These problems stem from the following seven mistakes:
- Top management, whilst aware of risk and the need to comply with relevant regulatory requirements, doesn’t commit sufficient time to actively lead middle management and general staff, and doesn’t commit sufficient resources to embed BCP in the organisation.
- Only a Risk or BC Manager is fully aware of the plan and this person becomes a ‘single point of success’ without the broader workforce being ready at any time for an incident.
- The Risk or BC Manager develops complicated BCP/Risk Assessment/BIA templates, sends them to business divisions, and expects the divisions to complete them without proper guidance. The divisions are often unclear about the purpose of these documents, which results in low-quality information being captured and eventually creates resistance to revisiting/maintaining the information.
- The BCP is built as a large document, which is centrally managed by the Risk/BC Manager, not regularly maintained, and impractical in real incidents because relevant content is difficult to find. Version control (if any) is impeded by only one person being able to edit the latest version at a time. In addition, when internal systems are down, the document can’t be retrieved because it sits on the system that is now unavailable.
- Broader staff awareness is low or non-existent, in particular amongst those who don’t have a BC role but who may think they do, thereby wasting space at alternate working locations or using recovery provisions intended for others.
- Disaster tests are timed inconveniently, are generally boring and have a ‘pass/fail’ flavour, causing participants to try to look good in front of management rather than trying to find areas of the plan that need improving.
- BCP involvement is seen as a ‘nice to do’ addition to people’s roles, falling in the same bucket as fire wardens, causing those involved to constantly prioritise their daily work at the expense of Business Continuity tasks.
I have seen clients spend hundreds of thousands of dollars on consultants, only to find they still make these mistakes. The resulting problems recur every few years when the documents are out of date; or sooner – and this is much worse – when a real-life incident occurs and the BCP and other controls don’t work or nobody knows how to activate them.
Is this a fairy-tale?
So, the right approach includes the following elements:
- Top management are involved in collaborative Risk Management workshops to determine their shared views on Risk appetite and Risk evaluation criteria, from which follows the commitment to BCP from the top.
- A ‘superhero’ team is established, consisting of 4-5 BC Facilitators from across the business to assist in creating the plan, engaging other staff, and planning and running training and rehearsals.
- Middle management and general staff are engaged in one or more efficient, highly interactive workshops (tackling Risk, Business Impact Analysis (BIA) and BCP strategies), so that they start developing buy-in for the process and contribute to optimal, easy-to-maintain documentation, practical work-arounds and realistic continuity procedures.
- BCP documentation is simple to maintain (e.g. by using colour coding and bullet-style checklists) and based on a top-down holistic approach (e.g. by working with a small number of ‘core consequence scenarios’). It resides on an interactive, common platform such as the organisation’s SharePoint/network/Intranet site (i.e. one that the broader workforce already uses in their daily life) and has a remotely accessible copy in case live systems are down.
- Staff awareness campaigns focus on training everyone, which also means informing those who don’t have a BCP role that they should not claim recovery provisions such as laptops, work space and connectivity (and even vacate their existing place of work to accommodate others who have a more time-critical role).
- Disaster rehearsals/simulations are fun and strongly encourage participants to make mistakes and identify BCP gaps instead of covering them up, only for these gaps to show up during a real incident. Exercises include audio-visual tools and a range of practical assignments (including realistic testing of decision-making processes and notification systems) in order to ensure management and staff develop a true readiness for incidents.
- Key staff (e.g. BC Facilitators) are recognised for their contribution (e.g. during performance appraisal time) and are provided with highly interactive training (including practical exercises and the opportunity to learn from other organisations), and ideally the option to certify their skills in related standards such as ISO 22301 and ISO 31000.
The goal is for everyone to be able to sleep soundly at night knowing not only that good plans are in place, but also that they are up to date, and that the right people know what to do should an adverse event occur.
About the author
Ms Rinske Geerlings is an internationally known, award-winning consultant, speaker and certified trainer in Business Continuity, Security, Disaster Recovery and Risk Management with over 20 years’ global experience. She founded Business As Usual (www.businessasusual.net.au) in 2006.