their application and infrastructure tiers and recovery planning.
We like to highlight gaps between the disaster recovery expectations about critical applications from business teams, and the actual recovery capabilities as defined by your information technology organization. And then of course, participating in assisting in DR exercises being led by the IT team.
Then there’s communications and awareness. That as an integrated part of your team, we will oversee the communications and awareness strategy within your company for your continuity program, which might look like a quarterly awareness strategy, for example, that has posters and digital collateral and other communications. Internal portal setup and maintenance with supportive materials, such as articles and other resources that promote team roles and responsibilities.
We author and post articles through your various internal communication challenges to educate staff about what they can do to support the organization’s goals for resiliency. And then we often use National Preparedness Month here in the United States as a way to really campaign for personal and family preparedness, knowing that if your team is able to take care of their family in a local or regional disruption, the more they have capacity to make sure that they can take care of the organization as well.
And then lastly, program management. That we regularly provide updates about the work we’re doing to you and your stakeholders, including regular status calls and meetings, real-time reporting, and program status, briefings, updates, and presentations, and then management of all of the logistics; meetings, conference calls, records management, executive updates and more.
So those are the seven components of business continuity as a service, with the way we think about it. But again, this can also be customized to your organization’s specific needs, or to other capabilities that you might need.
We do have some ad-ons that often come up. One is the ability to use or bring to the table business continuity software. Lots of programs, lots of you listening to this might be using Microsoft Excel and Word, or SharePoint, or Access, or some other tool that’s just not adequate to manage your continuity program. So we like to move them, move in our business continuity as a service offering, we like to move those organizations onto a professional business continuity software solution. And we have partnerships with organizations to help make that happen, often at a lower cost than if you were dealing directly with the vendor.
And then of course there’s a crisis management component, and this varies a lot by our clients and their particular needs. We have clients that manage their own crisis programs, and we have clients where we’re managing the crisis program as a part of business continuity as a service. But we can oversee and manage that entire crisis management plan and program, which could include development of your program and plans, maintenance of those plans, facilitation of exercises, and hands-on help as a trusted advisor or facilitator of the process when there is a crisis that impacts your organization, with significant depth of experience in crisis management. So our planning, training real-time assistance can really help you respond and recover, or adjust as quickly as possible.
There are definitely some keys to success to consider if this is something you’re thinking about. Whether it’s with us or another vendor, you want to make sure that the scope of work is clearly defined and understood. Use clear English, make sure it’s laid out. Include in that the tracking and reporting that shows progress, day by day, week by week, against your milestones. And all of that reporting is directly tied to the agreed-upon deliverables from your scope of work.
You should have weekly, or every other week, review meetings to discuss the status of the engagement, accomplishments, and upcoming efforts so that those are clear to you and your stakeholders. On a quarterly basis, that should be reviewed more broadly with a group of stakeholders and leadership. So think of that as a quarterly review. And there needs to be a clear process on how to escalate things internally when blockers occur, and then help your vendor move quickly to find solutions.
That’s a little bit of how we think about business continuity as a service. If this is something we can help you with, here at Bryghtpath, we work with the world’s leading brands, public sector agencies, and nonprofit organizations to strategically navigate uncertainty and disruption. If you’re interested in learning more about how we could assist with business, continuity as a service go to bryghtpath.com/contact.
That’s it for this edition of the Managing Uncertainty Podcast. We’ll be back next week with another new episode. Be well.
In this episode, Bryghtpath Principal & Chief Executive Bryan Strawser walks through the new Bryghtpath Global Security Framework. You could also call it a...
In this episode of the Managing Uncertainty Podcast, Bryghtpath Principal & Chief Executive Bryan Strawser discusses supply chain resiliency. What lessons do we need...
Join us as we sit down with Jeremy Baumann, Managing Partner at Corporate Security Advisors (CSA). With his extensive experience spanning from local law...
