Why your Business Continuity Plan May Need Shaping Up

You completed your Business Continuity Plan about 18 months ago and tested it. Everyone was trained on the plan, relieved to have it done, and glad to find out that it could work. Since then, however, nobody has given business continuity planning another thought. Fortunately for your organization, there have been no incidents that required you to invoke it. But what would happen if the building flooded or burned, data was breached, or an active shooter got into the building? Would the plan still work? In all likelihood, it would not.

In any organization, a lot of changes can occur in 18 months. People leave, and new people know nothing about the plan. Systems change, risks evolve, and priorities change. So if a storm takes out your data center or communication center, what’s going to happen? Here’s a possible scenario...

An incident occurs, and the person or persons tasked with making the call to invoke the plan have left the organization. Everyone is looking to the people that took their places, but the new people were not assigned to those roles, and they don’t know anything about the plan. Someone on the original crisis team recognizes the problem and tries to step up into the role, but it’s been so long since the training that they’re not really sure what to do. In fact, they are not really sure how to access the plan or what to do if they could access it. They look to the C-Suite for some answers, but no one there is any help. Information about the problem is now coming to the CEO’s desk, but there is nobody who knows how to use it to help mitigate the situation. Chaos ensues. It only goes downhill from there.

Any organization would be lucky to recover from such a situation, never mind survive it. The very vehicle -- your Business Continuity Plan -- that was developed to avoid a disastrous outcome is nearly useless because nobody knows what to do, when to do it, and how to mitigate the risk or communicate properly. In the aftermath of this kind of disaster, you could suffer financially, but you would also suffer the loss of employee confidence. In addition, the organization’s reputation could be damaged, possibly beyond repair. It sounds like a nightmare, right? But there are things you can and should do to help ensure this outcome is only a nightmare and never becomes a reality.

1. Update, update, update...

Someone has to be in charge of keeping up with personnel. Did a key person leave the organization? Who’s going to assume their role? How will they be trained? Who is going to update this in the plan? And don’t forget that employees might have changed their cell numbers or email addresses; there has to be a way to capture that information in the plan as well.

2. Train, train, train...

Train new people as they are hired and train everyone at least once a year. At a minimum, new people should be informed that there is a plan and a crisis team. They should know how to access the plan, what their role would be (if any), and what to do if they identify a potential problem. All employees should get refresher training on the plan because if they don’t use it after a year, they probably won’t remember what they are supposed to do. Also, don’t forget the crisis team – they all need to refresh as well. It’s also a good idea for the C-Suite to be included in some training.

3. Revisit the risks...

Identify changes in the organization that may have exposed it to new or emerging risks. Data breaches, for example, have become increasingly likely in recent years. The current Coronavirus may have implications for the organization as well. Maybe you moved to a new building, and the building or its location may present new risks. If you do determine there are new risks, discussing how to mitigate them will be important.

4. Test the plan...

We can’t say enough about how important it is to test the plan. In a crisis, it is said that everyone’s IQ goes to zero. This can be overcome by training and testing regularly. When people know what to do and where to go, they are less likely to panic. This was the premise for all those fire drills we had in grammar school. If you haven’t run any kind of test in a while, it’s definitely time. As with training, testing should be done at least once a year if not more often. If you can’t do a full-scale test, tabletop tests also can work. It’s also a good idea to test parts of the plan with the people who are most affected by a particular part of the plan.

A Business Continuity Plan needs regular attention and maintenance. This requires putting someone in charge who can make sure all the required activities occur on a schedule that will ensure everyone knows what is going on and how to use the plan. Keeping your plan in shape will help ensure you survive your first crisis or disaster.


Copyright (C) 2020 Attainium Corp - All rights reserved.