I strongly believe a great Business Continuity Management (BCM) system is a critical pillar of any mid to enterprise size world class business resilience program. In many ways it is the centerpiece of your technology stack. With a great BCM system you may be able to put much of your program on auto-pilot as I have multiple times!
If you do not own a great BCM system you are probably not getting the full insight into inter-dependencies, risks and opportunities. In my experience plans, dependencies, upstream and downstream gap analysis maintained in word processing documents and spreadsheets can get ugly real fast. Perhaps, you realize those solutions do not scale well. They will inhibit you from spinning finely sliced and diced data into the actionable and insightful metrics and reports you, management and your employees deserve.
BCM Systems Selection Criteria, Suggestions, Tips and Vendor Questions:
If you decide to research the value of a BCM system, I have some suggestions in this post that might help make your life a little easier, and your system evaluation more comprehensive.
- I will describe features and benefits I seek in a great BCM system.
- I will provide you with questions that you must ask vendors to separate the ‘wheat from the chaff’
- I will reinforce the advice we discussed in the ‘You Must Pilot before Buying’ post. Remember, never skip this step!
I have successfully researched and implemented multiple BCM systems for mid and large enterprises, so I speak from experience. It took a few bumps and bruises until I perfected my research and implementation process. These systems were instrumental in bringing each program I worked on to a world-class level. In addition to my suggestions, you must perform thorough due-diligence during your evaluation process.
Tip – Your first step is to conduct a thorough needs analysis within your organization. Decide on what you want to get out of the system. That will drive your system selection. When I was a software developer and built enterprise database systems I started at the end and worked backwards. I would discuss what reports and data input fields were valuable to the client. I would then build user friendly forms so it was simple for users to enter and maintain their information. It pays to be detailed and thorough in documenting what you will want and need from your new BCM system.
Tip – Do research. There is no one-size-fits-all. There are great, good and not so good systems on the market. You might overpay for features that are of no value to you or you may get a low-ball price and buy a system that does not have the benefits you require. You do not want to go there. Contact me if you need assistance. As I have stated throughout the Ultimate Business Continuity platform, I am here for you.
TIP – Read case studies and review the vendor’s website. If they have on-line videos watch them. Look at their reports and input screens. If you like what you see, speak with a salesperson and have him/her conduct a high-level webinar for you and your team. You can use some of the tips and questions in this post but don’t ask them all on the first webinar. The first webinar will have info about the company, which is important, and then they will go through a high-level demo of their product. We call it a dog-and-pony webinar.
If you like what you see and hear, you can do another more in-depth webinar and get all your more detailed questions answered. Do not hold back. Make sure the salesperson has a pre-sales engineer on the call that can answer some of the tech questions in this post.
TIP – Be sure to ask for current and past references from the vendor and speak with each reference. Read between the lines as they provide information. Drill down on their responses when it makes sense.
However, these references are the people the vendors are giving you, so they probably will be positive – ya think? Definitely go beyond these cherry-picked references. Do your Internet research and see if there are any horror stories out on the web. Then pick up the phone or send an email and try to get the scoop. They might give you critical info. If they got burned they may want to prevent the same thing from happening to you. Hey, the worst that can happen is you make a new contact and maybe they say ‘no comment’. It is worth the effort. I can also give you advice on good and not so good products.
But there is more you have to do! You must pilot the finalists!!!
You must kick the tires and really learn the capabilities of each system!!!
Doing a pilot is essential. If you skip the pilot it very well might come back to bite you. You will get bit and you will sigh, ‘I should have listened to Marty, he really knew what he was talking about.‘ I have seen it play out too many times. A pilot will provide clarity. It takes the guess factor out of the equation. During or after the pilot you will know if the system is right for you.
A pilot should be easy for the vendor to set up. Ask for 30-60 days to test. Modern BCM tools often live in the cloud so it is simply a matter of ‘instantiating (spinning up) an instance’ (tech talk for setting up a test site) for you and getting you access. 24-48 hours is all it should take for you to begin testing. It sidesteps the yester-year complicated and time consuming requirement of installing on your infrastructure. If you want to show off your tech chops and impress everyone on the call ask the rep if she can, ‘instantiating an instance’.
Tip – During the pilot make certain to stress-test the system with dummy (masked) data – nothing sensitive. If you expect to have 10,000 records in the system, then put 20,000 or more dummy records and see how it performs. If there is latency during testing it should be a red flag for you.
If you are a vendor reading this: as a buyer, I feel good when a vendor strongly advises I do a pilot. It shows me you are confident that your product will speak for itself. Words are cheap – ‘the proof is in the pudding.’ Impress us.
Below are features in a BCM system that are important to me because they provide benefits and value to my company. If a feature is included in a system but it does not provide any benefits for my company, I do not need valueless bells-and-whistles.
A word of advice: In my opinion your great new BCM system should be a ‘product’ rather than solely a ‘framework’. By ‘product’ I suggest it should include a high percentage of what you will need from your new system on the day you buy it – ‘out of the box’ – without any customization! That includes reports, dashboards, input screens and a normalized database structure.
If you are buying a ‘framework’ understand that getting to production likely will take additional time, effort and perhaps consulting fees.
Your new system should be built on a robust relational database. It must be powerful to scale yet easy to use. Even if you have 1 million records it should be fast.
Your new system should quickly and easily produce consistent detailed reports and dashboards for management. It should include a BIA, RA DR, inter-dependency mapping, IT gaps, RTO inconsistencies and more – on Day 1 – when you buy it.
The ‘product’ should also be customizable. You should be able to build on the 85%+ solution the vendor has supplied. It should be easy to add additional input forms, reports, dashboards, triggers and workflows.
