What can you do when Business Continuity Plan owners fail to update their Plans?
I previously discussed why some organizations struggle – or simply neglect – to update their BIA data. A BIA can be like a Platypus (an Australian mammal – part duck/beaver/reptile – that lays eggs). Designed by a committee, a BIA may have so many components its purpose is no longer clear. It takes so long to complete –and often with great difficulty – that people spend more time avoiding it than completing it. Over time, that top-heavy BIA survey/questionnaire topples under its own weight. I get that. I’ve long been an advocate of short, targeted BIA’s (see this earlier blog). But when the BIA doesn’t get updated, it’s a short path to Business Continuity Plans not being updated.
Sure, you update the Call Tree (especially in Plans so old they still use Call Trees – and we’ve got a blog on that too). Does the Plan ever really get updated? If the annual ‘test’ is always the same, it’s a simple task to sleep walk through that exercise without ever considering whether the Plan retains any real value or validity. It reminds me of a friend whose father always told him he’d be leaving his children a million dollar insurance policy. When Dad finally died, the siblings found the policy; and discovered Dad had stopped paying the premiums years ago. Yes, he left them a Million Dollar Insurance Policy – but it was only paper.
There are plenty of excuses why a Business Continuity Plan (BCP) hasn’t been updated: no time, no resources, no priority, etc. Sometimes the problem is more perception than reality. Most BCP owners don’t have full-time Business Continuity responsibility; many only have responsibility for ‘owning’ a Plan (not maintaining it). Their budgets don’t account for maintaining that Plan – so their priorities don’t either.
Their decision to avoid updating is really a Risk Management function:
- The Process/Function/Plan ‘owner’ understands the risk (“If we have a problem and my Plan fails, I might lose my job.”).
- Of the 4 options available to deal with the risk (Avoid, Mitigate, Transfer, Accept) there are only two valid choices: update the Plan (Mitigate) or not (Accept).
- It then becomes a matter or deciding whether a disruption is likely. It’s a guess, but we all guess about things every day.
- For some, that equation is influenced by their belief that – as long as there’s an up-to-date Contact list – experience and leadership will make up for the lack of a valid Plan.
If the Business Continuity Management program is driven from the top down (Championed at the Executive level and supported by each successive level of Management), there’s no way to avoid Plan updating.
If, as is often true, C-Suite support is elusive, and accompanied by lack of support among operational managers, Plan owners are more likely to seize their risk assessment opportunity and not bother to update their plans.
So what’s a Business Continuity Manager to do?
- Challenge – Start by conducting more interesting Plan Exercises. If you run the same exercise every year, it’s easy to bluff one’s way through it. Changing the ‘scenario’ each time makes it much harder – but not impossible – to fake one’s way through the exercise without current information.
- Record – Take notes during the Exercise. If you see, hear or sense hesitation you might assume a need for correction, addition or change. Upon completion of the Exercise, use your notes to question the Plan owner/recovery team regarding those possible issues.
- Follow-up – You can’t ‘shame’ someone into updating their plan (you can try, but the act may have unintended consequences). But by requiring them to provide an updated Plan (including responses to your noted ‘issues’) by a certain date, you may spur them to action. Just remember that this isn’t their only job; give them sufficient time to complete the task.
- Escalate- You’ve set a date for returning the updated Plan – and set content expectations. If the deadline is missed, or the content inadequate: First notify your superior (and copy the miscreant). Provide a ‘grace period’. If they miss that data, then also notify their superior.
You may not win every battle, but neither did Hannibal, Napoleon nor Eisenhower. A BC Manager’s job is to constantly improve the ability to respond to adversity. Even small steps count.