7 Challenges to easily assess your BC Program

What are 7 Challenges to easily assess your BC Program? There are assessments of BCM that are virtually free, and others that cost a lot of money. The difference is in the preparation, in the level of detail and depth. The key question people often ask is “How do I know I’m ready if something serious happens to my organization?” That question is not terribly difficult to answer. However, much depends on whether you want to put yourself into an area that you are not fully familiar with. And where, consequently, you usually don’t feel comfortable. That is why it is always about a challenge, rather than just answering some questions. There is a very comprehensive list of questions available from Virtual Corp that can be used to assess in detail your organization’s maturity for BCM. But these are simply too many to begin with in an initial start-up.In this contribution, I express my own opinion, not that of any organization.
Author: Manu Steens

That’s why I have 7 challenges to assess your BC Program here. Each challenge has a question or two as an appetizer. Each time with a brief discussion.

Do you know what to do if you discover a fire? Or if there is flooding? Or a violent intruder? A power outage or a prolonged failure of computer systems?

This is basically a short list of events that can affect an organization’s personnel or resources. People come first in this regard. After all, they are the most valuable with their knowledge and skill, and it is they and only they who are capable of getting the organization back “up and running.” So you need a set of simple and clear procedures so that your people know exactly what to do about such an event. And they need to know this ahead of time, not after everything has happened. They need to know it and be able to do it. No one benefits from a perfect procedure that’s in a book somewhere that no one remembers lying around….

Do you know the worst risks to your organization? Have you implemented measures to reduce/dodge/relocate those risks or have you accepted them?

This challenge strongly links to previous point. The events you should be waking up to are those with high probability and high impact. It is therefore good to take a step back, away from your daily existence of “that doesn’t happen to us” and “business as usual” and think thoroughly about what risks are realistic in your industry, in your environment, with your people, in your political and economic climate… To do this, you can keep a list of problems you have faced in the past, how likely they are, how big their impact is and could have been. And also consider what you already did to reduce them. It depends on the type of risk whether you should take action on probability, impact or both. You can’t change the probability of an earthquake, but you can change the probability and impact of a fire or burglary. For example, with badge systems, locks, backups in another location….

Have you already determined the minimum and initial tasks you need to do for your organization to survive after a long and extended hiatus?

The problem here is that you can’t get everything back up and running at once. You have to decide which are your time-critical processes, which are your essential processes, which are your necessary processes and which are the useful ones. Here you can use the 6 FORCES model. Consultants know much more complex methods for setting your priorities. But for a small or medium-sized business, a way of working like 6 FORCES is very manageable. The goals are simple with that: which process is most important to you and why? Take some time to work out a custom way for yourself, find for yourself the right questions.

Once you have been able to list the time-critical processes, the idea is to list what you need to get these processes back up and running as quickly as possible. How many people, what people, what computer applications? How many laptops, and servers? A network? What documents on paper? What information on computer? Which facilities? How many workstations? Etc. etc. Then determine how you are going to accomplish this. Where will people work if they can’t just “at the office”? What about emergency housing? Where are you going to get the necessary equipment? If you know all that, you are already quite a bit on the right track.

Do you have formal Business continuity plans that you and your people know and can implement if something interrupts your organization’s resilience?

“Formal” means no more and no less than “documented.” The characteristic of a plan is that it exists only if you can be pass it on, and thus you have to write it down. If it is only a page or two, it is also not a real plan. Then it is an idea. You have to think hard about what steps you all want to do if something serious happens, and write that down. You will sometimes have to make tough decisions in the process. And then implement those. Implementing here often has the meaning of “purchase.” And you have to pay for that. So you have to think carefully about what you need as a minimum and whether that is sufficient support to continue providing a minimum service to the customer or to other organizations. And as such survive as an organization. So “minimally needed” and “sufficient to survive” are the key words here are

Is your valuable data safe and secure no matter what?

The key words here are “no matter what.” Keeping vital paper documents in an archive and your digital data on a backup in another room of the same building is simply insufficient. You have to use some parameters for that: is it in the same switch-off zone? Is it in the same geological zone? Is it in an area with the same water issues? The same weather conditions? You have to store them in such a way that another event cannot prevent you from using your data. And by that I mean digital data as well as data on paper.

Is your staff competent to respond quickly and efficiently? Did they trained for it?

This is already a little more difficult. You may have plans written, and they may be based on good analysis, and good judgment. But if your staff does not know what is in them, how can you require them to know what you expect of them when you need them? A perfect plan that is gathering dust in a closet, is of no use. So you need to start a training program for staff. As a BCM puller, assure yourself that they know the emergency procedures, and certainly that they know what to do when the evacuation alarm goes off. It is then too late to go through the procedures to learn how they can use them to save lives.

Have you practiced the plans with the staff to see if it works? To see if you are ready?

In English, there is a saying, “The proof of the pudding is in the eating.” The best way to train your staff is to execute the plans. Practice makes perfect. Therefore, you should implement the plans at least annually. With sandbox exercises, with evacuation drills, with ICT simulations … Let it last an hour or two at most. Or build a team-building session around it. Look critically to see if they know what to do. Assess their reactions and also decide if you need to update the plans.

Conclusion

If you can positively affirm all of these challenges with a “ticked off” on a checklist, then I think it’s fair to say that as an organization you are ready when something serious happens. If you couldn’t check off all of these, you have for yourself a nice list of actions to taken that you can focus on in the near future to be “ready.”

Manu Steens

Manu works at the Flemish Government in risk management and Business Continuity Management. On this website, he shares his own opinions regarding these and related fields.

Leave a Reply

Your email address will not be published. Required fields are marked *

Recent Posts