The CXO Group: Business Continuity Planning

“He who fails to plan is planning to fail.”

~ Winston Churchill paraphrased from Benjamin Franklin

Business continuity planning (BCP) is not considered an essential business priority until after an event such as a weather or cyber event. However, responding after an event oftentimes has a greater bottom-line financial impact than spending the resources necessary to prepare for one. Business continuity consists of a business’s plan of action. It ensures regular business will continue during a disaster or shortly after an event.

CXO's Tropical Storm & Hurricane Preparedness Experience

Since large events such as the Northeast Blackout in 2003 and Hurricane Katrina in 2005, the US has built a higher degree of competency and resilience in BCP through programs such as the overarching “Critical Infrastructure Protection” (CIP), the National Incident Management System (NIMS) Training Program and the Homeland Security Exercise and Evaluation Program (HSEEP).

Organizations such as Homeland Security, the Federal Emergency Management Agency and the North American Electric Reliability Corporation have spent the last several years building resiliency tools, guidelines and even required standards to help businesses plan for and successfully manage business continuity events. Entities such as the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST), by contrast, are mission-based standard-setting bodies.

Business Continuity Versus Disaster Recovery: CXO adheres to the best practice that Disaster Recovery (DR) and Business Continuity (BC) are two entirely different strategies, each of which plays a significant role in safeguarding business operations. When it comes to protecting your technology assets and business data, it is critical to understand the differences and plan ahead. Those differences arise from both usage and application after a catastrophe strikes.

According to Verizon’s 2019 Data Breach Investigations Report, 43% of breaches involved small businesses of less than $100M of gross income a year.

Disaster recovery is a subset of business continuity planning. CXO believes the best disaster recovery plans 1) take business requirements into consideration, 2) take system capabilities into consideration and 3) are characterized into service level agreements (SLAs), for example platinum, gold and basic. Further, a total cost of ownership perspective is recommended for developing SLAs; for example, a system that never goes down is very costly. Unless the entity has already defined SLAs for disaster recovery (of which reliability, durability and redundancy are usually a subset), CXO recommends the City consider either 1) defining these SLAs and/or 2) if outsourcing IT is an option, focusing on an outsourcing initiative that will include these steps in the process definition.

Basic SLA components of disaster recovery are included in the table above.

The CXO Group uses its 6-step process to build, launch, exercise and assess a business’s BCP.

“Practice Makes Perfect”

~ Proverb Anonymous

“The more you practice, the better your skills are.” The proverb has been traced back to the 1550s-1560s, when its form was “Use makes perfect.” Similarly, with BCP, the more an entity practices (“exercises”), the better prepared it will be and the sooner normal operations can resume when (never if) an event impacts operations.

1. Analyze: act as a trusted partner.

2. Assess: proficiently prioritize gaps.

3. Evaluate: work in conjunction with a business’ team.

4. Act: focus on bottom-line achievable results.

5. Cascade: ensure effective communication plan.

6. Control: create sustainable achievable plan.

1. Analyze: Act as a Trusted Partner

Our differentiator: CXO comes alongside a team and starts BCP where a business is today. CXO gathers as much information as possible to better understand the present state of business continuity for a business. We believe in building on present foundations rather than reinventing, and therefore in this phase it’s critical to review documentation such as identified risks, company profiles, regulatory requirements and past performance. We partner with the primary stakeholder (Emergency Manager, BCP Director, CISO) to drive meaningful results. It is at this stage that a strong governance structure is established to ensure an inclusive, successful, results-based project (scope of work).

Also at this point CXO will begin the process of meeting with critical stakeholders (both internal and external) using both custom and standard tools.

Outcomes: develop the baseline status and recommended next steps of BCP based on present documentation and external best practices.

2. Assess: Proficiently Prioritize Gaps

Often there are so many BC opportunities that it may be difficult for an organization to know where to start. CXO identifies your process, people and technology capability gaps, as well as labeling the greatest potential risks based on prior history, present performance and external factors.

Outcomes: BCP opportunities are ranked based on several different predetermined factors from step 1.

3. Evaluate: Work in Conjunction with a Business’ Team

CXO works with a business’s team to confirm the present versus desired process performance. A number of different tools are used at this point, including workshops and department-level tabletop exercises.

Outcomes: recommendations of changes that are required to people, processes and (possibly) technologies.

4. Act: Focus on Bottom-Line Achievable Results

Oftentimes when a plan is developed at a department level it may not be achievable at a business level because of several different colliding priorities. It’s critical to confirm the ability of the business to move forward with step 3 recommendations based on time, human resource and financial requirements. Those decisions are discussed and determined at this stage.

Outcomes: final next-step strategic, tactical and operational decisions approved by the entity, including timing, resources and financial requirements.

5. Cascade: Ensure Effective Communication Plan

It is at this point that more comprehensive BCP occurs and plans are expanded from governance and one department to organization-wide (including, if necessary, board, executive, external stakeholder and customer). Business-wide tabletop exercises are completed at this phase, as well as comprehensive communication, marketing and media plans.

Outcomes: comprehensive tabletop exercises and/or executive presentations.

6. Control: Create Sustainable Achievable Plan

“He who fails to plan is planning to fail.” ~ Winston Churchill

BCP is a continuous process, and the processes to manage it are similar to operational excellence – what worked today is not necessarily guaranteed to support a business’s needs tomorrow. Therefore, it is critical to create a governance structure that enables a business to validate its annual requirements and then execute and exercise at a department and business level (and possibly between businesses) on a periodic basis.

Outcomes: governance structures, service levels and ongoing processes created to enable continuous improvement in BCP and ultimately mitigation of risks.

If you are interested in understanding how CXO can help you with your BCP using our integrated C-suite approach, please contact us today at