MSECB

Home → News & Resources → Experts Talk

How to create an effective Business Continuity Plan?

7 ways that actually work when you need it most

Introduction

The life of a Business Continuity Planning (BCP) professional is not always smooth sailing. Staff across an organisation tend to be all too busy helping the business ‘make money’ and, unless an immediate trigger like a real disaster event occurs, they do not even think about all the things that could go wrong. Often, Risk Management documentation and BCPs only get written or refreshed for audit or other compliance related purposes. Staff
will use any possible opportunity to avoid that task and responsibility. 

One might think that this has all gone ‘out the window’ with the current pandemic and that everyone is extremely aware that BCP is not a luxury, but rather a necessity. However, this effect tends to be neutralised by the illusion amongst staff and management that ‘‘we are now all BCP experts’ (and why would we need more BCPs?), now that we are managing COVID-19, have dealt with related lockdowns and work-from-home practices for the past couple of years… whilst COVID-19 actually gave us substantial notice. We were able to set ourselves up for the remote work situation for at least a few days or weeks, buy new laptops, arrange VPN connections and install video conferencing software. It was a ‘slow onset’ scenario so to speak, unlike a major flood, cyber-attack, connectivity outage, fire
evacuation, physical security incident or power failure. For such ‘fast onset’ scenarios, a well-practiced BCP process certainly comes in handy. 

However, most Risk Management and Business Continuity ‘experts’ concentrate on documentation, not on actual implementation.

Typical issues and how to overcome them

There is too much focus on ticking boxes to please auditors, too much paperwork, too much effort to maintain documents, too little focus on getting proper buy-in, too little enthusiasm from staff, too little incident readiness, and too little empowerment of staff to think on their feet when ‘it hits the fan’. 

It affects entire organisations. Senior management ends up with a false sense of security that everything is covered, risk is managed well, and that staff are ready if a Business Continuity (BC) event were to occur. Whilst, in  reality, only a few individuals (e.g. Risk Managers, BC Co-ordinators) keep themselves familiarised with the content of the plans and procedures, or even worse, they are the only staff who even know a plan exists. 

Engaging consultants also does not always work out as well as hoped. Too many Operational Risk Management and BCP consultants mainly liaise with the ‘already converted’, i.e., those in an organisation who already have a Risk Management or BCP related role and ‘mindset’. At best they could try to have some dialogue with senior management. Not all consultants have the courage to ‘get their hands dirty’ and delve into the details of a proper Business Impact Analysis (BIA), Risk Assessment and/or BCP development phase together with the operational staff.

Perhaps they are nervous about the potentially conflicting requirements between business units or are just not able to truly think laterally and fully understand the end-to-end business processes. 

Furthermore, it is often challenging for consultants as it is for internal BCP professionals, to get buy-in, time and attention from middle management and the general workforce who are busy ‘doing their job’. And that is where the ball stops rolling in many Risk Management and BCM implementation projects. 

The result is that mountains of documentation may get produced, including cumbersome BIA documents, Risk registers and BCPs, but these can quickly get out of date. If a real incident occurs, most staff are uninformed and confused. They do not know their role, do not feel confident in responding to the incident, do not know which activities to prioritize and how their peers and staff will be contacted, whom they should contact themselves, who has the authority to give them instructions. They are far from ready.

Typical issues and how to overcome them

There is too much focus on ticking boxes to please auditors, too much paperwork, too much effort to maintain documents, too little focus on getting proper buy-in, too little enthusiasm from staff, too little incident readiness, and too little empowerment of staff to think on their feet when ‘it hits the fan’. 

It affects entire organisations. Senior management ends up with a false sense of security that everything is covered, risk is managed well, and that staff are ready if a Business Continuity (BC) event were to occur. Whilst, in 
reality, only a few individuals (e.g. Risk Managers, BC Co-ordinators) keep themselves familiarised with the content of the plans and procedures, or even worse, they are the only staff who even know a plan exists. 

Engaging consultants also does not always work out as well as hoped. Too many Operational Risk Management and BCP consultants mainly liaise with the ‘already converted’, i.e., those in an organisation who already have
a Risk Management or BCP related role and ‘mindset’. At best they could try to have some dialogue with senior management. Not all consultants have the courage to ‘get their hands dirty’ and delve into the details of a
proper Business Impact Analysis (BIA), Risk Assessment and/or BCP development phase together with the operational staff.

Perhaps they are nervous about the potentially conflicting requirements between business units or are just not able to truly think laterally and fully understand the end-to-end business processes. 

Furthermore, it is often challenging for consultants as it is for internal BCP professionals, to get buy-in, time and attention from middle management and the general workforce who are busy ‘doing their job’. And that is where
the ball stops rolling in many Risk Management and BCM implementation projects. 

The result is that mountains of documentation may get produced, including cumbersome BIA documents, Risk registers and BCPs, but these can quickly get out of date. If a real incident occurs, most staff are uninformed and confused. They do not know their role, do not feel confident in responding to the incident, do not know which activities to prioritize and how their peers and staff will be contacted, whom they should contact themselves, who has the authority to give them instructions. They are far from ready.

A practical, actionable BCP approach includes the following elements:

  1. Top management are involved in collaborative Risk Management workshops to determine their shared views on Risk appetite and Risk evaluation criteria, from which follows the commitment to BCP from the top.
  2. A ‘superhero’ team should be established, consisting of around 4 or 5 BC Facilitators from across the business, to assist in creating the plan, liaise with other staff, and plan/deliver training sessions and rehearsals. 
  3. Middle management and general staff need to be engaged in one or more efficient, highly interactive workshops (tackling Risk, Business Impact Analysis (BIA) and BCP strategies), so they start developing buy-in for the process and contribute to optimal, easy-to-maintain documentation, practical workarounds and realistic continuity procedures.
  4. BCP documentation should be simple to maintain (e.g., by using colour coding and bullet-style checklists) and based on a top-down holistic approach (e.g., by working with a small number of ‘core consequence scenarios’). It resides on an interactive, common platform such as the organisation’s SharePoint/network/Intranet site (i.e., one that the broader workforce already uses in their daily life) and has a remotely accessible copy in case live systems are down.
  5. Staff awareness campaigns need to focus on engaging everyone, which also means informing those who do not have a BCP role that they should not claim recovery provisions such as laptops, workspace and connectivity (and even vacate their existing place of work to accommodate others who have a more time-critical role). 
  6.  Disaster rehearsals/simulations should be fun and strongly encourage participants to make mistakes and identify BCP gaps instead of covering them up (only for these gaps to then show up during a real incident). Exercises include audio-visual tools and a range of practical assignments (including hands-on validation of decision-making processes and notification systems) in order to ensure management and staff develop a true readiness for incidents.
  7. Key staff (e.g., BC Facilitators) need to be recognised for their contribution (e.g., during performance appraisal time) and to be provided with highly interactive training (including practical exercises and the opportunity to learn from other organisations) and ideally have the option to certify their skills in related standards such as ISO 22301 and ISO 31000.   

The goal is for everyone to be able to sleep soundly at night knowing that, not only are good plans in place, but also that they are up to date, and that the right people know what to do should an adverse event occur.

 

About Author

""

Ms. Rinske Geerlings is an internationally known, award winning consultant, speaker and certified trainer in Business Continuity, Security, Disaster Recovery and Risk Management with over 20 years global experience.   Since 2019, she has led many audits against ISO/IEC 27001 and ISO 22301 as an MSECB Auditor. She founded Business As Usual (www.businessasusual.com.au) in 2006.

Other Articles