A Business Continuity Plan (BCP) is a valuable tool for being prepared in the event of an unforeseen disaster which impacts your business. Most organizations will readily agree with this fact that a BCP is needed. However there is great disagreement within organizations when the question arises “how much planning is enough?”. A BCP is a great hedge against unforeseen business interruptions, but it does come at a cost. Creating, revising and testing a BCP costs both time and money; time of employees spent writing and testing the plan, plus money spent on contracts with backup vendors and consultants. This is when management begins to question the value of BCP and decisions need to be made to balance the scope of contingency planning against the cost. At what point are you spending too much for the value you are receiving?
Part of this question is answered in the risk assessment and business impact analyses phase of the BCP creation. If created appropriately, items identified to be of sufficient risk to the business need require contingency planning. The scope (and cost) of contingency planning should be proportional to the risk. For example, an informational website may not require the same level of redundancy and recovery time objectives as an order-tracking system. This is evaluated by the business and supported by results of testing the BCP.
But beyond this, how to you know if the BCP is appropriate? Is there more you can do… without doing too much? An excellent way to gain insight into the robustness of your particular BCP is to look at the most common types of BCP failures; situations where the BCP did not ensure the business recovery time objectives. Take a look at these common reasons why BCPs fail to meet objectives and then carefully evaluate your BCP against these areas.
So what are the most common reasons why BCPs do not live up to expectations?
1. The reasons for implementing the BCP are not supported at the top.
I have been involved in organizations where BCPs were being implemented because either it sounded like the right thing to do or someone thought it was a good idea because the auditors were rescheduled to show up soon. The problem was that senior management wasn’t really on board with this idea and therefore no one beneath them really believed this was worth spending the time or money on. The result of this is a great looking set of documentation with very little behind it. Example: BCP says “if the site is inaccessible, all employees work from home and we go to a contact manufacturing site.” This sounds great but is this feasible? If there is no IT infrastructure in place to enable everyone to work from home, and management in not willing to negotiate a contract for contingency services with a contract manufacturers, because both of these items have a cost, then the plan is doomed to fail if you really needed it.
2. BCP does not look at the entire business.
Many organizations confuse Disaster Recovery Planning (DRP) with Business Continuity Planning (BCP). DRP focuses on IT systems while BCP focuses on the entire business and organization. It is great to be able to recover the IT systems, but if people are not available to use them nor manufacture products nor deliver them to customers, then the plan is not complete.
3. Owner of the BCP is not clearly identified.
In order for the plan to be successful, there must be an owner who has the responsibility of managing the BCP. The owner must also have sufficient authority to make business decisions for allocating resources to BCP related tasks, evaluating risks, and authorizing spending for BCP. Hands-ion tasks such as documentation may be delegated to others but the owner has the responsibility to make sure the plan is maintained, up-to-date, and tested. In many organizations, the owner is someone (or worse, several people) in senior management whose objective is “Just get it done! And don’t bother me with the details” and then they delegate all the responsibilities of managing the plan to other folks who do not have the authority to implement the plan nor approve the associated expense. The result is similar to item #1 where you end up with a great looking set of documentation with no value behind it. Sometimes, the owner is an IT person and then we get into the issues described in item #2 where the plan is heavily focused on DRP rather than looking at the entire business.
4. Inadequate BCP training.
It is critical that all members of an organization are familiar with and have been trained on their role(s) within the BCP. Just reading the documents may not be enough. Some roles may require using different systems or accessing information from alternative sources or being familiar with alternate locations. You need to be sure that in the event of a real emergency, there is no confusion about what to do. Also with all the changes going on in businesses all the time, it is very important to train new people on BCP. This is an ongoing process that must be kept on the front burner at all times.
5. Inadequate BCP testing.
The effectiveness of the BCP is dependent on the level and frequency testing. It is not different than fire drills or emergency evacuation drills; you need to be familiar with the process and the best way to do this is to practice a simulated disaster drill. Organizations which do not fully embrace the concept of BCP typically do the minimum of testing to keep costs down and not take people away from doing “real work”. The result is that during a real emergency, you may find yourself in a situation which was not anticipated and as a result, precious time now needs to be spent figuring out how to resolve issues rather than executing the solutions. Pay now or pay later; the more testing is done up front, the better prepared you will be.
6. Documentation is out of date.
BCP documents are living documents which take time to put together and time to review for accuracy. This time needs to be invested at regular intervals to ensure the documents still have correct information. If the BCP is write, signed and filed away never to be looked at again until there is a disaster 5 years later, chances are that some if not most of the information is out of date. Organization trees, phone numbers, addresses, suppliers, customers, account IDs, passwords all change all the time. It is critical that as part of BCP, there is an allowance for time to be spent on a periodic review of the BCP to ensure it is current. This can be annual, quarterly; whatever your organization determines to be appropriate but it must done or the value of the plan quickly decreases over time.
7. Inadequate time spent in the planning and evaluating of the BCP strategy.
To create a truly optimized and value-added BCP requires time and effort to analyze and evaluate information from many sources. This is not something one person working by themselves can just zip out to get it checked off the list. Even a large team of expert consultants cannot do this overnight by themselves. They must follow a careful process of interviewing all the key information holders in the organization to ensure all the critical factors are considered before making any recommendations for an effective BCP. These factors include the critical business process, risk factors, impact analyses, recovery time objectives, costs, logistics, and people issues (not necessarily in that order). If any of these factors are skipped over or information is just assumed, then there is a real risk that the plan may not be adequate or it may cost more to implement that is really needed. Nether outcome is acceptable.
8. Inadequate assignments of responsibility.
One to the key success factors to an effective BCP is to assign and distribute responsibilities appropriately. If all critical responsibilities are assigned to one person, then the system will quickly get overloaded and the process will slow down, or worse some tasks will fail. If no one is clear who is responsible, then there will be conflicting and unclear direction or no one will be addressing key issues. There needs to be clear BCP leadership at a top level and then a logical distribution of responsibility at the tactical level. One key item to consider is where there are multiple locations involved; does it make sense to have the BCP structured by function even though the functions cross different locations? Or by site so that there is a local person available to provide direction as it is needed? Also for every assignment of responsibility, there needs to be a primary person and a backup assigned. This ensure coverage of this area in the event the primary person in unable to perform this function.
Having this knowledge provides very valuable insights to enable the creation of a robust yet cost-effective BCP.