Throughout its history, the Business Continuity industry has maintained a steady focus on Preparedness – understanding the organization’s most critical business functions (both technological and operational) and development of Plans to respond to any disruption of those critical functions. That makes sense. How that can be accomplished has been refined and tweaked over time through various ‘standards’ and ‘best practices’. Those activities answer some basic questions:
- What do we need to protect?
- How will we prepare to respond to a disruption of those critical functions?
What has always been omitted in that analysis has been the third major question:
- How will we manage that response?
If you ask 20 BCM practitioners that question you will get a wide variety of answers:
- Our Crisis/Incident Management Team is responsible for managing it.
- We have an ICS program in place and have trained our response teams to use it.
- We’ve had disruptions before, so we know how to handle them.
- We have an Incident/Crisis Management Plan that takes care of it.
- Or, occasionally the question is met with a blank stare.
Most of those are very hopeful responses, but none of them actually answer the question. How will we manage the response? Not who, but how. When something disrupts your business (private or public) time is crucial. To react quickly, analyze the situation, implement an effective response, deploy the resources required to implement that response, and monitor the progress of that response effort (and the issues that will inevitably arise) all require access to various forms of information. Will you have access to that information? Let me make an analogy. Suppose you know you will need to get from Point A to Point B frequently. You decide to buy an airplane. I have one I’m willing to sell you. When you go to inspect it, here’s what you realize: there are no controls – no joystick, yoke, or rudder pedals – and no altimeter, compass, airspeed indicator or radio. Would you buy it? Of course not – because you couldn’t manage it, monitor your progress or communicate from within it. That’s the same crucial defect in most Business Continuity Management programs: no real capability to manage information or resources, no means to monitor the progress or needs of their response, and limited ability to communicate with responders and stakeholders. So why don’t most BCM programs have a real Incident Management capability? Usually for one of two simple reasons:
- They’ve never had a disruption of any great magnitude, so they don’t know what to expect – or what they’ll need.
- They simply believe it will never happen to them, so they choose not to spend the time, money or other resources needed to develop that capability.
Here’s one last question: why would you spend time, money and resources developing plans but not the capability to manage their response to a business disruption? (You wouldn’t have bought that airplane from me, would you?)