Why write a Business Continuity Plan when they never get used?

There’s a trend at the moment that questions why we bother to write Business Continuity “plans” when they never seem to be of any particular use in an incident. Any BC professional who has conducted a business continuity plan test for an organisation will have encountered the common situation, where the plan documents are quickly discarded in favour of “winging it”. The natural conclusion then, is to ask “why are we producing, reviewing and updating these documents” when we can’t use them in a crisis (even when it’s a simulated one).

In this post I’m going to outline why we should not rely on doggedly following plans in the face of a major incident and why we do need to create documents that justify and outline our incident response and recovery capability.

Firstly, we should not rely on a “holy grail” document that will lead the organisation through a crisis. To capture every eventuality that can occur, would create a document that would be unwieldy and unusable in a fast-moving situation (does that sound familiar?). What trumps this by orders of magnitude is an organisation that is genuinely prepared for disruptive events.

Which, in a nutshell means:

• That people understand their roles (and, if they don’t have a specific role, know what they should do when a major incident is discovered or declared)

• Appropriate resources are available to support the management of an incident and those using the resources are proficient in their use

• The organisations infrastructure can be recovered or restored effectively, in line with the organisation’s exposure tolerances

• Third parties, including customers, regulators and auditors have confidence in the above

We achieve this by:

• Developing knowledge and capability within our organisation

• Making sure that knowledge and capability is embedded in the organisation, preserved and fine-tuned as circumstances change

Accepting that our people also have day jobs and need periodic support to “stay sharp”. It’s very tempting to draw parallels with elite armed forces with statements like “have you ever seen a Navy Seal or SAS member pull out a plan for operating a firearm in the heat of a firefight?”. Of course they don’t – because it’s their day job and when they are not “in theatre” they are constantly practicing one aspect of their skills or another - most commercial organisations don’t have that luxury and can’t operate that way.

So, in terms of developing our organisation along the lines of 1, 2 & 3 above, we are going to need to create, preserve and disseminate the knowledge and skills to create the capability. An important part of achieving that will be to create information content that facilitates their development. So, this is not the production of the Magnum Opus “plan”, it’s about facilitating the establishment of a capable organisation with the resources it requires to effectively manage the unexpected. The bedrock of this is information content that is referenceable, transferable and designed for purpose.

Types of content required to facilitate and maintain a practical & useful Business Continuity Plan

Educational – facilitates understanding of goals, roles and skills required to achieve an objective. This is not just the traditional business continuity awareness. It provides education and guidance to incident response and key role holders to provide them with knowledge and skills to fulfil their roles

Developmental – Embeds and preserves intrinsic capability with periodic practice and refreshers including tools and resources that may be required to effectively fulfil key roles

Guidance – Operating procedures for recovering or re-establishing the organisations infrastructure including information systems and physical assets

Managerial – processes to ensure that capabilities are relevant and remain fit for purpose

Confirmation – for the benefit of third parties seeking evidence of “due process” detailing the how the organisation manages its business continuity programme and its content including recovery priorities & capabilities, assurance and confirmation processes.

The concept of the “magnum opus” business continuity plan is flawed, and the current experience of many organisations underlines that. Nevertheless, knowledge content that is designed to be relevant, referenceable and transferable provides the foundation to establish and maintain a well-prepared organisation.

For practical, concise business continuity plans, take a look at our business continuity plan template