Get The Business Continuity Operating System Book by Brian Zawada
Avoid the 9 Ways a Business Continuity Plan Can Fail
When catastrophe hits a fighter pilot’s aircraft, his parachute is his backup plan, his means to get back on the ground without further injury. But if his parachute is poorly maintained, incorrectly packed, not easily accessible, or is too complicated to deploy, it may fail him. The same concept can be applied to an organization’s business continuity plans (BCPs).
BCPs are like an organization’s parachute. They work to carry an enterprise to safety and diminish further loss and damage in the event of a crisis. But if a BCP is insufficiently maintained, haphazardly developed, difficult to interpret, and not easily accessible to personnel, your enterprise may crash.
- Inadequately Assessing Risks
Risk assessments are the nucleus of a BCP. You should know your threats and vulnerabilities in order to plan for battling and remedying them. If a comprehensive risk assessment is not performed, a comprehensive plan is not created.
Solution: Resist the urge to step into the “it won’t happen to us” or “we can handle it without a plan” trap. Be realistic in your estimation of the probability of an incident and its impact. Underestimating this will only cripple your ability to properly plan. This is where full organizational collaboration can help. Get everyone thinking about potential threats and their impacts on each and every department.
- Creating Single Points of Failure
This is where many businesses go wrong. Examples such as:
Storing data mains and backups on the same servers. If that server goes down your backup goes with it.
• Neglecting to create hardcopies of your plans. Most BCP software solutions allow users to store their plans electronically within the software, but again, if the host server fails, so does your plan.
• Assigning only one method of emergency communication. If that option is encumbered, you cannot communicate your plan.
Solution: Assess your plan to reveal single points of failure such as these and others. Never take for granted that every responder, process or system will be available or operational as planned.
- Failing to Update
What good is your plan if your responder contact information is out of date? Or if the software you use has changed? A plan that’s been collecting dust in a binder for the past 11 years is not a reliable plan.
Solution: Update your BCPs frequently. And conduct regular risk assessments to help gauge its real-life functionality. Organizational needs shift. Technology evolves. Personnel changes. Keep abreast of all internal and external changes: industry threats, regulations, staffing, etc., and modify your plan accordingly.
- Refraining from Sharing
What if top management or key responders are out of the office when an incident hits? Will others know what to do in their absence? And even if all personnel are present, will all employees know what to expect?
Solution: Distribute copies of BCPs to all personnel. If executives and responders are unreachable or absent, others must be able to respond quickly and effectively. Additionally, all employees should have a basic understanding of your BCPs to facilitate efficiency and to avoid becoming hinderances rather than helpers. Indecision and confusion can clog your otherwise well-oiled plan.
- Avoiding Customization
BCPs are not one-size-fits-all. Though BCP templates offer a solid starting point, particularly for those just getting their BCP toes wet, organizations shouldn’t stop there. What works best for a grocery retailer may not fit the needs of an auto manufacturer.
Solution: Customize your plans for your company’s specific requirements to be most effective. This is where a thorough risk assessment can truly help determine your entity’s most probable threats and the most effective processes and protocols for individual enterprise. Denominators such as industry, location, size, etc. all play a role in developing your most appropriate plan.
- Neglecting Crisis Communication
If you cannot communicate, you cannot carryout your plan. Reliable and communal communications are the most imperative factors in any plan. If your designated method of communication is wiped out, what will you do?
Solution: Develop a documented crisis communication plan for your BCP to ensure all staff can stay connected during and after an incident. The plan should include contingency options, more than just one method. If one and two fail, then you have a third…
- Forgoing Testing and Exercising
A real-life incident should not be the testing ground for your BCPs. What if Recovery Time Objectives (RTOS) are wrong? What if you have no cell coverage at your alternate site? What if staff misinterpret the plans or terminology? So many things can go wrong and weaknesses realized when carrying out a plan. It’s better to discover those frailties before they lead you to greater disaster. And carrying out a plan without first exercising it is like putting on a Broadway play without rehearsals. Everyone thinks they know their lines and positions, but do they?
Solution: Test it before you need it. Table top testing helps reveal oversights and vulnerabilities in your plans and in time enough to remedy them. Exercising the plan affords you the opportunity to refine and perfect what does work. Afterall, practice makes perfect, yes? It gives everyone the opportunity to experience how they will actually respond, to better understand the reasoning behind the processes and protocols, and to ask questions and suggest improvements.
- Failing to Finish
A partially completed plan does not deliver a fully protected enterprise. Underdeveloped plans are just as bad as no plan at all.
Solution: Make every effort to complete your BCP. Do you know who is in charge? Who are the first responders for various incidents? Have you designated backup responders in the event the key players are unavailable? Have you planned for all potential threats and disruptions? Have you documented and distributed all plans?
- Expecting Things to Go as Planned
Murphy’s Law: if something can go wrong it will. Far too often organizations don’t plan for deviations from plans, no contingencies. What if all your communication options go down? What if you run out of supplies? What if your data can’t be restored in the expected time frame?
Solution: Formulate backup plans for your plans. Consider what your next step would be if certain portions of your plan go awry and make a plan for those.
Preparing and Preserving your BCP Parachute
Recognizing these BCP pitfalls and adhering to the respective solutions can increase your chances of successfully navigating crises, avoiding greater damage and loss, and landing on your proverbial feet. Your business, reputation, and customers depend on it.
Get business continuity insights delivered to your inbox.