14 Steps to Selecting a Business Continuity Software Vendor

How to select a Business Continuity Software vendor

Business continuity management is all about helping organizations ensure that their critical business functions continue to operate in the event of an unexpected disruption. And as disruptions have become more commonplace, business continuity has become more consequential.

Accordingly, the practice has changed, as well. Although the business impact analysis and business continuity plan remain lynchpin practices, business continuity has become more strategic, oriented toward business resilience and away from check-the-box compliance.

As a result, digital technology is now intrinsically linked with business continuity and enterprise resilience. And thanks to advances in cloud computing, business continuity software can speed up processes, help practitioners perform deeper levels analysis, and collaborate more effectively.

Of course, software requires investment, and investment requires backing. How to make your case for business continuity software and then pick the best software vendor for your needs? Many business continuity managers have asked those very questions.

To help answer, we’ve put together this guide, laying out 14 clear steps to selecting a business continuity software vendor, with a final software selection template you can use to select the best software solution for your needs.

Part One. Building the business case

In many organizations, you’ll need to build a business case for business continuity software to get the greenlight to progress to software vendor selection. And so, in this section, we’ll take you through the steps to building a business case for business continuity and resilience software.

Step 1. Understand external forces

Business continuity isn’t just about compliance, but often compliance is a driving force of software procurement. If this is the case, your software business case should make explicit note of that rationale. List out the precise statutes the organization needs to comply with and what the exact requirements are; recent regulations with extensive business continuity requirements include:

• The Digital Operational Resilience Act (DORA)
• Australian Prudential Authority (APRA) CPS 230
• Sound Practices to Strengthen Operational Resilience
• U.K. Operational resilience of the financial sector regulations

Beyond regulations, though, customers, partners, and suppliers might also be external actors pushing the organization toward digitizing business continuity. For each factor, list out the exposure type (e.g., risk of fine, risk of lost revenue, breach of contract, etc.,) exposure explanation, and the exposure amount.

Step 2. Figure out who would be impacted by disruption

Senior leadership might still be unmoved. In which case, it’s important to identify who would be impacted by the inability to deliver your products and services and how much disruption would they face. Again, potential impact categories will include the market, customers, investors, suppliers, the Board and senior leadership, employees, and brand reputation.

If you’ve done a business impact analysis, you likely already know when pain is felt initially, when that discomfort becomes intolerable, and what would be the ultimate impact to the company. If you haven’t, consider the following factors:

• The role your products and services play in the lives of others
• Potential substitutes for your products and services
• Impact categories that are likely to feel the worst pain and when they are likely to feel it
• Potential impact to the business, including loss of customers, loss of employees, regulatory sanction, reputational crisis, etc.

Step 3. Cost out your assumptions

Like a legal brief, your business case should tell a story. And just like in court, emotionality must be tempered with appeals to reasons. That’s where numeric supports come in. You must cost out just how much disruption will cost the organization, as the return on investment for procuring a software solution to avoid that disruption.

Again, if you’ve already performed a BIA, this step will be easier. You will start by determining the most important business services and products the organization delivers. Now, what if they go down or are otherwise unavailable? Add a rating for each of the following:

• Scope of disruption
• Revenue at risk
• Deferred revenue
• Potential fines or penalties due to downtime

Step 4. Determine your vulnerability

Now that you’ve identified each of your core business services (and products), you must ask yourself how vulnerable each is to disruption. On a scale of extremely vulnerable to not vulnerable at all, rate each; to do so, ask yourself some of the following questions:

• Are there multiple delivery channels available to reach the customer?
• Is there flexibility in channel engagement?
• Are there single-points-of-failure for facilities, people, equipment, IT, and/or transportation?
• Are there other logistics-related single-points-of-failure and/or long lead times to transition to alternatives?
• Is there adequate supplier/vendor inventory available to address disruption?
• Is there supplier redundancy?
• Can the organization easily switch to an alternate partner or in-source?

Step 5. Know what you need to protect the business

You’ve costed out the price of disruption, and you know how likely the organization is to pay it. The next step is figuring out what you need to protect the business. Presumably, the organization has a business continuity capability already, however rudimentary. Devote this next step to listing the capabilities that you have versus what you need to protect the business.

Some questions you might ask when determining the maturity of the business continuity program include:

• Do you have an accompanying crisis management and crisis communications capability?
• Have the appropriate plans and strategies to anticipate, respond to, and recover from a loss of resources been documented?
• Does the organization regularly test the effectiveness of those plans and strategies?
• Is the relevant data and information available to make effective and timely decisions during a disruption?

Step 6. Establish the ROI of business continuity software

The inputs you’ve entered up to this point have highlighted the importance of business continuity and resilience. But for senior leadership, they’re still likely to want to understand the value that business continuity software brings to the company.

Value has two components: indirect and direct. The indirect value are business benefits, such as the added consistency, standardization, and efficiency digitization and automation bring to business continuity.

Of course, those benefits might sound like Marketing-speak to senior leadership and Finance who will want to see the raw numbers. To calculate the ROI of automation, identify the routine activities you undertake and the time required to complete each task. Consider activity, people, hours, cost, and action.

Now, calculate the effective hourly rate for you and your team. The final component is identifying the high-value activities that the investment in business continuity software will help you achieve to increase your organization’s level of resilience.

