Top Secret: Business Continuity Plans for Your Eyes Only

Sometimes I think there really are Parallel Universes.  There’s the one where someone creates a Disaster Recovery or Business Continuity Plan that no one else is allowed to see; and then there’s the universe I live in – where everyone who might need to participate in the execution of my Business Continuity Plan has a copy.

I’ve never truly understood the need for secrecy in Business Continuity Management.  In my first brush with Disaster Recovery (back in the early 90’s), everyone who needed one got a numbered copy of the DR Plan.  You had to sign for it, and surrender it when it was updated, or your position changed.  I always wondered why.  Yes there was some proprietary corporate information in there; it was all about restoring the mainframe.  This was before wide use of the Internet – when the mainframe might have been attached to a LAN (local area network), but not The Web.  So making dastardly use of the DR Plan would require breaking into the building, and then into the computer room (with its own mystical access system).  Why we had to sign for copies I’ll never know.

But that was more than 20 years ago.  Why do some organizations (or at least some individuals in them) feel that a Business Continuity Plan or a Disaster Recovery Plan is so Top Secret that only one person should have a copy? I’m not talking about one isolated, paranoid person.  This happens much more than you’d think (or at least a lot more than I ever expected).

Keeping the contents of a Business Continuity Plan a secret is a prescription for failure.  If only one person has a copy, Murphy’s Law will dictate that they are absent when the plan is needed.  And that’ s only one pitfall of a closely-guarded Plan.  Why does this happen?

When customer account information, corporate financial information, IP addresses, License keys, access codes, passwords and other sensitive data is contained in a Business Continuity Plan, security should certainly be of concern.  When security turns to secrecy, that’s paranoia.

Then of course there’s politics.  He who has the goods rules the game.  If I’m the only one with a copy of the Business Continuity Plan, I hold the fate of the organization – or my Business Process – in my hands.  I have power!  As long as we never have to execute the Plan, I can bask in my power.  I suppose this is just another form of paranoia, but then, I’m in Business Continuity Management, not psychology.

The point is this:  Unless those who will need to participate in the execution of the Plan have a copy in advance, they will have not familiarity with their responsibilities. Without that familiarity any attempt to execute the Plan is likely to fail.

So what’s the solution?  Rather than hide the Plan, because of its sensitive content – organize it better.  Put the sensitive information in an Appendix or Addendum (or a single Procedure) and give that portion only to those who truly need to know and can be trusted with its sensitivity.

If you expect a Plan to succeed when called upon, the participants must know what is expected of them.  They must have an opportunity to practice.  And they must have easy access.  If the boss has the only copy and is on vacation, he or she may return to a ruined organization.  Or find they no longer have a job.

Related blog:
Is that a Business Continuity Plan – or a Book of Lists?

SHARE:
Jim Mitchell

Jim Mitchell

A frequent speaker at Business Continuity conferences, many of Jim Mitchell’s blogs can be found elsewhere on eBRP’s website and has published articles in DRJ, Continuity Insights and Continuity Central. Jim has more than 20 years of experience in Business Continuity; if you don’t agree with his opinions – he won’t be surprised.

Related Posts

Enterprise Resiliency: Navigating Through Disruptions

Enterprise Resiliency: Navigating T...

In today’s threat landscape, the ability of an organization to…
Orchestrating BC/DR Testing: Virtual – Emergency Operations Centers

Orchestrating BC/DR Testing: Virtua...

  Enhancing Planning and Logistics Management  Coordinating BC/DR tests involves…
Insights into creating a successful Disaster Recovery Test – Part 2: Preparation

Insights into creating a successful...

Insights into creating a successful Disaster Recovery exercise – Part 1: Objectives

Insights into creating a successful...

Aligning Cyber Incident Response Planning with Your BC/DR Program

Aligning Cyber Incident Response Pl...

Cyber disruptions – and their impact on both reputations and…
What Can You Do when your BCM software Relationship Falls Apart

What Can You Do when your BCM softw...

“This isn’t working.”  “I’ve changed.”  “I don’t see a future…
Aligning BC/DR to CSIRP Challenges

Aligning BC/DR to CSIRP Challenges

The immediate reaction to a cyber-security incident is the FUD…
Technology Modeling – the eBRP Way

Technology Modeling - the eBRP Way

Definition: Technology modeling is a point-in-time snapshot of an Enterprise’s…
eBIA – The eBRP Way

eBIA - The eBRP Way

Definition: A Business Impact Analysis (BIA) is the cornerstone of…
Threats, Impacts, BCPs

Threats, Impacts, BCPs

Within Business Continuity circles there is ongoing debate about the…