Paying lip service to BCP

Risk based testing from Acutest

by Albert Streeb

Many companies that have a business continuity plan have one that will not work properly when it is invoked. At least companies with no plans know they will have to 'make it up' when there is a problem.

There are two reasons why a plan will not work after a disaster. First, the plan may not include information about the elements of the business that matter and second, the plan is not technically viable and could never have worked. Naturally, these are not mutually exclusive.

Thus there is a large community that pays lip service to BCP. They pay the costs of planning but are unable to get the benefits on the day that it matters. Worse still, it can cost more to pay lip service than to pay for a plan that really provides business continuity. Another way to put it is that they can tick the box to show they have a plan but there is no box to tick regarding the viability of the plan.

Trap one: No continuity for critical business elements

Some organisations have produced plans to satisfy the regulatory bodies, auditors, parent companies, shareholders, prospective clients or the directors of the company.

These organisations often re-use a generic plan and adjust it for their IT requirements, ignoring the business.

This is expensive when the plan is activated as there is no alignment between the systems available and those needed immediately by the business.

Some companies have plans that are several years old and refer to equipment that is no longer in use. We have seen one company that had been paying for a contract to be supplied with equipment which had been made obsolete four years earlier. Money was saved purely by cancelling this contract.

Trap two: Planned, but never proven - it could never have worked...

To engage the business, some companies take the business context into account once, at the start of producing the plan, but never adequately check or test the plan to ensure it will meet the business requirements when it is invoked.

This approach tends to result in a plan that may not work as the business side of the plan has not been maintained.

An independent health check pays dividends by highlighting areas of omission and by identifying, on a risk basis, the areas that require testing (BCP Assurance).

We have been into companies to discuss business continuity and found that the only copy of the plan existed in a bookcase in the IT Director's office.

What's the answer?

Creating and maintaining a business continuity plan properly can be more complex than paying lip service and can also be more expensive. However, the cost of implementing the plan is often less, the risks are known and understood and the invocation is predictable.

There are two key aspects: (a) involve the business in identifying the risks to be mitigated and the risks to be accepted, and (b) test that the mitigation can actually be invoked.

We see companies where someone has produced what they think is a foolproof plan only to have missed a vital point as they were so close to the plan they couldn’t see the wood for the trees.

It is important that an external body is used to vet the plan. By carrying out a health check the external organisation can identify obvious omissions in the plan and may also be able to suggest ways in which mitigating actions can be put in place in order to reduce the cost of business continuity for the organisation.

This health check also highlights the areas of risk where testing is required and, by the same token, the areas where testing does not add value.

For example, every company has some internal processes that could be delayed for a period of time without harm. There is little point spending money testing a business continuity solution for these processes. Risk based testing is therefore the answer: any health check should provide a risk based testing schedule, which sets out the areas to be tested in the context of their business importance.

Few companies have the expertise internally to carry out a comprehensive business continuity health check, or to conduct business continuity risk based testing. In these cases it is essential that a third-party organisation is employed to advise and guide the company towards a comprehensive business continuity plan.

About the Author

A Streeb is an experienced practitioner of business continuity testing at Acutest, an independent consultancy specialising in business continuity assurance and software testing services. For more information on this topic visit http://www.acutest.co.uk or send an email to enquires@acutest.co.uk


© HowtoAdvice.com
