The old conundrum “which came first, the chicken or the egg?” reminds me of an often-heard Business Continuity statement: “We’ve got a Business Continuity Plan, so we’re covered.”
Perhaps you don’t see the similarity. The chicken/egg question is largely unanswerable (although there are always those who believe they know the true answer). The other question is also unanswerable but for different reasons. That BC Plan might be enough to assure the organization can recover from a disruption of day-to-day operations; or not. It isn’t a question of the thoroughness of the Plan, or its adherence to ‘standards’, or its audited compliance.
The truly important question is: is the organization capable of recovery? Organizational capability isn’t dependent on a Plan. The Plan should be an aid to recovery capability. But a Plan doesn’t necessarily take the organization’s capabilities into account. The best looking, most in-depth, standard-adhering, audit-passing Plan in the world is useless unless the organization it seeks to help protect is capable of using that Plan to recover from a business disruption.
What, exactly, do I mean by ‘capability’?
- That the organization is aware of the BCM program – not just that it exists, but its purpose and objectives.
- That the goals and objectives of the program are understood and accepted by everyone– from the Board of Directors down to the average employee.
- That a Strategy has been agreed upon for responding to disruptions of day-to-day operations.
- That Tactics which have been devised to respond to a disruption align with the overall Strategy.
- That there have been sufficient Exercises (or Tests) to provide participants with adequate familiarity with their roles and responsibilities in the event of a business disruption. When an organization is confident in its Business Continuity capability, it doesn’t matter what happens, when it happens, how severe it is, or how long it lasts. A capable organization is ready to deal with whatever comes its way.
Confused about what separates Capability from Plan? Let’s suppose we plan to hike up the nearest mountain. We buy a map. We’ll get in the car, drive to the trailhead (it’s marked on the map!) and hike to the top. That’s the Plan.
But are we capable? Is everyone in sufficient physical condition? Do we have hiking experience? Does everybody have the right footwear? Know how much water to bring?
Just having a written Plan doesn’t guarantee preparedness. A Plan is just words on paper (or 0’s and 1’ on a hard drive). Without a capable organization behind it, no Plan is likely to succeed. But a capable organization – which knows its objectives, understands its strategy, and is sufficiently tested – is prepared to act effectively – even if its Plan isn’t misses the mark.
