NINE ERRORS OF UNDERSTANDING WITH BUSINESS CONTINUITY MANAGEMENT

When needed, a good business continuity plan is the single most important asset a business organisation has to ensure that it recovers quickly from an incident.  It can be the difference between an organisation surviving or going under, and it can be the difference between an executive enhancing their reputation or completely ruining it.  A good plan well executed will ensure that people, brand, property and profits are protected as well as can be.  Unfortunately many plans are seriously flawed.  Sometimes this is discovered during or after an incident and leaves nothing but regret, and sometimes this is never discovered but is unnecessarily draining the organisation of valuable resources.

There are plenty of common mistakes made in BCM but, from our experience of providing business continuity, disaster recovery, high availability and resilience solutions to our clients we have selected nine of the most common errors of understanding, and potentially the most damaging.  The good news is that if you are concerned about your plans these errors are all simple to correct.

Comprehension of business continuity management is related to a person’s knowledge of or familiarity with the subject.  Most people charged with responsibility for an organisations’ business continuity management are not trained or experienced in it and hence errors of understanding are common.  Such as:

1.  “Skip the business impact analysis, let’s get on with planning!”
2. “Why did you get that system up-and-running first when this one is more important!?”
3. “Business continuity is someone else’s department”.
4. “The IT department is responsible for our business continuity plans”.
5. “Only a few people need to know what our business continuity plans are”.
6. “In business continuity planning, you can’t overdo the detail”.
7. “A disaster in our organisation won’t attract media attention”.
8. “Our insurance policy gives us adequate cover”.
9. “Business continuity management does not affect our business insurance premium”.

 

	Fallacy	Fix
1      “Skip the business impact analysis, let’s get on with planning!”
	If you don’t identify and assess critical business activities before   creating your plans you will create plans that do not give you the best   chance of speedy recovery.  Business   leaders are often surprised by the outcomes of the business impact analysis,   learning what really makes the business tick and how long activities could be   interrupted for before business shuts down.	Give the business impact analysis your   full attention!
2     “Why did you get that system   up-and-running first when this one is more important!?”
	This is a very common issue usually resulting from non-existent or poor   business impact assessment, a lack of communication between the business and   IT, or political issues clouding decision making. It is important to be   selective about which IT systems to bring back online first, and it should be   those that are required by the most important business functions – the ones   that need to be recovered the fastest in order to ensure business   continuity.	Get buy-in from the business into business   continuity management, conduct thorough business impact analyses, assess and   invest in closing the gap between the business requirements and the IT   department’s capability and keep plans up-to-date.
3       “Business continuity is someone else’s department”
1.	The less obvious flaw in this   logic is that if you leave business continuity planning to others then your   department priorities will not be properly understood and accounted for in   the plans.  Your department might be   the one department that if not up-and-running first after an incident brings   the whole business down.	Treat business continuity as a discipline in its own right, make the   process of planning and management collaborative, and put the most senior   executive in charge.
4     “The   IT department is responsible for our business continuity plans”
	The priorities of the whole business need to be understood before   business continuity plans are created.    You’ve got to consider the true resilience of your organisation to   determine where and in what order to channel your resources following an   incident.  Individual departments are   unlikely to understand the full picture.	Treat business continuity as a discipline   in its own right (for example, don’t make it a part of risk management), make   the process of planning and management collaborative, and put the most senior   executive in charge.
5     “Only   a few people need to know what our business continuity plans are”
	Almost every employee should be familiar with the elements of business   continuity plans that affect them.    This should not only include emergency procedures, but also for   example social media policies that govern communication during an   incident.  It is often useful to let   clients, partners and suppliers have access to your continuity plans.  And there are even situations when you   should share continuity plans with your competitors.	In your business continuity communication   plan assess the stakeholders and willingly and openly share relevant   information.
6     “In business continuity planning, you   can’t overdo the detail”
	It is very easy to get bogged down in detail, trying to identify every   eventuality and to plan for its occurrence.    You then end up with a massive plan, a tome of a document that is   impossible to use effectively.  Of course   do mitigate key risks with sensible solutions (for example, if you’re in a   flood plain, build flood defences) but for business continuity plans, keep   things simple.	There are three main incident types that   you can plan for generically: 1. Denial of access to buildings and   facilities.  2. Loss of people.  3. Loss of IT and communications.  It rarely matters what has caused the   issue, the key thing is for you to plan your response
7     “A disaster in our organisation won’t   attract media attention”
	Your business may be small and uninteresting to the public, but some   disasters because of their very nature will always attract media   attention.  Significantly though,   social media enables almost instant communication to millions of people and   as a result your disaster might very quickly become national news.	Include in your business continuity plans   a public relations plan that includes coverage of all media (press and   social).  Build an organisation culture   of healthy respect for the use of social media.  Put policies in place, update employment   terms and conditions, educate staff, lead by example and correct   inappropriate behaviour. Know the social media landscape.  Find out what Twitter, Facebook and other   social media platforms have connections to your organisation, who updates   them and what they are saying?  Keep   this information up-to-date in your business continuity plans because you   might need it when a disaster strikes.    Monitor the landscape and respond to trends where appropriate.  Develop a clear social media strategy to be   implemented in the event of a disaster.    This strategy should be part of your business continuity plans and   should include actions and persons responsible for monitoring trends, communicating   messages and rapidly addressing non-compliance to policies.
8     “Our insurance policy gives us adequate   cover”
	This may indeed be true, but financial support might not be all you   need from your insurer.  Rapid response   (minimum red tape, quick decision making, and fast release of cash) is not   always forthcoming from insurers and this may be the difference between survival   and failure for your organisation.	In your business continuity plans address   how re-imbursement occurs (how and when will loss assessments be done and how   quickly will payments be made).    Wherever possible and relevant, pre-agree scenarios and decisions so   that you can take action without seeking approval.
9     “Business continuity management does not   affect our business insurance premium”
	It is not unheard of but is unlikely that implementing business   continuity management will lead to an agreement from an insurer to reduce you   current premium.  What is likely is   that when next your insurer assesses your business your premium will not   increase as much as it would have done.    Some insurers will even pay for or contribute to your cost of implementing   business continuity management.	Discuss with your broker the impact of   business continuity management on their assessment of your business’ risk.