An interview with our BCP expert, Glenn Chamberlain
To get Business Continuity Awareness Week kicked off, we wanted to have a quick sit-down with a proficient business continuity professional, Glenn Chamberlain, to understand how he has been so successful in his role over the last several years, and the ways that he focuses on over-serving his clients today.
Why don’t you start by telling us a bit about yourself?
My name’s Glenn Chamberlain and I’m a consultant with risk3sixty. I work both in our compliance and security service lines, providing clients with a rounded and tailored solution to meet their needs. I graduated from Kennesaw State University with a BBA in Information Security & Assurance after serving as a Data Chief for five years in the United States Marine Corps. You can think of a Data Chief in the Marines similarly to a CIO in a traditional company’s organizational structure.
How has your background helped you implement BCP programs?
I have been able to take strategic lessons learned during military workups and couple them with the insight into business operation granted by my formal training and work experience. This allows us to bring practical and focused solutions to the programs we implement. Additionally, my formal training has included achieving my ISO 22301 Lead Auditor certification. ISO 22301 is a standard which the International Standards Organization created to unify business continuity management best practices into a cohesive management framework.
How has COVID-19 affected your BCP clients?
The great thing about having an established and mature business continuity program is that the hard work is done upfront before a continuity event occurs. By allocating the time and resources needed to establish appropriate plans and procedures during a period of relative calm, our clients were able to rely on those same plans and procedures as 2020 has unfolded. This ensured plans and SLAs were in place for employees, suppliers, and company services. So, for the clients, we strive to make it feel like it’s still business as usual even when it’s not.
What did you learn from putting so many BCP plans into action at once?
You’ve probably heard the adage that “The best time to plant a tree was 20 years ago. The second-best time is now.” Well, I believe that adage applies to business continuity programs. While organizations would obviously benefit from having established programs in place going into 2020 and all that it has offered, they will still benefit by starting today.
What are some key elements to include in a solid BCP plan?
I approach the implementation of business continuity programs utilizing a defensible approach so that our clients have a story to tell to prospective clients, suppliers, and even regulatory bodies. So, we utilize ISO 22301 as the framework for building our programs. With that being said, I believe some of the critical elements include governance, strategic planning, risk management, and the monitoring of the program.
I’d like to expand on each of those elements as each one can be wide in scope and deep in detail. Governance is where a solid business continuity program starts. This is where we look at achieving executive buy-in, commitment, as well as establishing the roles and policies that’ll be needed to build a robust program. Without these elements, you’ll find that it can be very difficult to get the resources needed across the organization to be effective.
Strategic planning encompasses the project management aspect of building out your program by ensuring the program meets the organization’s objectives and can overcome implementation roadblocks. This is also where you should develop some key performance indicators (KPIs) to be able to measure the effectiveness of your program.
Risk management is the process of identifying the risk to your organization and using that information to make decisions on either avoiding, transferring, mitigating, or accepting those risks. Practically, this process looks like the completion of BIAs, or business impact analyses, and threat assessments as well as generating treatment plans and recovery procedures.
And lastly, the monitoring of the program is required as you should always INSPECT what you EXPECT. This is a continuous process wherein you are able to evaluate your program utilizing those KPIs mentioned before.
What are some characteristics of companies with strong BCPs prior to your work with them?
Generally, what I see are very robust disaster recovery procedures in place, particularly for SaaS companies, but minimal business continuity plans and processes. Those which have both in place tend to be organizations in which the executive team has made this a priority and requirement year over year.
What are some of the common challenges you might face when developing a BCP for clients?
As with any new program or change to an organization, you can be met with a certain level of resistance, particularly if it involves the creation of new roles or the altering of existing processes. In these situations, it’s important to communicate the benefits that the business continuity program has to offer, not only to the organization as a whole but to their specific departments. This is also where great program management will succeed by providing teams with short- and long-term objectives so they can see and feel the continuous progress.
How do you ensure that executives are involved in the development of BCPs?
That’s a great question and one that’s essential to the success of a business continuity program. A business continuity program should not operate in a vacuum and certainly shouldn’t operate out of sight from the executive team because ultimately the decisions the organization makes will be their responsibility. To ensure the program aligns with the executive team’s vision and direction, the policies, procedures, business continuity roles and organizational structure, and risk management decisions should be reviewed and signed off by the executive team. In reviewing those items, the executives should validate that the business continuity program is meeting the objectives they have set forth to integrate continuity into the organization’s business processes.
It’s important to note that this is not a once and done process, but an iterative one. As changes to the organization are made or as the threat landscape changes, those processes and plans are to be reevaluated. Even without material changes to the environment, the business continuity program should be reviewed by the executive team annually.
How do you build a plan that’s both specific enough to work in each different scenario, but also broad enough to be effective in unplanned scenarios?
Part of what I learned in the military was the importance and effectiveness of small-unit leadership. I believe in providing your managers and leaders with the tools to succeed and allowing them to make the dynamic decisions needed to excel once established thresholds have been met to trigger the BCP response. What this looks like in the context of business continuity is the creation and assignment of roles and cross-functional teams within the BCP organizational structure as well as established decision-making frameworks to guide their decisions.
This is important because as you said, there will be scenarios that may not have been thought of, or more likely, they were thought of but because of finite resources organizations take a risk-based approach to developing continuity procedures. But by creating effective cross-functional teams with the latitude and authority to make decisions within predefined limits, organizations can provide those with the most information and insight with those tools necessary to succeed.
Are there any final thoughts you’d like to leave us with?
I’d like to reiterate the importance of not taking the time and resources to generate your business continuity environment only to file the deliverables into a drawer, getting pulled out at the request of auditors. For business continuity to be effective, it should be pervasive throughout the company culture and continuously adapted to the organization’s changing environment.
Also, I know implementing your own business continuity program can feel daunting or overwhelming, but we are here to help and have the experience and knowledge needed to make the process not only efficient but impactful.