Part Two: Selecting the vendor

Congrats! Your business case has been approved. Senior leadership was moved; and even Finance greenlit your proposal to procure business continuity software.

Now the real work begins; finding a vendor who will partner with your organization to grow out its business continuity and resilience apparatus. Here are the steps to take to select such a vendor:

Step 7. Know your organization

Sounds simple enough. But key to finding the right vendor is understanding who your organization is and what it needs. To do so, ask yourself the following questions:

• How big is the organization? Big, medium, small?

• In what industry is the organization?
• What kind of corporate culture do you have?
  • Does it value accountability?
  • How well are new initiatives accepted at the organization?
  • Are people self-directed?
• Has enterprise resilience been accepted as a goal?
• Is there an existing resilience strategy?
• How about resilience policy?

Step 8. Identify IT resources

Business continuity software represents a serious IT intervention – even the most out-of-the-box solutions require some level of manual intervention. You should, therefore, be asking what are the IT resources you have, and how willing are they to participate actively in the end-to-end implementation and maintenance process? Also, consider asking:

• Who are your IT resources?
• Are they sufficient to support the implementation, maintenance, and ongoing growth of business continuity software?
• Are you willing to do it all on your own?
• Are you IT-savvy?

Step 9. List system requirements

Too many organizations go to market without fully understanding their own system requirements. Admittedly, there’s a level of not knowing what you don’t know. Nevertheless, organizations can go a long way toward making the procurement and implementation process a success if they have a solid grasp on what they want their business continuity software to do.

To that end, we’ve broken system requirements into two categories: functionality needs and feature needs; consider the following:

• Functionality needs:
  • Business Impact Analysis
  • Business Continuity Planning
  • Dependency Mapping
  • Recovery Strategies
  • Exercises and Testing
  • Business Continuity Monitoring
  • Reporting
  • Operational Resilience
  • IT/Disaster Recovery
  • Operational Risk Management
  • Crisis and Incident Management
  • Crisis Communications
• Feature needs:
  • Messaging and notification
  • Mobile app
  • Data and analytics
  • Custom reporting
  • Relationship visualization

Beyond that, consider the potential user pool for your software. Business unit owners, administrators, senior leadership all come to mind. How many users will need access to the tool? And will you be the primary person interfacing with the software?

Step 10. Establish selection criteria

Now that you know what you need, you can go onto consider how to judge your pool of vendor candidates. It’s best to start with some objective selection criteria, like the below:

• Years in business
• Implementation time
• Number of customers
• Range of industries covered
• Availability of professional services
• Data center locations
• Scalable and resilient cloud
• ISO 22301 certification
• Information security
• Ease of integration
• No-code customization

Step 11. Put together a team to evaluate vendors

Finance is unlikely to have given you budget to purchase pricey software in a silo. You’ll need to amass a team around you to evaluate vendors. What’s more, those team members are likely future users of the software; getting their input early, as you’ll find out, is crucial to the project’s long-term success.

Who should go on that team, then? Consider the following:

• Potential power users
• Business Resilience and Business Continuity (select members if this is a big team)
• Information Security
• Information Technology
• Procurement
• Compliance
• Audit
• C-suite champion
• Vocal stakeholders/detractors (trust us, this will make your life easier down the road)

Step 12. Identify possible vendors

Time to go to market. Some organizations go the RFP (request for proposal) route, to get a cross section of eligible vendors. Consider some other, less traditional methods, as well, such as:

• Sourcing recommendations from colleagues in your network
• Asking around at industry conferences and events
• Relying on your own experiences at prior companies

Step 13. Evaluate vendors

Lucky number 13, evaluating your pool of vendors. For this step, you’ll want to schedule product demonstrations. Don’t just rely on these demos, though, go the extra step to get access to test environments if you can.

Here, you’ll likely need to get Legal involved to look over associated NDAs. Finally, you’ll want to schedule additional meetings to gain further clarity, perhaps, even investing in a short trial of the software.

Step 14. Create a scorecard for final evaluation

The final stage is the evaluation with the team. Like in a candidate interview process, you’ll want to ask your vendor selection team to score the vendors. Here, we recommend creating a scorecard based on the features and functions desired and other relevant, selection criteria (see steps 9 and 10). Calculate scores for each vendor and select the winner. However, don’t forget to communicate to all vendors who have taken the time to submit proposals.

Business continuity software selection template

We understand the vendor selection process might seem daunting. So, that’s why we’ve added a business continuity software selection template you can use. Consider evaluating candidates as good, fair, or poor on all of the relevant selection criteria you might have, add up the score, and select the winner.

Finally, in an age of escalating threats, manual business continuity management won’t cut it. But not all digital business continuity software vendors are created equal, though. And so, we hope by listing out the steps to selecting the best vendor for your needs, we’ve empowered you with strategies and information you can take to the business continuity and resilience software market.

Gone to market and still aren’t impressed? Then, you haven’t trialed Noggin yet. Streamlined, integrated, and automated business continuity management, our award-winning solution facilitates engagement and collaboration across all stakeholders and ensures a unified approach to resilience, so you can be prepared for adverse events and disruptions and stay ahead of the curve.

But don’t just take our word for it. Request a demonstration to see Noggin in action for yourself.