This week Charlie looks at some vital elements that are often missing from business continuity plans.
It seems as though the obvious thing for me to write about this week would be the situation in Ukraine.
At the time of writing Russia is in de facto military control of the Crimea region, despite Western condemnation of a "violation of Ukraine's sovereignty".
But the crisis seems to be developing faster than I can type!
For that reason I have decided to focus on something that is relevant to everybody who receives this bulletin – business continuity plans.
I will highlight ten things that I think should be found in plans but many people seem to leave out.
- Scope. On many of the plans I see it is not clear what the scope of the plan is. The name of the department may be on the front of the plan but it is not always obvious whether this is the whole of the department, which may cover many sites, or just the department based in one location. It should also be clear within strategic and tactical plans what part of the organisation the plan covers. Or does it cover the whole of the organisation? Where large organisations have several entities and subsidiaries it should be clear whether the tactical and strategic plans cover these.
- Invocation criteria. I believe it should be fairly clear what sort of incidents should cause the business continuity plan to be invoked. I also believe that these invocation criteria should be "SMART", so as not to be open to interpretation. The criteria should be easy to understand, so that if you get a call at 3am and are informed of an incident it is fairly obvious whether you invoke or not. Focus should be on the loss of an asset such as a building or an IT system, not on the cause of the loss. There needs to be a 'catch-all' in the invocation criteria which says 'and anything else which could have a major impact on our operations', so that the criteria are not too rigid if we need to invoke for an incident we have not yet thought of.
- RTOs. Defining and agreeing your Recovery Time Objectives is one of the most important items you set during the analysis and design stages of the business continuity lifecycle. There should be a list of RTOs relevant to your plans within the document so you can make sure that you are going to recover your operations at an agreed time.
- Strategy. I have looked at lots of plans which have lots of detail within them, but having read them I am no wiser about the organisation's recovery strategy or even whether they have one at all. I like my plans to have a written strategy which tells the story of how we are going to recover, containing details of outline activities, locations and timescales. Then it is clear to anyone implementing the plan what your recovery strategy is and how it will be implemented.
- Information from the BIA. I have seen lots of organisations which do very detailed BIAs and collect lots of information. This information, which could all usefully be used in the recovery, does not make it into the plan. It looks as if two separate activities have been carried out - the BIA and the plans - yet there is no visible connection between the information collected in one and the information in the other. If you cannot use the information in the plan then why collect it in the BIA stage at all? There should be a clear relationship between the information collected in the BIA stage and the information within the plan.
The second five items will be given in next week’s bulletin.