Most businesses that claim to be prepared for the worst, are ready but only in the sense that they would do something different from normal, The essence of good continuity, however, is that everything is planned in advance down to the smallest detail such that there is no need to think when something goes wrong.
There are numerous reports on the actual percentage of companies who have plans and none of them make pleasant reading. The statistics run from 50 to 70 % that have no full plans and if we add ‘tested and current plans’ we would probably find that at least 80% of all European businesses are exposed.
There are sufficient regulatory texts in place and the catch-all of ‘due diligence’ so it cannot be that this situation is deliberate.
The key to business continuity management (BCM0 is simplicity combined with planning for keeping the key parts (not all parts) of the business running at service levels customers accept. This service level can be much less than customers contracted for if the right measures are taken in terms of communications. BCM should aim at doing as much pre-planning as possible for probable events and plan for alternative ways to continue in business rather than adopting a simple break/fix attitude. There is almost always an alternative – for example, if the invoicing application breaks down, it could be done by hand in some cases.
There are multiple reasons for this lack of detailed BCM planning so here are some, in no particular order:-
- Over-analysis of the business. Not every part of a business has the same importance but someone needs to decide what does matter. Traditionally this is done by the Business Impact Analysis – risk etc.
- Focusing on IT only. IT is clearly the basis of every business so it needs to be a core part of the equation but IT has managed to create an illusion that availability will solve everything even though this is demonstrably not true.
- Over-analysis of impacts and risks leads to paralysis and project plans lasting years - by which time the original project sponsors have changed and support may be lost. Multiple milestones and short term deliverables are the key to keeping attention and being seen to be of value to the organization.
- Financing BCM is always an issue and the traditional approach is to use big numbers of potential losses to justify doing something. This should be avoided since it is simply not credible. How many companies realize that they lose more money from the hundreds of small inefficiencies in everyday outages than they ever are likely to when the big disaster occurs? BCM wins when it is easy and improves overall business efficiency in a reasonable timeframe. I will scream the next time I see a presentation on BCM with either a burning building, or worse, reference to ‘9/11’.
- Let’s get certified to a standard. The kiss of death quite often. Standards cause as much damage as good. They are a reasonable checklist but none say how to actually do concrete things in a level of detail which is reasonable.
- It won’t happen to us. Yes, it will. The classic excuses are – it happened last year so it won’t happen again. If this were true then you could buy your car, wreck it and then drive uninsured for the next twenty years certain in the knowledge that you would not have another accident because you have already had your share.
- You only need this for disasters. A disaster is a very subjective concept so the use of the word within a continuity capability can lead to endless confusion and, worse, misunderstandings where one person thinks their disaster is covered and another does not. The worst problem with the use of ‘disaster’ is that it gives the impression that planning only needs to be done for these events and not for any other kind of outage. As a result, no money should be allocated to the others either. Some standards and a lot of the bodies of work on the subject of continuity planning imply that BCM is only for ‘serious’ events.