Your business continuity team has brought you the company’s new, improved, revised, or updated business continuity (BC) plans. Nice plans – comprehensive, lots of information about assignments, call trees, contact lists, etc. and they’re all up-to-date. Your staff assures you that they have addressed all of the priorities and requirements defined from your business impact analysis (BIA) and involved every key stakeholder, so that the company is ready for the worst case scenario. You can hand out the kudos and get on with the next task.
Not so fast. Before you give those kudos, you have some questions to ask! There are three important elements that too many business continuity plans are missing – even plans that are well-developed based on traditional good practice. So, take the time to ask your plan development folks the following critical questions:
1. Have we addressed the fourth building block of business continuity: our vendors?
Every business continuity plan needs to address four things: disruption in the workplace, reduction in the workforce, interruption of IT services, and stoppages from your third-party product and service vendors. Most companies handle the first three. But vendors? They are too often left off the list and sometimes not even considered during the BIA.
On the one hand, it’s easy to understand why vendors are omitted in BC planning. They’re not part of your company, and they are supposed to be handling their own business continuity. Nice thought. But since your company is on the line if your vendors fall short, you continue to own the risk of a vendor failure or breach. For that reason, you need to vet your vendors with the same rigor that you use to address your own BC plan. You need to know – to the best of your ability – that your vendors are agile and resilient, and that they will keep supplying you with products and services, even when the bottom falls out of their universe. You also need to know how your organization will respond if they do fail.
2. Have we organized the plan using situational relevancy to make it easy to use?
Sure, your BC plans contain tons of information … the correct response to the situation at hand must be in there if you look for it. Unfortunately, although plans contain a lot of stuff, they are often not organized for actual use – they are organized to simplify initial plan development. In essence, they are not organized for effective use at time of need – when it counts. It is prudent (dare I say, vital) that they be structured to help your teams quickly and efficiently get focused on responding to what has actually happened.
So, how about segmenting those plans according to disruption scenario? Consider these four: the loss of IT services and/or data, the loss of services from individual vendors, the loss of individual workplaces, and a reduction in available staff. Segmenting by disruption scenario will help narrow down what to do, since it is highly unlikely that all of these (the elusive “worst case scenario” that so many people try to plan for) will occur at the same time.
A good BC plan is overflowing with scenario-based strategies, tasks that are aligned with those strategies, reference information, and all the rest of it. Not all of it is relevant all of the time. You need to be able to quickly and efficiently navigate through the morass to find the gems that are critical to this situation at this moment in time.
3. Does our BC program provide us with decision support in time of crisis?
Great; now you have the basics, but what about rapid situational analysis and decision support? I can pretty much assure you that a typical static business continuity binder isn’t going to help you decide on an appropriate response strategy (paper just isn’t interactive!). How about if you use BC software? Well, that depends on your software. Business continuity software can be as non-responsive as a BC binder sitting on a shelf. Or, it can be your go-to tool when the proverbial fan is hit. Situationally effective BC software is going to help you:
• Determine the overall impact of the incident.
• Make appropriate decisions about the incident.
• Alert the relevant people to handle the incident.
Remember, you can’t mount an effective response and determine the right course of action until you have done all of the above! You have to have a firm grasp of the incident itself and its ramifications for your business at every level, i.e., What’s the geographic scope of the incident? How severe is it and how long will it last? What’s important to me within that geography? Who do I need to alert and advise? What specific actions do I authorize?
How do you do this? Essentially, you have to be able to mine your BC plan. Nobody wants to flip (or scroll) through dozens or perhaps hundreds of pages to figure out what is or might be at risk given the evolving situation and what to do about it now. Your BC software should be able to select key elements from the plan for the particular situation you find yourself in.
When your business continuity plans have been bolstered to address vendor risks, scenario-specific responses, and decision support capabilities, you can then hand out the kudos and cross “BC plan” off your task list. At least for a little while. After all, you may soon be called to action by the next disruptive incident or the next significant business change; but that is another topic for another article…