Wednesday 3 September 2014

Seven deadly sins of business continuity plans

Recently I helped plan and deliver a workshop for the Scottish Continuity Group. The theme of the day was to give the delegates ideas of ways to improve their plans. Presentations were given on a number of aspects of planning - including short plans, using business continuity software, the army way of planning and different ways to set out your plans. I gave a talk at the beginning of the workshop to set the scene. It was entitled 'The Seven Deadly Sins of Business Continuity Plans' and I thought I would share the main points with you.

Sin 1 – Unnecessary information

Many Business Continuity Plans I see seem to be full of unnecessary information which is not needed on the day of the incident. They contain policy information, details of when the plan was last exercised and how business continuity is managed within the organisation. I believe that the plan should only contain information which you are going to use on the day of the incident. All the other information should be kept in a separate document.

Sin 2 – Samey

“When something remains consistent when one would expect there to be more variation”.

This is where the plan initially looks good, with lots of detail, and it appears that lots of thought has gone into it. You then read a number of plans within the organisation and you find that almost all the plans are exactly the same. The call centre plan looks exactly the same as the finance plan, except for the name on the front. This says to me that business continuity within the organisation is not taken seriously and the organisation is happy for its plans to be cut and pasted from one department to the next. Of course there will be some parts that need to be the same in all plans, such as the incident management hierarchy, but make sure that your plan is properly tailored to your part of the organisation.

Sin 3 – Connection to the BIA

Many organisations have a large and elaborate Business Impact Analysis (BIA), which captures vast amounts of information. When you come to look at the plan, there is nothing in it recognisable from the BIA. The BIA has a vital part in informing the recovery strategy and key information such as the system recovery order, how many seats the department needs over a timeframe and, most importantly, what the Recovery Time Objectives (RTO) of the different activities carried out by the department are. Make sure you iron out the essential details which you need during an incident.

Sin 4 – Scope

With many plans I see it is not clear what the scope of the plan is. Is it just the Glasgow call centre or all three call centres across the United Kingdom? Perhaps the author knows the scope of the plans but has not put it into the document. I am never sure whether this is the case or if they have not really thought through the scope of their plan. I think within the plan there should be a very clear scope and the parts of the organisation which are outside of the scope should also be identified.

Sin 5 – No strategy

Many plans you have to read four or five times to actually work out what their strategy is and how they are going to recover their operation. Sometimes it is impossible to work out what they are going to do! There may be tables listing the number of staff to be recovered but no actual location where they are to be recovered to. Sometimes I worry that the organisation doesn’t really know what they are going to do and will make it up on the day, hence they have no strategy to actually write down. Within the plan, I believe, it should be very clear what the recovery strategy of the organisation is. Within my plans I write a paragraph describing the recovery strategy which makes it clear how the organisation will implement its plans.

Sin 6 – The Team

According to the Business Continuity Institute’s Good Practice Guidelines every plan must have a team to implement it. This seems to be missing from many plans and it is not clear who will implement the plan. Even if the plan will be implemented by a team detailed in another document, there should be reference to this within the plan.

Sin 7 – Medium to long term recovery

Many plans I see concentrate on the immediate response to an incident and recovery of the first activities to their designated RTO. After this they run out of steam and are vague on how to recover beyond that. I was guilty of this when I was responsible for planning for a large office of 1,600 people. I had a good robust plan involving a work area for 300 of the key staff but had no plan in place for the recovery of the remaining 1,300 people. Finding space and recovering a small amount for immediate activities is easy; what is more difficult is finding space for the remaining large amounts of people. The same amount of thought and planning should go into your medium and long term planning, especially if it involves large numbers of staff. Once you know how to recover the remaining large numbers of staff then this should be included within your plan.
Charlie Maclean-Bristol is a Director at PlanB Consulting in Scotland.
