You completed the hard work. Now it is time to wow management with what you have done and what you can do going forward!
After you have completed your Business Impact and Risk Assessment, it is time to build an executive report for management’s review. I like to do one comprehensive report including both the results of the BIA and RA. The report can also be done separately for each analysis if you prefer. Either way, the analysis will provide management with a comprehensive view of criticalities, dependencies, threats and risks.
Go into the meeting confident and proud. You will see, they will love your analysis.
Toward the end of the report include high level recovery strategy recommendations. They do not have to be finely detailed, as strategy development occurs in the next phase of the cycle. Let them know what might make sense and the options that are available. Management will most likely provide valuable input.
Work up some cost-versus-impact rationale. During the early years of my career I did not include high level recovery strategies in this report, and it was requested by management, so I improved the process. These value-added suggestions have always been very well received.
Tip – Great news: having completed a thorough analysis of recovery time-sensitivity, impact and risk, your business continuity plans will accurately reflect the reality of your business.
Tip – More great news: if you use an automated BCM system much of the dynamic content in your ensuing business continuity plan will be automatically populated and updated in real-time.
The executive report must be formatted in a professional, visual manner. When I did my first few executive reports years ago I Googled ‘executive reports’ for ideas on formatting. I admittedly do not have a very ‘visual eye’. When I used to develop software systems I would develop the back-ends – databases, logic, algorithms, etc. – and I would leave design to the front-end folks. Again, if you are using a BCM tool you may have a nicely formatted and easy to customize Executive Report template that automatically populates – how cool is that!
I structure the sections of my combined BIA and RA Executive Report as follows. Every organization is different, so please customize the report for the needs and requirements of your management:
- Give a short high level overview of the work that was performed
- List the objectives of the BIA
- Describe the process you used to gather the information
- Provide a listing of the processes in scope. I prefer to include all processes in my BIAs
- Describe the time buckets of time-sensitivity (criticality) to recover the process
- Provide a list containing each process/sub-process in time sensitivity order from most time sensitive to the least time sensitive.
- Include the process owner name and a brief description of the major impacts for each process
- Graph of the process/sub-processes, grouped by time sensitivity buckets, i.e. 1-4 hours…
- List of process/sub-processes by time sensitivity buckets, i.e. 1-4 hours…
- Provide regulatory impacts – I list each sub process with a criticality rating, authorities, fines…
- Provide revenue impacts – you can often get these from sales and/or accounting
- Provide brand impacts
- Provide customer loss impacts
- List IT Systems. Map systems to processes. Include the RTO, RPO
- List process staffing head-counts – both regular and recovery requirements. I group by time-buckets
- List employee skills and certifications
- Provide a summary of general findings during the interviews
- List threats / hazards to each of your locations
- Calculate the probability of threats becoming a reality
- List vulnerabilities
- List impacts
- List risks
- Include the BIA questionnaire you used to collect the results and the responses
- Include the risk assessment analysis, including threats, vulnerabilities and impacts
- Include the risk assessment charts (see risk assessment post for examples)
- Summarize all of the findings
- Describe high level prevention, mitigation and recovery strategies for each process/sub-process
Tip – For discussion purposes with management, include the previously mentioned high level recovery strategies you think are appropriate to meet the business recovery requirements. I show maps with arrows and icons illustrating some possible recovery strategies. I emphasize how I am being cost conscious where it makes sense and I will save them money while still building resilience into the business. I include pictures of workstation area recovery rooms, teched-out mobile trailer recovery solutions, etc. Executives are probably not familiar with what is possible to keep their business going. Wow them with what you can really do!!!
Executive Report Cycle Steps:
- Send the comprehensive report to management along with a meeting invite to discuss the report and to answer all of their questions. Give them a few days to read the report prior to the meeting.
- Meet with them and discuss the report. Some executives will read the report prior to the meeting and some will not. They will have questions and comments. Go through each section with them during the meeting. Keep the acronyms to a minimum. Answer any and all questions.
- During the meeting they will probably provide updates and adjustments for you to incorporate in the report. In some cases management might have a different view of the time sensitivity for recovering some of the processes. Occasionally, they view a process as less time-sensitive than the process owner does. I have rarely seen anything drastically misaligned between management and process owners. You will then make the adjustments they request and resubmit the report to management for final sign-off so you can move forward.
Congratulations on getting to this significant milestone. Yes, it is time to celebrate. Enjoy dinner at your favorite restaurant.