Finally, it must also be easy to migrate your existing plans and data into your new system.
Questions for the vendor- As part of your evaluation, webinars and request for proposal ask about the following. The benefits of each are in italics.
Mr. / Ms. vendor please tell me:
- Dashboards – are they dynamic? Do they include real-time data? Show me. Please change data in a form/table and show me how the dashboard changes. Do I have to refresh the page for updated results? = Management will use these – so blow them away with great real-time dynamic dashboards!
- Do you have a flexible form builder so I can easily build user friendly intuitive forms? How much control do I have over the look-and-feel of the form? Can I use field color properties and background images? Please demonstrate = Users will be spending time in front of the User Interface (UI) so no 1990’s dated interface. If it is too hard for them to input data into the system and they have to first input into spreadsheets or word processing documents and then you enter it in the system you will have big trouble.
- What properties do fields have? Colors, size, phone masks (111)-222-3333, conditional on the data in previous fields? = The more properties fields have the more control you will have in customizing the user experience
- How are sub-forms (child) linked to master forms (parent) on an input form? = You will want to do this to take advantage of the relational qualities of the system. It should be easy to do with minimal clicks
- How do users input sub-form data into a master form? For example, in a business continuity plan how do we add software systems or vital records dependencies to the Customer service business continuity parent form.= Think one-to-many items which can be tedious unless the system makes it easy. Do you have to click to another form or is there a ‘data-grid’ type object on the master form? Those extra clicks add-up very quickly and become very time consuming and very confusing to users. You will get complaints if it is not fast and easy
- Please show me how do I do real-time dependency mapping and gap analysis both upstream and downstream for processes and systems? = The ability to understand upstream and downstream dependencies and critical gaps is important. The BCM tool should make it easy to create analysis reports between any fields in the system. Doing this type of analysis manually can be next to impossible
- Is the presentation layer separated from the data layer? = If it is then the underlying data can then be easily displayed in a form or report in multiple ways for different users. If the data is bound to the form it is not as flexible. I have seen it both ways. Unbound is better, in my opinion
- Tell me about your core BIA / BC Plan(s) mobile app. Is it included in the base price? Is it responsive built with HTML 5 or native IOS / Android? = Plans must be available on mobile platforms. When you ask these type of questions they know you are steeped in tech knowledge. If you are really nice, you will say you read about this in on Ultimate Business Continuity : )
- Tell me about your incident management capabilities? Do you have a dedicated incident management mobile app. Is it responsive HTML 5 or native IOS / Android apps = The ability to manage an incident from anywhere. Mobile is a must
- Please show me your customizable BIA template(s) =You want something to get you started quickly that you can easily customize for your needs
- Please show me your customizable Risk Assessment template(s) = You want something to get you started quickly that you can easily customize for your needs
- Please show me your customizable BCP template(s) = You want something to get you started quickly that you can easily customize for your needs
- Please show me your customizable report templates. = You will need a lot of reports so they have to get you started quickly with a buffet of reports that you can easily customize for your precise needs. There should be no need to build everything from the ground up
- Please show me your full-featured report writer to create powerful new reports. Please build a report for me while I watch. Please join a few tables in the report you build =You will need to easily create new reports over time as your system grows. Asking them to join tables makes sure they do not just show you an ‘easy-peasy’ report
- Please describe the user access security configurations. How do we set up individual and groups of users? Do you support role based access? How do we limit (filter) the data that users can access? = User access is very important, especially if you are maintaining employee data with personal contact information. Role based access is an important concept.
- Do you have a rules engine? Please describe the capabilities. Can we set rules and triggers or do you have to do it? = This allows you to build logic into your forms without the need for coding. You can customize behaviors and automate processes.
- Do you have a workflow engine? Please explain how it works? Can we customize it or do you have to do it? = This allows you to get sign-offs, send emails, create tasks…
- Do you have both an on-line and written user guide? Can I please read it? = pdf is fine – skimpy short often outdated videos are not fine, in my opinion
- Do you have both an on-line and written admin guide? Can I please read it? = pdf is fine- but it must be thorough. Skimpy short often outdated videos are not fine in my opinion
- Do you have an Application Programming Interface (API)? Can you please send me some documentation for my technical team to review? = A good API will enable you to integrate (connect) with other programs such as situational awareness systems and mass notification systems. Ask which types of systems they currently integrate with. Your IT team can review the API with you
- Please describe and demonstrate your methods for data imports = You will most likely want to do nightly feeds of automated SFTP uploads and/or manual imports using spreadsheets, especially if you are migrating from another system or maintaining word docs and/or spreadsheets. Also, you may want to import existing BIA’s and Plans into your new system. Make sure it can be done. If you do a pilot, ask them to import a plan or two and show you the results
- Do you have the capability to localize to various languages? Which ones? = Important if you are a global enterprise. I have used systems with scores of languages.
- Who hosts your platform? What is their up-time? Can you send me a third-party audit of their data center(s)? = Very important! You must be up-and-running!
- Will our data be in a separate database instance or in a shared database with other company’s data? = If shared – Red Alert!
- Will our database instance be located on a shared server or a dedicated server?
- How often is our database instance backed up? What sort of backup is used? Who on your team and the hosting team has access to our data? = Your legal, auditors, HR and IT security teams will need to know this, as you are storing sensitive data in the cloud.
You can also use some of the questions in this post as part of your request for proposal document (RFP). You can then compare and rate various systems in a structured manner.
Track each of the responses in a vendor evaluation spreadsheet.
When you get to the finalists you must do a pilot of each system!
If you urgently need suggestions please contact me and I will get back to you within 48 hours with my recommendations and supporting information.