Most Risk Management and Business Continuity ‘experts’ concentrate on documentation, not on actual implementation.
There’s too much focus on ticking boxes to please auditors, too much paperwork, too much effort to maintain documents, too little implementation, too little buy-in, too little enthusiasm from staff, too little incident readiness, and too little enabling staff to think on their feet when ‘it hits the fan’…
It affects entire organisations. Senior management ends up with a false sense of security that everything is covered, that risk is managed well, and that staff are ready if a Business Continuity (BC) event were to occur. In reality, only a few individuals (e.g. Risk Managers, BC Co-ordinators) keep themselves familiar with the content of the plans and procedures, or, even worse, they are the only staff who even know a plan exists.
Other staff are too busy ‘helping the business make money’ and, unless an immediate trigger like a real disaster event occurs, they don’t even think about all the things that could go wrong. Often, Risk Management and Business Continuity Plans (BCPs) only get written or refreshed for audit or other compliance related purposes. And if staff can avoid being involved, they usually will. When a BC test is taking place they take a holiday or simply don’t turn up.
The problem actually starts much earlier than that. Operational Risk Management and BCP consultants tend to work in a solitary way, or mainly involve those in an organisation who already have a Risk Management related role. At best they may try to have a bit of dialogue with senior management and sell them some beautiful stories.
It is often challenging to get buy-in, time and attention from middle management and the general workforce who are busy ‘doing their job’. And that’s where the ball stops rolling in many Risk Management and BCM implementation projects.
The result is that mountains of documentation may get produced including cumbersome Business Impact Analysis (BIA) documents, Risk Assessments and BCPs, but these quickly get out of date. If a real incident occurs, most staff are uninformed and confused. They don’t know their role, what to do, what activities to prioritise, how they will be contacted, whom they should contact, who has the authority to give them instructions. They’re far from ready.
These problems stem from the following seven mistakes…
1. Top management, whilst aware of risk and the need to comply with relevant regulatory requirements, doesn’t commit sufficient time to actively lead middle management and general staff, and doesn’t commit sufficient resources to embed BCP in the organisation.
2. Only a Risk or BC Manager is fully aware of the plan and this person becomes a ‘single point of success’ without the broader workforce being ready at any time for an incident.
3. The Risk or BC Manager developing complicated BCP/Risk Assessment/BIA templates, sending them to business divisions, and expecting them to complete them without proper guidance. The divisions are often unclear about the purpose of these documents, which results in low quality information being captured and eventually creating resistance to revisiting/maintaining the information.
4. The BCP is built as a large document, which is centrally managed by the Risk/BC Manager, not regularly maintained, and impractical in real incidents because relevant content is difficult to find. Version control (if any) is impeded by only one person being able to edit the latest version at a time. And when internal systems are down, the document can’t be retrieved as it sits on the system that is now unavailable.
5. Broader staff awareness is low or non-existent, in particular amongst those who don’t have a BC role but who may think they do, thereby wasting space at alternate working locations or using recovery provisions intended for others.
6. Disaster tests being timed inconveniently, generally boring and having a ‘pass/fail’ flavour, causing participants to try to look good in front of management rather than trying to find areas of the plan that need improving.
7. BCP involvement being seen as a ‘nice to do’ addition to their role, falling in the same bucket as fire wardens, causing those involved to constantly prioritise their daily work at the expense of Business Continuity tasks.
I have seen clients spend hundreds of thousands of dollars on consultants, only to find they still make these mistakes. The resulting problems recur every few years when the documents are out of date. Or sooner – and this is much worse – when a real-life incident occurs and the BCP and other controls don’t work or nobody knows how to activate them.
Equipped with a short, sharp, dependable BCP, your business will be able to respond effectively to a disruptive event, protecting its brand and reputation, meeting its corporate social responsibilities, and ensuring the needs of its staff, clients and stakeholders are met. To achieve this, senior management needs to commit to BCP ‘all the way’.
If you want your BCP to work when you need it most, contact us at www.businessasusual.net.au.
And if you’re keen on training, you can also have a look at our upcoming courses in Business Continuity, Risk, Information Security and Supply Chain Security Management (incl. ISO22301, ISO31000, ISO27001 & ISO28000 certification exams).
See here a follow-up article I wrote about the seven ways to make sure your disaster plan actually works.