I thought I’d get back to some recent experiences in the next post or two; I had an interesting experience just the other day. I was having a conversation with a Senior Executive representing the local government where I live regarding their Technology Recovery Plan (TRP). He went on and on about how great the plan was and how they’d exercised it and things worked great. Any issues they encountered were captured and the learnings used for the next exercise.
“Hey, that’s great,” I said. I went on to ask where they kept copies and who could see it (I secretly wanted to have a look at a plan that sounded so good). Then I found out through further talks that this documented and tested plan didn’t actually exist in the physical form; it existed only in the minds of a few Technology employees. However, they had assured their Sr. Management representative that it was a great plan and they knew what to do.
How can a plan work when it isn’t even documented? It doesn’t exist!! Sure, the people that were performing all the activities may know exactly what they need to do but what happens if they aren’t around; they’re sick or on vacation when the disaster occurs? How could this executive not understand that?
If a “plan” isn’t documented it doesn’t exist – plain and simple. Yes, it exists in people’s heads but you can’t see into people’s heads and pull out a plan (OK, if you’re Freud or Jung, maybe). Still, if someone can’t show me a documented plan then it doesn’t exist in any form. You can’t see an idea. To “see” the idea you have to document it or build it or draw it. Then, in physical form, the idea becomes real. But if all they had were ideas and knowledge in people’s heads, then the plan didn’t exist – it’s not real. Not only that but they had a couple of Single Points of Knowledge (SPOK) that if anything should happen to them, the company would be in big trouble. You might know the SPOK as the Single Point of Failure but I see people as points of knowledge, not points of failure. People aren’t failures in my view.
I also found that the scope of the exercises was only discussed verbally and not actually summarized in any sort of Charter. They didn’t create any Executive Summary document either. I said to the executive that by all accounts they hadn’t tested anything and never had. From an audit perspective, they wouldn’t be able to prove they did anything, outside of receipts for food, but they wouldn’t be able to prove what they’d actually done over the past few years. How could they track their progress over the years if they had nothing to show for it: the Charter (the scope document, in other words) or the Executive Summary (did they do what the scope said and how successful were they? What were the issues?). He was taken aback, to say the least.
I mentioned that if they hadn’t documented what they said would be in scope for a test/exercise, how did he know it was actually done? Was he taking their word for it or was the exercise itself just a tick-box on someone’s report? That might be a reason why the documenting and tracking hadn’t been done for the exercises. How would audit know it was done if there’s some sort of external/internal audit performed on his BCM program? What did he have that proved an exercise was performed? He couldn’t answer, as I’m sure you guessed.
I also found that he was told by business unit representatives that IT knew exactly what they needed when they set up the end-user workstations. But he added they’d gotten it all verbally, as no Business Impact Analysis (BIA) had ever been done (let alone information being validated) and hardly any other discussions between IT and non-IT units had ever occurred. So, how would IT know what business needs or know the business need? I challenged him to validate the information he assumed was correct. (He then went on to ask questions about what a BIA can do for an organization…)
There hadn’t been any involvement by business units in these “exercises”, and there was no way to track how effective these exercises were. How do they know they’re progressing and improving the ENTIRE program? How do they know that all the pieces are gelling together? They wouldn’t and they can’t know.
In fact, as we chatted, he was telling me many things he’d been ‘told’ they had ready for disaster and admitted he’d never actually seen any of the documentation, though he had been asked to sign off on things. (He didn’t say if he did or not but I could probably guess the answer…)
It makes me wonder how many other contingencies, recovery strategies and plans and processes ‘exist’ in the minds of those that have all the knowledge. There’s nothing wrong with having people with lots of knowledge, heck, your company will do great with intelligent people, but what happens when they leave? What happens if after an organizational restructuring they suddenly find themselves in a new role or worse – with no role at all? They’ll take those skills and that knowledge with them, then where are all the BCM plans? All the work that was supposed to have been done over the years wasn’t actually done (by this I mean documentation) and the organization can be left with nothing – just ideas and memories.
Kinda makes you wonder why organizations – some, not all – simply decide to fly by the seat of their pants when a disaster occurs. If they do that, they’ll cause even more issues, as people stand around wondering what needs to be done, how to do it, who needs it and when does it need to be done. Based on what this poor executive was being told by his staff, I felt like walking up to his staff, tapping them on the head and screaming, “Hello? Anyone in there?”
The new book by StoneRoad founder, A. Alex Fullick, MBCI, CBCP, CBRA, ITILv3, “Heads in the Sand: What Stops Corporations From Seeing Business Continuity as a Social Responsibility.” Available at www.stone-road.com