
7 Mistakes That Make Your Disaster Plan a Disaster

Most Risk Management and Business Continuity ‘experts’ concentrate on documentation, not on actual implementation.
There’s too much focus on ticking boxes to please auditors, too much paperwork, too much effort to maintain documents, too little implementation, too little buy-in, too little enthusiasm from staff, too little incident readiness, and too little enabling staff to think on their feet when ‘it hits the fan’.
It affects entire organisations. Senior management ends up with a false sense of security that everything is covered, that risk is managed well, and that staff are ready if a Business Continuity (BC) event were to occur. In reality, only a few individuals (e.g. Risk Managers, BC Co-ordinators) keep themselves familiar with the content of the plans and procedures; worse, they are often the only staff who even know a plan exists.
Other staff are too busy ‘helping the business make money’ and, unless an immediate trigger like a real disaster event occurs, they don’t even think about all the things that could go wrong. Often, Risk Management and Business Continuity Plans (BCPs) only get written or refreshed for audit or other compliance related purposes. And if staff can avoid being involved, they usually will. When a BC test is taking place they take a holiday or simply don’t turn up.
The problem actually starts much earlier than that. Operational Risk Management and BCP consultants tend to work in a solitary way, or mainly involve those in an organisation who already have a Risk Management related role. At best they may try to have a bit of dialogue with senior management and sell them some beautiful stories.
It is often challenging to get buy-in, time and attention from middle management and the general workforce who are busy ‘doing their job’. And that’s where the ball stops rolling in many Risk Management and BCM implementation projects.
The result is that mountains of documentation may get produced including cumbersome Business Impact Analysis (BIA) documents, Risk Assessments and BCPs, but these quickly get out of date. If a real incident occurs, most staff are uninformed and confused. They don’t know their role, what to do, what activities to prioritise, how they will be contacted, whom they should contact, who has the authority to give them instructions. They’re far from ready.

These problems stem from the following seven mistakes:

    1. Top management, whilst aware of risk and the need to comply with relevant regulatory requirements, doesn’t commit sufficient time to actively lead middle management and general staff, and doesn’t commit sufficient resources to embed BCP in the organisation.
    2. Only a Risk or BC Manager is fully aware of the plan and this person becomes a ‘single point of success’ without the broader workforce being ready at any time for an incident.
    3. The Risk or BC Manager develops complicated BCP/Risk Assessment/BIA templates, sends them to business divisions, and expects them to be completed without proper guidance. The divisions are often unclear about the purpose of these documents, so low-quality information is captured and resistance to revisiting/maintaining it builds over time.
    4. The BCP is built as a large document, which is centrally managed by the Risk/BC Manager, not regularly maintained, and impractical in real incidents because relevant content is difficult to find. Version control (if any) is impeded by only one person being able to edit the latest version at a time. Plus when internal systems are down, the document can’t be retrieved as it sits on the system that is now unavailable.
    5. Broader staff awareness is low or non-existent, in particular amongst those who don’t have a BC role but who may think they do, thereby wasting space at alternate working locations or using recovery provisions intended for others.
    6. Disaster tests are timed inconveniently, are generally boring, and have a ‘pass/fail’ flavour, so participants try to look good in front of management rather than trying to find areas of the plan that need improving.
    7. BCP involvement is seen as a ‘nice to do’ addition to the role, falling in the same bucket as fire-warden duties, so those involved constantly prioritise their daily work at the expense of Business Continuity tasks.

I have seen clients spend hundreds of thousands of dollars on consultants, only to find they still make these mistakes. The resulting problems recur every few years when the documents are out of date; or sooner – and this is much worse – when a real-life incident occurs and the BCP and other controls don’t work or nobody knows how to activate them.

Is this a fairy-tale?

Yes, it is. Let’s look at a few realistic scenarios of what might happen if a flood really were to strike and Company X had to invoke its plan.
Equipped with a short, sharp, dependable BCP, your business will be able to respond effectively to a disruptive event, protecting its brand and reputation, meeting its corporate social responsibilities, and ensuring the needs of its staff, clients and stakeholders are met. To achieve this, senior management needs to commit to BCP ‘all the way’.


So, the right approach includes the following elements:

      1. Top management are involved in collaborative Risk Management workshops to determine their shared views on Risk appetite and Risk evaluation criteria, from which follows the commitment to BCP from the top.
      2. A ‘superhero’ team is established, consisting of 4-5 BC Facilitators from across the business to assist in creating the plan, engaging other staff, and planning and running training and rehearsals.
      3. Middle management and general staff are engaged in one or more efficient, highly interactive workshops (tackling Risk, Business Impact Analysis (BIA) and BCP strategies), so that they start developing buy-in for the process and contribute to optimal, easy-to-maintain documentation, practical work-arounds and realistic continuity procedures.
      4. BCP documentation is simple to maintain (e.g. by using colour coding and bullet-style checklists) and based on a top-down holistic approach (e.g. by working with a small number of ‘core consequence scenarios’). It resides on an interactive, common platform such as the organisation’s SharePoint/network/Intranet site (i.e. one that the broader workforce already uses in their daily life) and has a remotely accessible copy in case live systems are down.
      5. Staff awareness campaigns focus on training everyone, which also means informing those who don’t have a BCP role that they should not claim recovery provisions such as laptops, work space and connectivity (and even vacate their existing place of work to accommodate others who have a more time-critical role).
      6. Disaster rehearsals/simulations are fun and strongly encourage participants to make mistakes and identify BCP gaps instead of covering them up, only for these gaps to show up during a real incident. Exercises include audio-visual tools and a range of practical assignments (including realistic testing of decision-making processes and notification systems) in order to ensure management and staff develop a true readiness for incidents.
      7. Key staff (e.g. BC Facilitators) are recognised for their contribution (e.g. during performance appraisal time) and are provided with highly interactive training (including practical exercises and the opportunity to learn from other organisations), and ideally the option to certify their skills in related standards such as ISO 22301 and ISO 31000.

The goal is for everyone to be able to sleep soundly at night knowing that, not only are good plans in place, but also that they are up to date, and that the right people know what to do should an adverse event occur.

If you want your BCP to work when you need it most, contact me at www.businessasusual.net.au and if you’re keen on ISO 22301 / ISO 31000 / ISO 27001 training, see the calendar on www.tinyurl.com/bau-events.

About the author

Ms Rinske Geerlings is an internationally known, award winning consultant, speaker and certified trainer in Business Continuity, Security, Disaster Recovery and Risk Management with over 20 years global experience. She founded Business As Usual (www.businessasusual.net.au) in 2006.
