Is That a Plan Update – or a New Cover Page?

What can you do when Business Continuity Plan owners fail to update their Plans?

I previously discussed why some organizations struggle – or simply neglect – to update their BIA data.  A BIA can be like a Platypus (an Australian mammal – part duck/beaver/reptile – that lays eggs).  Designed by a committee, a BIA may have so many components its purpose is no longer clear.  It takes so long to complete –and often with great difficulty – that people spend more time avoiding it than completing it.  Over time, that top-heavy BIA survey/questionnaire topples under its own weight.  I get that.  I’ve long been an advocate of short, targeted BIA’s (see this earlier blog).  But when the BIA doesn’t get updated, it’s a short path to Business Continuity Plans not being updated.

Sure, you update the Call Tree (especially in Plans so old they still use Call Trees – and we’ve got a blog on that too).  Does the Plan ever really get updated?  If the annual ‘test’ is always the same, it’s a simple task to sleep walk through that exercise without ever considering whether the Plan retains any real value or validity.  It reminds me of a friend whose father always told him he’d be leaving his children a million dollar insurance policy.  When Dad finally died, the siblings found the policy; and discovered Dad had stopped paying the premiums years ago.  Yes, he left them a Million Dollar Insurance Policy – but it was only paper.

There are plenty of excuses why a Business Continuity Plan (BCP) hasn’t been updated: no time, no resources, no priority, etc.  Sometimes the problem is more perception than reality.  Most BCP owners don’t have full-time Business Continuity responsibility; many only have responsibility for ‘owning’ a Plan (not maintaining it).  Their budgets don’t account for maintaining that Plan – so their priorities don’t either.

Their decision to avoid updating is really a Risk Management function:

  • The Process/Function/Plan ‘owner’ understands the risk (“If we have a problem and my Plan fails, I might lose my job.”).
  • Of the 4 options available to deal with the risk (Avoid, Mitigate, Transfer, Accept) there are only two valid choices: update the Plan (Mitigate) or not (Accept).
  • It then becomes a matter or deciding whether a disruption is likely.  It’s a guess, but we all guess about things every day.
  • For some, that equation is influenced by their belief that – as long as there’s an up-to-date Contact list – experience and leadership will make up for the lack of a valid Plan.

If the Business Continuity Management program is driven from the top down (Championed at the Executive level and supported by each successive level of Management), there’s no way to avoid Plan updating.

If, as is often true, C-Suite support is elusive, and accompanied by lack of support among operational managers, Plan owners are more likely to seize their risk assessment opportunity and not bother to update their plans.

So what’s a Business Continuity Manager to do?

  1. Challenge – Start by conducting more interesting Plan Exercises.  If you run the same exercise every year, it’s easy to bluff one’s way through it.  Changing the ‘scenario’ each time makes it much harder – but not impossible – to fake one’s way through the exercise without current information.
  2. Record – Take notes during the Exercise.  If you see, hear or sense hesitation you might assume a need for correction, addition or change.  Upon completion of the Exercise, use your notes to question the Plan owner/recovery team regarding those possible issues.
  3. Follow-up – You can’t ‘shame’ someone into updating their plan (you can try, but the act may have unintended consequences).  But by requiring them to provide an updated Plan (including responses to your noted ‘issues’) by a certain date, you may spur them to action.  Just remember that this isn’t their only job; give them sufficient time to complete the task.
  4. Escalate- You’ve set a date for returning the updated Plan – and set content expectations.  If the deadline is missed, or the content inadequate:  First notify your superior (and copy the miscreant).  Provide a ‘grace period’.  If they miss that data, then also notify their superior.

You may not win every battle, but neither did Hannibal, Napoleon nor Eisenhower.  A BC Manager’s job is to constantly improve the ability to respond to adversity.  Even small steps count.

SHARE:
Jim Mitchell

Jim Mitchell

A frequent speaker at Business Continuity conferences, many of Jim Mitchell’s blogs can be found elsewhere on eBRP’s website and has published articles in DRJ, Continuity Insights and Continuity Central. Jim has more than 20 years of experience in Business Continuity; if you don’t agree with his opinions – he won’t be surprised.

Related Posts

A Toolkit to Build Enterprise Resiliency

A Toolkit to Build Enterprise Resil...

A well-rounded Enterprise Resiliency Toolkit (𝗧𝗼𝗼𝗹𝗸𝗶𝘁) would provide key tools…
Enterprise Resiliency: Navigating Through Disruptions

Enterprise Resiliency: Navigating T...

In today’s threat landscape, the ability of an organization to…
Orchestrating BC/DR Testing: Virtual – Emergency Operations Centers

Orchestrating BC/DR Testing: Virtua...

  Enhancing Planning and Logistics Management  Coordinating BC/DR tests involves…
Insights into creating a successful Disaster Recovery Test – Part 2: Preparation

Insights into creating a successful...

Insights into creating a successful Disaster Recovery exercise – Part 1: Objectives

Insights into creating a successful...

Aligning Cyber Incident Response Planning with Your BC/DR Program

Aligning Cyber Incident Response Pl...

Cyber disruptions – and their impact on both reputations and…
What Can You Do when your BCM software Relationship Falls Apart

What Can You Do when your BCM softw...

“This isn’t working.”  “I’ve changed.”  “I don’t see a future…
Aligning BC/DR to CSIRP Challenges

Aligning BC/DR to CSIRP Challenges

The immediate reaction to a cyber-security incident is the FUD…
Technology Modeling – the eBRP Way

Technology Modeling - the eBRP Way

Definition: Technology modeling is a point-in-time snapshot of an Enterprise’s…
eBIA – The eBRP Way

eBIA - The eBRP Way

Definition: A Business Impact Analysis (BIA) is the cornerstone of…