September 2023

by Michael Herrera, CEO, MHA Consulting

[originally published on mha-it.com; written by Colin Garrison based on an interview with Michael Herrera]

The business continuity management roadmap is a simple but powerful tool that can help organizations strengthen their BCM programs and enhance their resilience. In today’s post, we’ll lay out an eight-step process your company can use to create its own, customized BCM roadmap.

The Power of the Map

At MHA, we believe strongly in the value of roadmaps. We think they’re essential. There’s no better way to achieve an ambitious, difficult goal such as moving an organization from a state of vulnerability to one of resilience than by breaking that journey down into steps, putting those steps into a sensible order, and tackling the steps one-by-one on a phased timetable. This is what a BCM roadmap is and does.

In contrast, undertaking BCM projects without a roadmap is unlikely to bring enduring benefits no matter how much money is spent.

The roadmap is the mission of the program. The mission sets the direction, the direction sets the behavior, the behavior sets the actions, and the actions accomplish your goals. It’s the roadmap that puts everything in motion and makes that motion purposeful rather than flailing and arbitrary.

Unfortunately, most organizations do not have a roadmap, and this can generally be seen in the results they obtain—or rather do not obtain.

What a Roadmap Looks Like

Let’s get specific about what a roadmap looks like. It does not look like a conventional map. Rather, it is commonly formulated as a table or checklist. A typical roadmap sketches out the organization’s planned actions for its BCM program for the coming year, two years, or five years. It’s divided into time periods, such as business quarters, and it lists the actions the BC office will aim to accomplish in each period. Here’s an example:

Basically, the roadmap sets out what you are going to do and when as you move forward in strengthening your program. It takes into account the fact that you can’t do everything at once. The actions are sequenced.

As you can see, a roadmap contains two kinds of information: the steps to be accomplished and the timeframe for accomplishing each one. When we talk about creating a roadmap, what we’re really talking about is the task of coming up with this information. This is a challenging task but one that is eminently achievable, provided you proceed the right way.

Eight Steps to Creating a BCM Roadmap

The process of creating a roadmap can be broken down into eight steps.

  1. Establish a BCM governance structure, if the organization doesn’t have one. No effort to devise an enduring, effective roadmap can succeed in the absence of a governing body that is committed to developing and carrying out the map. This body must possess the authority to make decisions, resolve roadblocks, and obtain the necessary resources.
  2. Familiarize yourself with basic BCM methodology. Devising a BCM roadmap is not rocket science, but it’s impossible if the people in charge are not familiar with the foundational concepts of modern business continuity (e.g., BIAs, TRAs, and RTOs).
  3. Select a business continuity standard. Roadmaps are designed to bring organizations into compliance with standards. Therefore the organization must choose which of the available BC standards it aspires to meet. There are five main standards, each with its pros and cons. Which is best for a given organization depends on its industry, size, and mission.
  4. Decide whether you will seek help from a consultant and/or utilize one of the commercially available software tools. MHA has extensive experience in working with clients to devise roadmaps, and our BCMMETRICS tool suite is well-suited for this task. However, there are many consulting firms that can help and other tools that can do the job. It’s also perfectly feasible for a company to create a roadmap on its own with no special tools.
  5. Assess the state of your current BCM program. The real starting point in devising a roadmap is understanding exactly where the organization stands right now, at the beginning of the process, in terms of its recoverability and vulnerabilities. Be honest and unflinching in conducting your assessment. Pretending things are better than they are provides current comfort at the cost of future pain. Don’t do it if you’re serious about improving your resiliency.
  6. Identify and rank the threats facing the organization. Assess the threats facing the company and rank them high risk, medium risk, or low risk depending on the likelihood of their occurring and the impact if they did occur.
  7. Devise a prioritized list of steps needed to mitigate your risks and close any gaps. Sort the list so the highest risks and most serious gaps appear at the beginning.
  8. Complete the roadmap by distributing the necessary steps over the envisioned timeframe. The idea is to address the highest priority items first so your efforts yield the maximum gains in resiliency as soon as possible. It’s also important, in deciding on when you will do what, to be thoughtful about dependencies.

That’s all there is to it, except for one critical item: following through. The worst roadmaps are the ones everyone ignores. The best ones are working instruments that actively guide the company’s efforts and investments over time.

Ideally, the organization continuously strives to achieve the goals laid out on the map, getting things done in order and on time. Also, the map should be regularly reviewed and updated, though with no changes being made unless they are approved by the governance committee.

The governing body should also hold people accountable for meeting roadmap deadlines and be active about resolving roadblocks, whether of money, resources, or individuals. (BCM staff who bring roadblocks to the attention of the governance group should also offer suggestions on how they might be resolved.)

Moving from Vulnerability to Resilience

A well-structured BCM roadmap is essential for any organization intent on moving from vulnerability to resilience. By establishing a list of actions that need to be taken to make a company more recoverable, and ordering them in terms of priority and timelines, the roadmap gives purpose and direction to the organization’s efforts to improve its security.

Creating a robust BCM roadmap involves an eight-step process, starting with establishing a governance structure and concluding with distributing the prioritized remedial actions over the envisioned time frame. Three factors that are critical to the success of any roadmap are an understanding of BCM methodology, a willingness to face reality, and diligent follow-through.