Most companies that underinvest in business continuity can give you a reason why they do so, but those reasons are almost always ill-founded. In today’s post, we’ll look at the most common rationales organizations give for skimping on BC—and show you the reality behind those same topics.
Related on MHA Consulting: Weighing the Danger: The Continuing Value of the Threat and Risk Assessment
In working as a business continuity consultant, I’ve had the opportunity to become familiar with companies that come from across the spectrum in terms of the level of their BC planning. This includes many organizations with stellar programs and also many that do not fully implement their BC plan or have no BC program at all.
The companies that skimp on BC are almost always very articulate in explaining why they think it’s not worthwhile for them to develop a robust BCM program. However, the reasons they give are almost always based on false assumptions and incomplete information.
Below, I’ll lay out some of the most common rationales that companies give to explain why they don’t develop a strong BCM program. Then for each, I’ll give the reality behind the issue they raise.
Before getting into the rationales, I’d like to say something about the attitude that underlies the following discussion. At MHA Consulting, our philosophy is not that every organization should spend a lot of time and money on every aspect of business continuity. It’s that every organization should understand the threats it faces and make informed decisions regarding what to do about them—whether it’s to live with the risk, outsource the risk, mitigate the threat, or something in-between.
The important thing is that responsible people at the organization inform themselves about risks and potential impacts and make conscious, reality-based decisions about them.
If there is one approach to BC that we are against it is the “ignorance is bliss” approach. This is the approach most likely to lead to unexpected, significant impacts of the type that can cause lasting damage to shareholders and even put companies out of business.
Here is our list of the rationales we most commonly hear from companies explaining why they don’t bother much about business continuity, followed by the reality of that same topic, giving a more informed and productive way of thinking about it.
Rationale: “Our company is prepared because we just did well in our continuity exercises.”
Reality: Exercises can give a false sense of preparedness and capability. Tests are often scoped to facilitate success. Areas or applications with known gaps are left off because they are being “worked,” or workarounds are used that are not really part of the plan. Often, exercises do not simulate real events, or assumptions are made such as, “everyone will have their laptops” when the reality is only half the people take their laptops home.
Rationale: “There’s no sense in planning for something that probably isn’t going to happen.”
Reality: It’s not safe to assume. You should at least conduct a threat and risk assessment (TRA). Maybe the TRA will validate your assumptions regarding the low risks to various components of your enterprise. It might also uncover other important gaps that you overlooked.
Rationale: “We took care of this years ago.”
Reality: Maintenance is more important than initial development. Having outdated strategies, documentation, and lack of capacity is not much better than having nothing at all.
Rationale: “We have good people.
If anything happens, they’ll be able to figure out what to do on the fly.”
Reality: Maybe, maybe not. Usually, it’s not a question of, can our people figure out what to do to get us through this mess? It’s a question of, can they figure it out in time, before significant impacts occur?
Rationale:“IT has it covered.”
Reality: Maybe they do and maybe they don’t. Business Continuity is more than IT/Disaster Recovery. It also includes emergency management and business functions. When IT does recovery planning, they tend to base their efforts on the squeaky-wheel information and on day-to-day availability, rather than on the company’s actual IT/Data Recovery and Business Continuity needs.
Rationale: “We’re in good shape. We have everything documented.”
Reality: Documentation is a necessary but not a sufficient component of a functional BC program. If you can’t keep the business functions running or recover your technology and applications, all the documentation in the world will not help you.
Rationale: “Our customers are great. If we have a problem, they’ll understand and cut us some slack.”
Reality: Your customers and clients might be wonderful, but unless your emergency also impacted them (if you were both hit by the same storm, for example), they are not likely to care very much about your event or be very patient while you sort it out. This goes double if they know that you knew about your vulnerability ahead of time and didn’t do anything about it.
Rationale: “Business continuity is too expensive.”
Reality: The primary requirement of a good BC program is not money. It’s realism. The key thing is to look at your risks and make informed decisions about what you’re going to do about them (even if this is simply to live with the risk). To get the most value for money, focus on addressing the threats that are both high probability and high impact.
Did you hear echoes in the above list of things that you or others at your organization have said in explaining a lack of interest in business continuity planning? Does our discussion of the reality of that issue introduce you to some new approaches you might be interested in trying?
It’s never too late to begin strengthening your organization’s BC program and offering better protection to your stakeholders and their dependents.
For more on this and other hot topics in business continuity and IT/disaster recovery, check out these recent blog posts from MHA Consulting and BCMMETRICS: