Many companies have Business Continuity Management (BCM) programs and believe that since they have a program in place, it must be great; after all there haven’t been any situations where they’ve had to activate any of the program components. But not using any of the program components doesn’t mean that the program must automatically be in good shape. What can an organization do to know – even without utilizing any of the components in a real disaster – if it’s got a good program or not.
Here are a few things that executives can look at to know if their program components would be effective if a disaster situation occurred in their operations. These are things to help identify if the program is even on the right track – or heading in the wrong direction.
- No Program Owner & Support (Executive) – If no one supports a program or an initiative, will it be successful? No. A good organization will assign ownership and responsibility for the BCM program, which will ensure that it receives the level of focus and support needed for success.
- Allocation of Time & Resources – Its one thing to say you need a BCM program but it’s another to dedicate resources to it. This can include financial resources for procurement purposes (among other things) and physical resources – or rather people – who are assigned to help develop, validate and maintain the program. If no one is allocated to oversee the program or work on the various components in the desire to keep it relevant, then its doomed to fail and not meet corporate needs.
- No Exercising of Plans – Plans are only good if they are validated, otherwise they are just plans. Exercising them can help find ‘gaps’ in processes and procedures and challenge assumptions. Exercising plans is what makes them workable because people will actually be challenging, and working with, the plan contents.
- Too Narrow in Focus – A business continuity program needs to encompass communications, department continuity strategies and emergency response procedures, such as evacuations and assembly points for staff. All to often corporations will believe that a good program is to focus on technology components only. However, without the other components in place all that exists is a technology recovery plan not a Business Continuity Management (BCM) program.
- ‘Scenario’ Based – Often, an organization will develop a plethora of plans to deal with dreaded “What if…?” scenarios. A scenario is defined as ‘an imaginary sequence of events,’ so you can imagine how many millions of related situations (and plans) may need to be developed. Using this approach would mean that continuity strategies and the related documentation, would go on forever and ever, only to have someone think they have finished years later and experience a situation that isn’t covered by the thousands of “What if…?” plans. All disasters and disaster situations will fall into three categories; people (i.e. employees, public…), places (i.e. the facilities) and things (technologies and other physical assets). An organization should focus on what they’d do with these three situations rather than dreaded “What if…?” questions.
- No Employee Participation or Awareness – Everyone has a role to play when a crisis or disaster occurs; from the executives to the Crisis Management Team (CMT) (or whatever name an organization uses) and its employees. Often employees are left in the dark when it comes to BCM or they are quickly given an ‘awareness’ session to tell them what BCM is. This doesn’t stimulate communication with employees – as it’s a monologue approach, not a dialogue approach. Its well known in many facets of life that if people know and understand – clearly –what they need to know and what actions they are to take, the better they will be able to respond to situations. The same is true in BCM; the more employee know and understand the better prepared they’ll be in a disaster situation and be able to assist the corporation recover from a disaster, rather than possibly causing additional problems.
- Pre-Planning Exercise Results – If a corporation is ‘testing’ its technology recovery plan or its department business continuity plans, you only have two outcomes; pass or fail. Since no one wants to fail, companies will do all it can to ensure it passes, including pre-planning activities that would normally be done during a restoration and recovery effort but not done for the actual test, because there is a concern it might not work. Instead, the corporation should be trying to actively find ‘gaps’ in their processes so that issues are proactively investigated and resolved before a disaster occurs. By testing, many just want to get the positive head-nod from executives, so won’t try to find the potential ‘gaps’ in plans and will – in some cases – hide issues and problems so that everything is seen as being in good working order. This can be detrimental when something really does occur – and it will.
- Use of a Methodology Over ‘Good’ Business Practices – Best practices is a misnomer. Every vendor organization says it has the best product – let’s face it who wants to say they don’t, right? However, some best practices aren’t suited to every organization, as the politics and the culture of the corporation may not suit the ‘best practice’. The practices – what gets developed in a BCM program and how it’s developed – should be adapted to the company, not the company adapt to a specific way of doing things. In other words, the strategies and processes created should meet organizational need not ‘best practices’ need. Of course, if any organization is seeking to obtain a specific standard, it may not have a choice on how it creates its program; it will have to follow specific actions if it’s to gain certification.
- No Training for Professionals – To keep current in new methodologies or new methods to perform and develop BCM components, professionals within the organization – those responsible for the program development – must receive appropriate training. This isn’t just for the sake of training but to learn new skills and enhance new ones; to gain new ideas and to bring ideas back to the organization to make their own program stronger and to learn from other professionals.
- No Reviews or Maintenance – Simply put, BCM must continue to evolve with the company. Over time strategies, visions and missions change, so too should the BCM program. It can’t be left to collect dust in a multiple set of binders that are never updated or validated. If a plan is left idle for even a year, when its needed it is only a reflection of the company as it was a year earlier. It needs to make sure it reflects the company on a consistent and timely basis; reviewing and maintaining all the components will help keep the program ‘alive’.
If any numbers of these things are occurring in an organization’s BCM program, it may be time to take a timeout and re-evaluate the situation; there’s a chance the program is wandering down a dangerous road and might not meet the needs of the organization. In other words, if a disaster actually occurred, the believe that the program would be of assistance won’t come to pass; the program will end up being a hindrance more than it would be a help.