Nine Errors of Process with BCM


When needed, a good business continuity plan is the single most important asset a business organisation has to ensure that it recovers quickly from an incident.  It can be the difference between an organisation surviving or going under, and it can be the difference between an executive enhancing their reputation or completely ruining it.  A good plan well executed will ensure that people, brand, property and profits are protected as well as can be.  Unfortunately many plans are seriously flawed.  Sometimes this is discovered during or after an incident and leaves nothing but regret, and sometimes this is never discovered but is unnecessarily draining the organisation of valuable resources.

There are plenty of common mistakes made in BCM but, from our experience of providing business continuity, disaster recovery, high availability and resilience solutions to our clients, we have selected nine of the most common, and potentially the most damaging, errors of process. The good news is that if you are concerned about your plans, these errors are all simple to correct.

There is a series of essential steps in implementing business continuity management, including the development, maintenance and implementation of business continuity plans. Errors of process are evident where there is no framework used to guide the implementation of business continuity management, where experienced business continuity professionals are not called upon to share their experience, and where the organisation loses focus. This can give rise to errors such as:

  1. “We’ve got business continuity plans… now let me see, where are they?”
  2. “Head office created some plans last year so I think we’ve got it covered”.
  3. “I’m not sure who’s in charge during an incident… it’s the CEO isn’t it?”
  4. “Great communication plan, but what happens when your communications infrastructure is lost?”
  5. “Jimmy and Dave know the passwords to all our systems, plus they’re stored in a key-code safe in the server room”.
  6. “We back up our data regularly but have never tested the backups in anger”.
  7. “We’ve got very strong IT security controls in place”.
  8. “We invested in a fantastic DR facility about 5 years ago”.
  9. “A grab bag is a waste of money”.
For each of the nine, the fallacy and its fix:

1. “We’ve got business continuity plans… now let me see, where are they?”

Fallacy: Plans that are created and then left to gather dust will quickly be out-of-date and forgotten. If they’re not relevant and readily available you might as well not bother having them.

Fix: Make business continuity a consideration in every strategic decision that you make. In addition to highlighting the importance of business continuity, this will result in more robust strategic decision-making, because considering business continuity involves identifying the organisational weaknesses, points of potential failure and dependencies that affect an organisation’s ability to manage and recover from incidents. Review the plans quarterly.

2. “Head office created some plans last year so I think we’ve got it covered”

Fallacy: Planning that does not involve the staff affected and plans which are not tested are usually flawed. They are not ‘owned’ by the people who may have to implement them and they will have key procedural weaknesses.

Fix: Engage relevant staff in the planning process and test the plans either in a desktop or blue-light exercise.

3. “I’m not sure who’s in charge during an incident… it’s the CEO isn’t it?”

Fallacy: Unclear and un-communicated roles and responsibilities result in confusion and delays during an incident.

Fix: Identify, document and communicate the incident ‘command structure’ and the associated roles and responsibilities.

4. “Great communication plan, but what happens when your communications infrastructure is lost?”

Fallacy: Communication is often a serious challenge during an incident. There are numerous scenarios where things go wrong. If you lose power on an unmanned site or when no one is in, how will you be informed? If your telephone network goes down (including mobile, as can happen in some companies and some disaster situations), how will you communicate?

Fix: Document your communication plan and think through numerous, relevant scenarios. Depending on your circumstances there are options available for every situation, such as installing a failover system, contracting with a third party to monitor your unmanned site, and giving alternative communication tools to key staff members.

5. “Jimmy and Dave know the passwords to all our systems, plus they’re stored in a key-code safe in the server room”

Fallacy: Unfortunately Jimmy, Dave and the server room might all become unavailable at the same time and in an instant your business is crippled.

Fix: Store passwords in at least two geographically distinct locations and make sure details of those locations and access to them are known to people who don’t usually work in the same place together.

6. “We back up our data regularly but have never tested the backups in anger”

Fallacy: Unfortunately backups do fail, and so do recovery procedures. Also, backups can be lost or inaccessible during a disaster situation.

Fix: Design a thorough backup testing procedure that covers all of your systems and run tests at regular intervals. Also test scenarios where backups from your normal backup site are not available.

7. “We’ve got very strong IT security controls in place”

Fallacy: These days this is indeed the case in most organisations. It is important though not to take your eye off the ball during an incident; when you are vulnerable you are likely to be attacked, and the threats may be internal and external.

Fix: Include in your business continuity plans, plans to maintain high levels of IT security during an incident. Appoint an IT security officer to your disaster recovery team and make sure that you continue to monitor your systems for threats.

8. “We invested in a fantastic DR facility about 5 years ago”

Fallacy: Disaster Recovery facilities need to be kept up-to-date just as any other normal office facility does. Outdated assets like computers, printers, electronic screens and telephony systems might not work when you need them – either because they’re old or they’re no longer compatible with your infrastructure.

Fix: Keep an inventory of DR facility assets, update and test them on the same schedule as all other office equipment.

9. “A grab bag is a waste of money”

Fallacy: Incidents can happen at any time of the day or night and whether or not key business continuity people are in the office. Even with the advent of mobile technology, hard copies may come in handy. The important thing is that somebody will need to ‘grab’ a copy of the business continuity plan, essential contact details, directions to recovery sites and other emergency reference material and supplies so that your well thought out plans can be implemented.

Fix: Put a grab bag with all the contents mentioned above next to the main emergency exit of every building.
