When needed, a good business continuity plan is the single most important asset a business organisation has to ensure that it recovers quickly from an incident. It can be the difference between an organisation surviving or going under, and it can be the difference between an executive enhancing their reputation or completely ruining it. A good plan, well executed, will ensure that people, brand, property and profits are protected as well as can be. Unfortunately, many plans are seriously flawed. Sometimes this is discovered during or after an incident and leaves nothing but regret; sometimes it is never discovered, yet the flawed plan is unnecessarily draining the organisation of valuable resources.
There are plenty of common mistakes made in business continuity management (BCM) but, from our experience of providing business continuity, disaster recovery, high availability and resilience solutions to our clients, we have selected nine of the most common, and potentially the most damaging, errors of process. The good news is that if you are concerned about your plans, these errors are all simple to correct.
There is a series of essential steps in implementing business continuity management, including the development, maintenance and implementation of business continuity plans. Errors of process are evident where there is no framework used to guide the implementation of business continuity management, where experienced business continuity professionals are not called upon to share their experience, and where the organisation loses focus. This can give rise to errors such as:
- “We’ve got business continuity plans… now let me see, where are they?”
- “Head office created some plans last year so I think we’ve got it covered”.
- “I’m not sure who’s in charge during an incident… it’s the CEO isn’t it?”
- “Great communication plan, but what happens when your communications infrastructure is lost?”
- “Jimmy and Dave know the passwords to all our systems, plus they’re stored in a key-code safe in the server room”.
- “We back up our data regularly but have never tested the backups in anger”.
- “We’ve got very strong IT security controls in place”.
- “We invested in a fantastic DR facility about 5 years ago”.
- “A grab bag is a waste of money”.
| # | Common error | Why it is a problem | How to correct it |
|---|---|---|---|
| 1 | “We’ve got business continuity plans… now let me see, where are they?” | Plans that are created and then left to gather dust will quickly be out-of-date and forgotten. If they’re not relevant and readily available you might as well not bother having them. | Make business continuity a consideration in every strategic decision that you make. This highlights the importance of business continuity and, because it involves identifying organisational weaknesses, points of potential failure and dependencies that affect an organisation’s ability to manage and recover from incidents, it also results in more robust strategic decision-making. Review the plans quarterly. |
| 2 | “Head office created some plans last year so I think we’ve got it covered” | Planning that does not involve the staff affected and plans which are not tested are usually flawed. They are not ‘owned’ by the people who may have to implement them and they will have key procedural weaknesses. | Engage relevant staff in the planning process and test the plans either in a desktop or blue-light exercise. |
| 3 | “I’m not sure who’s in charge during an incident… it’s the CEO isn’t it?” | Unclear and un-communicated roles and responsibilities result in confusion and delays during an incident. | Identify, document and communicate the incident ‘command structure’ and the associated roles and responsibilities. |
| 4 | “Great communication plan, but what happens when your communications infrastructure is lost?” | Communication is often a serious challenge during an incident. There are numerous scenarios where things go wrong. If you lose power on an unmanned site or when no one is in, how will you be informed? If your telephone network goes down (including mobile, as can happen in some companies and some disaster situations), how will you communicate? | Document your communication plan and think through numerous, relevant scenarios. Depending on your circumstances, there are options available for every situation, such as installing a failover system, contracting with a third party to monitor your unmanned site, and giving alternative communication tools to key staff members. |
| 5 | “Jimmy and Dave know the passwords to all our systems, plus they’re stored in a key-code safe in the server room” | Unfortunately, Jimmy, Dave and the server room might all become unavailable at the same time, and in an instant your business is crippled. | Store passwords in at least two geographically distinct locations and make sure details of those locations and access to them are known to people who don’t usually work in the same place together. |
| 6 | “We back up our data regularly but have never tested the backups in anger” | Unfortunately, backups do fail, and so do recovery procedures. Also, backups can be lost or inaccessible during a disaster situation. | Design a thorough backup testing procedure that covers all of your systems and run tests at regular intervals. Also test scenarios where backups from your normal backup site are not available. |
| 7 | “We’ve got very strong IT security controls in place” | These days this is indeed the case in most organisations. It is important, though, not to take your eye off the ball during an incident; when you are vulnerable you are likely to be attacked, and the threats may be internal and external. | Include plans to maintain high levels of IT security during an incident in your business continuity plans. Appoint an IT security officer to your disaster recovery team and make sure that you continue to monitor your systems for threats. |
| 8 | “We invested in a fantastic DR facility about 5 years ago” | Disaster Recovery facilities need to be kept up-to-date just as any other normal office facility does. Outdated assets like computers, printers, electronic screens and telephony systems might not work when you need them – either because they’re old or they’re no longer compatible with your infrastructure. | Keep an inventory of DR facility assets, and update and test them on the same schedule as all other office equipment. |
| 9 | “A grab bag is a waste of money” | Incidents can happen at any time of the day or night, whether or not key business continuity people are in the office. Even with the advent of mobile technology, hard copies may come in handy. The important thing is that somebody will need to ‘grab’ a copy of the business continuity plan, essential contact details, directions to recovery sites and other emergency reference material and supplies so that your well-thought-out plans can be implemented. | Put a grab bag with all the contents mentioned above next to the main emergency exit of every building. |