There are various common areas where business continuity plans fall down. Here, Colin Jeffs highlights some of these, providing his top tips to keep your business continuity planning on track, and to improve the quality of your plans.
1. Plan smart, not big!
Over the years, I’ve seen many organisations try to plan for just about every possible eventuality. But in reality, it simply isn’t possible to plan for everything that ‘might’ happen – so don’t try to. A good business continuity plan isn’t one that tells you what to do in a specific scenario, but one that helps and supports you in making informed decisions for ‘any’ scenario. A good plan is one that will be used because it is helpful, so consider when you create your plan(s) what information is vital in helping you make those decisions. Anything else probably isn’t required, it just makes the plan unwieldy and unusable. If you feel you need a plan that is for a specific scenario, make sure it only focuses on that scenario and most importantly, make sure that people understand its purpose.
2. Understand what is important and why
My simple rule of thumb here is, how can you hope to protect your business if you don’t understand what is critical in your business and what those critical things depend on? You might be focusing your efforts in the wrong areas of your business, or you could be overlooking other areas that have a dependency. Performing a business impact analysis (BIA) can be very time consuming and let’s face it, boring and tedious to those who have to take part. It is vitally important that anyone who participates in anything to do with business continuity or operational resilience understands why it is important and what it means to them to fully get their buy-in.
3. Board engagement is key
I’ve heard it said many times that management buy-in is critical to a successful resilience programme – this is 100 percent true. If the management hasn’t bought into the programme, how will you expect the rest of the staff to? It’s important that staff understand the resilience programme is sponsored and mandated by the board. It’s not something that people could do or take part in, but something they must do and take part in to protect the business. It becomes a part of the culture of the business.
4. You are only as good as your last test!
You can have the best plans in the world but if you have never tested them, how do you know that they work? More to the point, how do you know your staff will know what to do and when to do it? Do staff know the part they play during an incident? Do they know the process to follow? Testing is one of the best ways to ensure people feel included and to help them to understand the role they must play during an incident. It not only helps them to feel more comfortable with what is expected of them, but it also allows them to practice their response in a ‘safe’ environment without fear of messing up. Remember, it’s far better to find out that something doesn’t work, or some critical data is missing during an exercise than during a real incident, just at the point you depend on it.
Your suppliers play a big part in your success and many of them provide extremely critical or important services and/or data to you. Treat them as an extension of your own business or as an additional department and make sure you understand them in detail. Including them in your planning and testing is an important part of making sure the relationship is resilient and that you both understand the importance of what they provide to you. It’s also very important that you understand their resilience capabilities and how they will continue to provide services to you in the event they have an incident. Bring them into your programme and get to know them better.
This article was first published on Continuity Central and has been written by Colin Jeffs MBCI who is the Head of Business Continuity Management at Daisy Corporate Services.