Sometimes I think there really are Parallel Universes. There’s the one where someone creates a Disaster Recovery or Business Continuity Plan that no one else is allowed to see; and then there’s the universe I live in – where everyone who might need to participate in the execution of my Business Continuity Plan has a copy.
I’ve never truly understood the need for secrecy in Business Continuity Management. In my first brush with Disaster Recovery (back in the early 90’s), everyone who needed one got a numbered copy of the DR Plan. You had to sign for it, and surrender it when it was updated, or your position changed. I always wondered why. Yes there was some proprietary corporate information in there; it was all about restoring the mainframe. This was before wide use of the Internet – when the mainframe might have been attached to a LAN (local area network), but not The Web. So making dastardly use of the DR Plan would require breaking into the building, and then into the computer room (with its own mystical access system). Why we had to sign for copies I’ll never know.
But that was more than 20 years ago. Why do some organizations (or at least some individuals in them) feel that a Business Continuity Plan or a Disaster Recovery Plan is so Top Secret that only one person should have a copy? I’m not talking about one isolated, paranoid person. This happens much more than you’d think (or at least a lot more than I ever expected).
Keeping the contents of a Business Continuity Plan a secret is a prescription for failure. If only one person has a copy, Murphy’s Law will dictate that they are absent when the plan is needed. And that’ s only one pitfall of a closely-guarded Plan. Why does this happen?
When customer account information, corporate financial information, IP addresses, License keys, access codes, passwords and other sensitive data is contained in a Business Continuity Plan, security should certainly be of concern. When security turns to secrecy, that’s paranoia.
Then of course there’s politics. He who has the goods rules the game. If I’m the only one with a copy of the Business Continuity Plan, I hold the fate of the organization – or my Business Process – in my hands. I have power! As long as we never have to execute the Plan, I can bask in my power. I suppose this is just another form of paranoia, but then, I’m in Business Continuity Management, not psychology.
The point is this: Unless those who will need to participate in the execution of the Plan have a copy in advance, they will have not familiarity with their responsibilities. Without that familiarity any attempt to execute the Plan is likely to fail.
So what’s the solution? Rather than hide the Plan, because of its sensitive content – organize it better. Put the sensitive information in an Appendix or Addendum (or a single Procedure) and give that portion only to those who truly need to know and can be trusted with its sensitivity.
If you expect a Plan to succeed when called upon, the participants must know what is expected of them. They must have an opportunity to practice. And they must have easy access. If the boss has the only copy and is on vacation, he or she may return to a ruined organization. Or find they no longer have a job.
Related blog:
Is that a Business Continuity Plan – or a Book of Lists?
