At a recent Business Continuity Management conference, one speaker spoke about his experiences and the theme: “the value in the BCM program”. He had worked at a retail supermarket chain that had a robust BCM program with both management buy-in and excellent business user participation. They had created Business Continuity, Disaster Recovery and Crisis Management plans and tested them frequently. Their BCM culture was very solid, with widespread internal awareness of the Business Continuity program.
Then they had an operational disruption. The event impacted their distribution centre. Their Incident Management team was able to respond quickly & effectively, without ever informing or invoking the BCM team. The speaker was patting himself and his team on the back for having created a valuable BCM program. (Yet they never used his program’s plans.) He no longer works for that organization.
At another organization, during facility maintenance in their datacenter, welding near a sprinkler head triggered a total shutdown of the company’s IT services. Although well-tested Disaster Recovery plans existed, the recovery process did not reference them, nor were the Disaster Recovery coordinators asked to participate. The post-mortem analysis meeting became a turf war – but IT Management insisted that the incident was not a “disaster”, calling it instead an “incident” for which standard operating procedure applied.
Elsewhere, a power outage took down the datacenter of an Insurance company when their standby generator did not start due to faulty electrical controls. All IT Services were restored within 10-12 hours after power was restored to the datacenter. Yet the RTO for critical Applications was 2 hours. In that instance no Disaster Recovery plans or recovery teams were invoked and this event too was treated as an “incident” (despite the failure to meet Business RTOs).
What event constitutes a “Disaster”? When do Disaster Recovery Plans get invoked? When does the Recovery Time Objective clock start ticking?
The classification of an event as a disaster, requiring invocation of DR plans and their recovery teams, is a subjective decision at the discretion of Management – either IT Management or Senior Management (or both). Very often, and for a variety of reasons, Management prefers to treat less-than-catastrophic disruptions as operational incidents, leaving the BCM & DR teams (and their plans) out of the equation and the response.
Responders in a “disaster” event and responders to an “operational” event are often the same people. When a disruption occurs, where does their loyalty lie: to a Business Continuity manager or to their everyday operational managers? Regardless of what might be the most effective response, the decision is sometimes based on factors that don’t result in the most prudent response. Not declaring a ‘disaster’ may be perceived by Management as more important than recovering as quickly as possible.
Management’s perception of Business Continuity and Disaster Recovery plans as only for ‘smoke & rubble’ scenarios is the root of those turf wars. Those perceptions must change if BCM is to demonstrate value and relevance. There are simple ways the BCM program could achieve more traction:
Create awareness: First, Senior Management needs to understand that an IT Recovery Plan isn’t only for a smoke and rubble ‘disaster’ (unless, of course, that is the only scenario under which the plan will function). Plans should exist to deal with all disruptions, and teams should train for the responsibility to deal with multiple events. Unless Management is aware of the scope of the plan, they will be reluctant to invoke it. Senior Management must be frequently reminded of this capability (perhaps by involving members in tests and exercises). Generally, BCM awareness programs are targeted at downstream business users – but more of the awareness program should be focused upstream, targeting the Senior Managers.
Auditors as champions: Auditors usually have some oversight when it comes to the quality and scope of the Business Continuity and DR program. They should have concerns when Business Continuity and Disaster Recovery plans are ignored in response to major disruptions. They should be encouraged to express those concerns to Senior Management. BCM practitioners sometimes view Auditors as enemies. In truth, they can be comrades in arms – both working toward securing the company against vulnerabilities.
The squeaky wheel always gets the grease. BCM practitioners – especially those responsible for IT/DR planning – need to beat their drums more, and perhaps add a trumpet when advertising their program and its capabilities.
There are other factors that play roles in these Turf Wars. More about those factors in a future blog.