Author: Manu Steens
In this post I write my own opinion, not that of any organization.
The weakness is the familiarity of the term ‘BCP’ (Business Continuity Plan).
Often, when I talk to colleagues about BCM assignments, I hear that they are tasked with ‘writing a BCP (Business Continuity Plan)’. This is a huge risk for the organization that issues such an order. The focus is, at the very least, incomplete.
Where’s the catch?
Because a CEO gives the assignment to create a BCP for his organization, there is a real chance that exactly that document will become the goal. The assignment is recorded as a project. One quickly hires a consultant to write that document, and afterwards one can submit it to audit, who ticks it off the list. And that causes problems.
What problems are there?
The outlined approach has several systematic risks due to not implementing a business continuity management process (BCMP).
First, one should know that the process is cyclical and consists of several process steps. Problems can then arise for each step that is skipped. According to Joop Franke, the steps are:
- Preliminary research
- Proposal BCMP Organisation
- Policy
- Realization of the BCMP organization
- BIA
- Risk Analysis
- Cost-Benefits
- Realization BCP and recovery plans
- Testing BCP
- BCMP Process Control
I now discuss the risks of omitting each of these steps.
Preliminary research
In the preliminary investigation, it is determined what kind of organization you are dealing with. This is important to know where in the organizational chart you should place the business continuity manager. If you do not know where he is optimally placed, he will not be able to perform his work properly. The BCMP (BCM Process) is then doomed to fail because it is not taken seriously.
Furthermore, the preliminary research determines how the organization is doing in terms of BCM. It determines, among other things, the sponsor. If this is not known, the BCMP has no right to exist.
In addition, it analyzes the stakeholders. If this analysis is not done, the BCMP will not give them proper attention. The BCMP then behaves as if the organization is in a vacuum. In the event of a crisis, the organization will not be able to count on them. Our own employees are also stakeholders. Without knowing their strengths and weaknesses, the BCMP will not be able to sharpen their skills in a targeted manner, preventing them from being used optimally during a crisis.
If the existing risk measures are not known, the BCMP may duplicate work, which amounts to a waste of man-hours and resources.
Without the thorough preliminary investigation, the risk appetite and capacity are also unknown. This means that the organization will not deal with risks in an appropriate way.
In addition, the applicable laws and regulations are important. If they are not thoroughly known and applied, the organization will make too many legal mistakes, and be plagued with lawsuits.
Finally, the prevailing BCM maturity must be estimated. If you do not do this, you will in fact not know what the growth poles of the BCM are and you risk standing still or getting stuck.
Proposal and realization BCMP Organization design
Without a thorough organization of the BCMP, there is uncertainty about the activities to be undertaken. The activities that one would know anyway will not have been assigned to employees. The necessary people, resources, coaching and training are then ad hoc or non-existent. As a result, there is a lot of waste, duplication of work and missing activities. How to work together is not defined and has no guidance. How to report, and who reports to whom, is neither determined nor known.
BCMP-relevant consultation structures have not been determined.
Policy
Without a policy approved by top management, there is no ‘legal basis’ to have a BCM operation, let alone that a BCP could be embedded in a structured BCMP.
BIA (Business Impact analysis)
Without BIA, the organization will have no idea of what it can potentially lose in a crisis where a process, building, or part of the workforce fails. Nor will it know what is needed, how much of it, and how quickly, to ensure the continuity of a service or an operational production. Those things are essential to a BCP. The company will have no idea which processes are the most important and why, nor which tools are the most important. It has no idea of the maximum tolerable downtime of each of the critical processes.
RA (Risk Analysis)
Without risk analysis, the company has no idea which causes can be linked to which consequences of which events. It cannot assess the threats and will miss many opportunities. This means it does not know its vulnerabilities, nor how large they are, and which threat is the most important because of which cause-effect combination. Without a risk universe, the company is rudderless in determining the threats in terms of operational and enterprise risk management.
Bottom line: the company has a problem identifying measures against the unprecedented risks.
Cost-Benefits
Without a cost-benefit analysis and without a ‘value on investment’ analysis of measures, the organization cannot determine which measures are useful and necessary. So it will very likely make too many investments, too few, or the wrong ones.
Realization BCP and recovery plans
By having a BCP made ‘out of the blue’, there is a very good chance that it will become a ‘unit sausage’ (one-size-fits-all) BCP. The chance that the BCP is relevant in all its facets when used by the organization is nil. We will work with the opinion of the consultant regarding the interpretation of the ‘reasonably most serious situation’. It is not necessarily relevant to the organization. The approach to that situation also largely depends on the improvisation of that consultant, because he has neither the time nor the assignment to set up a working BCMP. There will be no recovery plans as part of the BCP at all. At best, it includes several contact lists, which hopefully are complete and relevant to the company.
Testing BCP
Because the focus is on an ‘ad hoc BCP’, testing may not have been included in the order. If there were to be a test of the BCP, it would show that the plan is seriously deficient and should be ‘filed vertically’, that is, thrown in the bin. This leaves the company no further ahead than it was before outsourcing the assignment.
BCMP Process Control
Because the process is not created, there will be no continuous improvement of the continuity guarantee of the organization. Management will not improve in its ability to handle crises. In the hands of an alert auditor, the organization will receive an insufficient score.
Conclusion
It is pointless to order a BCP that cannot be embedded in a fully working BCMP. It’s money thrown away, so you had better not do it. By not embedding the BCP in a BCMP, one creates a false sense of security, so that everything goes right for a while, until it goes wrong. Then it will really go wrong. And not for a single reason, but for a multitude of reasons as I have outlined here. The reasons outlined may just be the lid on Pandora’s box.
Hi Manu
Great that you wrote this article. I regularly hear and read a request from organizations: “Wanted: an intern to create a BCP for us”. Often a deadline of 6 months is attached as well.
Incidentally, it is not possible to comment on the LinkedIn post.