Many organizations engage in business continuity and disaster recovery planning; few organizations are prepared for a business interruption event or a disaster. There is a difference.
My wife is a terrific party planner. We just threw a birthday party for our youngest son who turned eleven years old this past Sunday. My wife “planned” his party weeks in advance, but, until we got the invitations sent, the supplies purchased, the house cleaned, the balloons and decorations put up, the gifts wrapped and the cake baked, we were not “prepared” for the party.
The Allied Forces “planned” the D-Day Invasion months in advance; but, until they recruited for, trained, transported the forces and equipment to where they were needed, ran simulations, drills and practices, monitored the weather, performed reconnaissance, set up Command Centers and established communications channels and protocol, they were not “prepared” for the invasion.
Simply going through the motions of creating Business Continuity and Disaster Recovery Plans does not necessarily mean your organization is prepared to respond to, operate through or recover from a business interruption event or disaster. There are many organizations who have followed the standard and accepted business continuity planning methodology, resulting in numerous, well-documented plans, that are NOT prepared for a disaster. How can this be? Here are some contributing factors that can result in that kind of dichotomy:
Invalid Planning Assumptions. Almost every plan written includes a list of planning assumptions in the Introduction or Overview sections. Many times these “assumptions” are really planning requirements, caveats or downright erroneous assumptions that invalidate the plans and continuity strategies in place.
- A plan might include the assumption that employees are trained and have copies of the plans in their homes. This should not be a plan assumption; this should be a program requirement. This requirement is auditable and should be tracked. Your plan should not “assume” this to be true; your program should “ensure” that this is true.
- A plan that utilizes a work from home solution might include the assumption that employees routinely take their laptops home with them every night. Again this is an example of a program requirement, not a plan assumption. If your business continuity solution relies on corporate assets, such as laptops, being available in certain employee’s homes at time of a disaster, you need to ensure that these assets are there when needed.
- Sometimes, plans “assume” that the disaster impacts only the facility that the plan is written for. In cases when the continuity or recovery strategies rely on alternate sites (or employees working from home) that share a common footprint of known risks and threats in the area; that may not be a plausible assumption. In these cases, it is important that management know “what” they are prepared for. For example, management might be told that you are prepared for a building outage but not a wide-area outage caused by an earthquake or flood or hurricane. This could be important information to know if you are in an earthquake, flood or hurricane zone.
- Many plans include the “assumption” that the strategies and technologies the plan relies upon are available, functional and usable at time of need. Many times, management reads this “assumption” as a “given” when, in fact, these solutions are yet to be implemented, contracted for or proven reliable.
When assessing an organization’s level of preparedness, plan assumptions should not be glossed over nor should they be accepted as being “givens” or truths. If the viability of your plan is dependent on these assumptions being true, you must have policies and procedures in place to ensure these conditions exists and protocols in place to measure the level to which they are being met.
Dependencies That Can’t Be Depended Upon. In a related situation, some plans include a list of dependencies that the plan’s execution relies upon. Sometimes, the reliability of these dependencies are also listed in the plan’s assumptions.
- The successful execution of the strategies outlined in the plan might be dependent upon external, single-source suppliers (of services, information or raw material) remaining operational. If these organizations are also at risk of being impacted by the same business interruption event, this might not be a reliable requirement. You should include the examination of these organizations’ recovery plans in your programs’ activities or eliminate this dependency as a single point of failure within your environment.
- Plans are often dependent on certain individuals or subject matter experts being available to participate in the recovery effort. “People” are often overlooked as single-points-of-failure. If the successful execution of your recovery solutions rely on one or more particular individuals being available to execute the plan, you are at risk of failure during events that impact the availability of your work-force. Many companies that have this dependency also state that their plans could be used during a Pandemic event – this is just one type of scenario that puts that dependency at grave risk.
- Many plans are also dependent on certain technologies and/or applications being accessible at time of an event. Sometimes, the recovery or continuity of these technologies and applications are within the scope of your plans and sometimes, they are not. In either case, whether or not this dependency can be relied upon is something that can and should be proven.
Failure to Socialize the Plans. Even companies with spectacular plans and solutions in place can be unprepared for the events they have planned for due to the lack of training and education of the people who must execute the plans. Well written plans and fully enabled solutions can fail to protect the organization from devastation if the people relied upon to execute those plans or utilize the solutions have not been trained in and practiced their roles for time of implementation.
None of Shakespeare’s plays would be successful if the actors were reading the scripts for the first time on the night of the opening performance. Documented plans should be treated like scripts; the lines should be memorized and rehearsed well before they are needed. If your organization is dependent on the documented plans at time of a disaster, then it is quite possible that you are not “prepared” to respond and recover.
Unreliable Testing Practices. And then there are companies that do routinely practice and rehearse for the event, but are still not “prepared” because of some unreliable testing practices that are commonly used.
Most business continuity and disaster recovery plans are designed to allow an organization to respond to and recover from an incident that occurs without warning demanding immediate response, yet, it takes them months to plan for a test.
If the advanced planning for a test is more than an exercise in scheduling resources, your organization may not be prepared for the real deal. Too often, the time needed to prepare for a test is used to create special back-ups; install or provision equipment; order supplies; coordinate resource availability; or a number of other logistical activities that require time to complete – none of which you will be able to do at time of a disaster that hits without warning.
If your organization plans its tests weeks or months in advanced, you need to scrutinize the actions being taken to prepare for the test and question whether or not that activity would be required at time of a real event.
And, too often, organizations execute these tests or rehearsals utilizing a small set of understudies and not the people who will engage at time of the real event (thus, not achieving the socialization mentioned above). This, too, is something that can be audited and tracked. Your program should identify anyone who has the potential of being engaged at time of an emergency response, continuity and/or recovery event and ensure that they are trained and routinely participate in recovery tests and exercises.
So, yes, there are many companies that “plan” for a business interruption event but are far from being “prepared” for a business interruption event. The ultimate goal is being “prepared”; do not allow yourself to be lulled into a false sense of security just because you have a “plan”.