Recently, after conducting yet another exercise where the participants were clearly finding the business continuity plans hard-going, it became clear that, often, people seem disinclined to actually use their plans. You would think that, in an unfamiliar situation, people would be grateful for any useful guidance, so maybe it’s the way the information is presented to them.
To see why plans can end up being hard to use, it is useful to start by looking at what a Business Continuity Plan is. In essence, a plan has four main uses:
1. To maintain a record of our Business Continuity (BC) processes;
2. As a repository for recovery objectives, requirements, time frames etc, collected during the BIA phase of our programme;
3. To ensure consistency of approach to business continuity;
4. To assist in coordinating our response to an incident.
It is clear that a BC plan isn’t a homogeneous whole; rather, it’s a collection of elements, many of which have entirely different purposes and are, therefore, likely to be entirely different in format and approach. The trouble is that all the good practice guidelines and standards tell you that you must have a policy, version control, distribution lists, glossaries, organisation charts, incident management processes etc., and so many people think that each individual plan module must have all of these elements. However, as discussed above, if you are an operational recovery (Bronze) team leader, do you care about this stuff when you are trying to manage the immediate response of your business function to a major incident?
Obviously, somewhere in our body of BC documentation, we need all the things mentioned above, but we may be making the mistake of trying to be all things to all people in every individual document. Throw into the mix the fact that, in many organizations, the plans are created and maintained by the central BC function, whose principal interest is, naturally, in the administrative detail, and it’s hardly surprising that the person responsible for recovering a critical business function often has to search for the information he or she needs immediately following an incident, at which point he or she is likely to give up on the plan.
What should drive the content of any particular part of a plan is: who is the audience for this, and what do they need to do with it? Obviously, the requirements of the plan administrator and those of the recovery team leader are not alike and are unlikely to lend themselves to the same style or format, and there’s no reason why they should. The Incident Management Team doesn’t need the detailed actions for all the business teams, or vice versa; they simply need to understand how and where their actions fit together. Practitioners all emphasise in scenario exercises and training programmes that, following an incident, people are likely to be stressed, disorientated, confused and operating at a level far below their norm, so surely at that point we should only be presenting them with information that is strictly relevant, in a simple, easy-to-understand format.
So what are the top tips for what should be in a business continuity plan?
- A BCM Code of Practice with the policy, roles and responsibilities, maintenance and testing schedules etc.
- An Incident Management Plan which takes you from the incident point through the escalation process to invocation of the BC plans and briefing team leaders
- An overview section showing how the response / recovery process works and how all the elements fit together
- Individual modules for each recovery team, including the management / coordinating team and support teams, containing team-specific recovery information, team objectives, resources, contacts etc
- A Plan Control Appendix containing the glossaries, change history, distribution list, consolidated resource requirements and any other common or centrally-maintained information
You will have noted that there’s nothing new in any of this. This is what should be in plans that exist to be used, rather than the ones that just exist to satisfy an audit / corporate governance / regulatory requirement.
D Cockram is the Managing Director at Steelhenge Consulting, offering businesses around the world crisis management solutions [http://www.steelhenge.co.uk/services/crisis-management] in preparation for an emergency or disaster. Steelhenge offers emergency planning training courses [http://www.steelhenge.co.uk/emergency-management-training-courses] as well as consultancy and training offers.