Six Tell-Tale Signs Your Business Continuity Plan is ‘Tanking’
In previous articles I’ve contested that the act of planning is more important than the plan itself. I know not all Plans are created equal. Calling something a “Plan” doesn’t make it one. Real planning should go into its creation – not simply filling in blanks in a template, or copying a pile of lists to an appendix. A viable Plan is actionable, applicable to any dire event, and effective under all circumstances. It should be accessible, practiced and up-to-date. If not; it might not be a Plan; it may simply be a document. Engagement with those that will action the Plan ensures knowledge and the all-important ‘buy-in’.
Here’s six tell-tale signs your Business Continuity Plan is in trouble. If your Plan exhibits two or more, it's time to pay it some attention.
1. Predicated on Assumptions. Assumptions can be useful, if they’ve been validated. But assumptions can also be an excuse for threadbare Plan content. The more widespread and general the assumptions (“This Plan assumes all staff, IT networks, transport, production systems etc. will be available…”) the less useful the Plan will be.
Quick fix 1: Focusing on restoring critical assets (a Process, a Utility, etc.) rather than ‘operations’ will make planning easier – and lead to an actionable Plan.
2. Largely Untested. Resting on your laurels knowing that a Plan exists and that you’re prepared when adversity strikes is simply a ‘fingers-crossed’ approach. Claiming what a Plan will do – without testing – is foolhardy. Testing the Plan reveals gaps, without which they’ll remain unidentified – until it’s too late.
Quick fix 2: Even simple desktop exercises will help identify the gaps and shortcomings. Testing is conducted without grading (no Pass/Fail). The objective is to learn. This should be at least once a year. Start simple and build up to larger-scale exercises.
3. A Closely-Guarded Secret. If only the author has seen the plan, or, nobody but the CEO or GM has a copy, it will be near impossible to implement in a crisis. Especially if none of these people are available.
Quick-fix 3: Copies of the plan should be available to everyone who will have a role in executing it. If there’s confidential information in the Plan (customer data, financial information, passwords/access codes etc.) that not every member should see, restrict this information only to those need-to-know participants.
4. Out-of-Date. Business Continuity Management is an activity, not a one-off. Businesses evolve and if plans don’t evolve too, they won’t be effective.
Quick fix 4: How often should a Plan be updated? Preferably, every time there’s a fundamental change within the business (or business unit, or function) it is designed to recover. At a minimum, 6 months and reviewed every 3 months would be advisable.
5. A Collection of Lists. A list of who’s in charge, a list of whom to call, a list of critical applications, a list of vital records. It’s easy to turn a plan into a reference document: provide a list of everything that might be needed and someone will figure out how to use them.
Quick fix 5: The list (the ‘what’) is important; it’s really the ‘how’ that makes it a Plan. The reason your Plan is just a collection of lists may be because the Plan has such a wide scope (all the functions in a facility, every function in a major section, for example). Narrow the scope, and focus on core-functions. If the Plan is designed to recover a single critical process, it is much easier to plan for the possibilities if any of its assets (people, facility, IT, supply-chains, etc.) are suddenly not available.
6. Based on a Single Scenario. We like to think that a plan based on “Earthquake”, or a “Tsunami Plan” will work. Scenario-based plans rely on Assumptions (see #1). Murphy’s Law ensures the real life situation will likely be very different (more likely, worse) than the plan assumes. Unless the scenario plan can be expanded or scaled back quickly and easily, it won’t be useful.
Quick fix 6: Scenarios have their place (if you can prepare in advance for a Cyclone, or a Pandemic – a scenario plan makes sense), but what’s your chances of planning precisely for the next unforeseen event? Instead, focus on assets. If you know what you need, you can plan what to do if that asset becomes unavailable. It doesn’t matter what caused the disruption – as long as you know what actions you can take to recover the missing asset(s).
A well-developed Business Continuity Plan provides you a degree of comfort – knowing that you are prepared, should the unforeseen happen. Sitting on a poorly constructed document masquerading as a real Plan creates a false sense of preparedness. Planning, like training and testing (exercises), is an investment not a cost, and one worth the time and energy.