If you're thinking about buying software for your business continuity rollout, this bulletin discusses what you have to be aware of and be ready to deal with before you take the plunge.
I am a great fan of business continuity software; I love how your whole BCMS is in one place, you are able to see the status of your organisation at a glance and get reminders when things are due. At PlanB Consulting, we sell Castellan software. I know this software was written by people who actually understand business continuity, therefore I have great faith that how it has been written is reflective of contemporary business continuity thinking. We use Castellan to manage our own ISO 22301 certification. Recently, I have been exposed to three organisations with two different types of software, and can see the flaws in using this software and how it perhaps doesn’t solve all the issues it is supposed to.
My first learning point is not to use the software to roll out business continuity and believe that is a painless and easy way to do it. Without very careful thought in the configuration of the initial build, and smart ways to collect the information, you will end up in a bigger mess than if you had just saved your money. The same amount of thought has to go into the planning of the rollout and configuring the system. Whether you use the software or not, if you have to roll out business continuity, don’t think the first thing you should do is get a budget and find the shiniest software to buy.
When I teach the CBCI course, on day two we talk about analysis and I describe to my students how to collect information to populate the BIA. We talk about the pros and cons of workshops vs. interviews; however, I always tell my students never ever send out a questionnaire and think that will be sufficient. Questionnaires are great for capturing numbers of staff and the IT systems used, but unless the person has had training, trying to get them to give their MTPD and RTO is usually a disaster. It is the same way with software: don’t email out the link to the BIA and get your new business continuity champion to fill in the form. On the whole, the information collected will not be what is required and you will have to do an interview as well as a workshop. To develop a fit-for-purpose BIA you need to do it in the same way as you would manually; the only difference is that the information gathered is typed into the software rather than a BIA document or spreadsheet. Software or a manual document can be effective in the ongoing updating of the BIA: you can send out the document or link and, on the whole, in most fast-moving organisations, the information in a BIA doesn’t change much.
Business continuity software usually has additional functionality so that you can model data, see recovery critical paths, do gap analysis against existing application RTOs and RPOs, and compare them against the organisation's requested RTOs and RPOs. Castellan will also model recovery paths during incidents and you can use these to see a timetable for recovery. This is all fine, but in most business continuity software systems I have seen, the data entry is poor and so the assessment done by the system will also be poor. If the software were used like a financial system, all day and every day, then data flaws, poor quality data or miscalculations would be quickly spotted. As business continuity software is not used very often, those who input the data are usually ‘volunteers’ who do this on a part-time basis and often have little interest in business continuity, and the quality of the data is so poor that the functionality built in cannot be fully used.
Software systems that are rarely used by the majority of users only somewhat work. When reviewing the business continuity of an organisation that uses business continuity software, I first head to the list of users and see when they last logged on and how often they log on. Often there can be a large number of users who have never logged on or haven’t logged on for months. If the software is not regularly used, people forget their logins, what they are meant to be doing with the software or even where to find it.
One of the reasons for buying software is to cut down time spent on the admin. You are able to see at a glance who hasn’t updated their plans within the agreed time and the system will automatically send them a reminder. Although this functionality is great, you as the system owner have to watch the system like a hawk! You also need to be on the system every day. While the system may generate an email reminder, the person receiving it may choose to ignore it or claim it went to their spam inbox. You will need to call them or their boss to get them to update their plans for BIA. You need to keep on top of your champions or users, and make sure you are aware of when they leave or move on to another job, so that a new champion can be found and put in place seamlessly. Leave the system for a few months and it is a huge job getting everything up to date again. So although you think the admin time may be less, the same amount of work and vigilance is required.
So my 5 golden rules for using business continuity software are:
- Don’t think that buying business continuity software is a shortcut to rolling out business continuity.
- You have to supervise the input of data and don’t assume that by sending a link to a BIA form you will get quality information.
- Remember that much of the functionality of the software is lost by poor data entry.
- Regularly check who has logged onto the system and if people are not doing this often enough, check why.
- Having software does not cut down on the need for administrative support and monitoring activity.
As there has been consolidation in business continuity software providers, the cost of the software has greatly increased. Previously, when you could get a system for a few users for under £3k, it didn’t really matter how you used the software. Now, as business continuity software is a considerable purchase, you should think through how you will implement it and use it. It is not an easy solution to the many existing issues you have, or a shortcut to rolling out business continuity.