Search Our Blogs
A Business Continuity Planner’s New Year’s Resolution
The new year is often a time for making resolutions to improve personal health, productivity and wellbeing. Why not use that opportunity to make similar resolutions for your Business Continuity Management program? This year, make a pledge to keep your Business Continuity Plan trim, while still meeting Audit and Compliance requirements.
Business Continuity professionals often walk a fine line between perception and reality. The result is often a 3-inch thick ring binder with hundreds of pages of administrative documentation. Is it possible to kick the more-is-better habit and slim down those BCP’s from overweight to featherweight? It depends…
The Disaster Recovery Journal (DRJ) website recently included an intriguing article by Alex Fullick of Royal Bank of Canada. Entitled 12 Things NOT to Include in your BCM/DR Plan, the article championed the need to keep everything but action items out of a BC or DR Plan. He’d prefer that all the administrative information (overview, assumptions, distribution list, test results, etc.) be excluded from every plan – simply because they add no value to the purpose of the Plan: to respond to a business disruption.
I can agree with everything Alex espoused. But as I read the article, little voices in the back of my head were whispering a chorus of “Yes but’s”:
“Yes, but our internal auditors require that in every Plan”
“Yes, but our industry regulations say we must include that in our plans.”
“Yes, but BCM best practices say we should include that.”
“Yes, but my boss wants it in every plan.”
“Yes, but we’ve always written plans that way; if it isn’t harmful, I’m not changing it!”
These are all valid concerns (though possibly self-serving). In a previous BCM position, we were required to have a multi-part “Overview” at the beginning of every Plan. Knowing the information was useless for implementing the Plan, I put the Overview at the end of the Plan. The internal auditors wrote me up for it. My boss called attention to the audit write-up in my next performance review. Where do you think the Overview showed up from that point onward? Even though I knew it was administrative ‘fluff’. Other BCM practitioners face similar challenges: how to deal with Plan content that they know isn’t needed in the heat of battle – yet still comply with outside requirements?
There are several possible ways to create a slimmed down, highly focused Plan without going head to head with powers above your pay grade.
1) Put Administrative data in the Appendix or Addendum. Stack all that Administrative ‘fluff’ in an orderly manner at the end of the Plan – the very end – so it can simply be ignored and won’t get in the way of executing the Plan. Of course it may not be acceptable (see my previous example). Nor am I a big advocate of Appendices (see my earlier blog: Is that a Plan or a Book of Lists?). But am Appendix is a better alternative than a ‘fluffy’ front end.
2) Create two plans – the Administrative information Plan and the Action Plan. Merge them together (simply copy and paste in Word) for auditors and regulators, but use just the Action Plan for executing the Plan. OK, so you might have to futz a bit with the section numbering (Word is finicky about that), and creating a Table of Contents for the merged doc may be tricky – but it’s better than carrying around a 3 inch thick ring binder when all you really need is 30 pages of strategies, action items and checklists.
3) Buy software designed to manage BCM documentation. Create all the administrative ‘fluff’ you need but maintain a separation of the action plan. Table of contents? Automatic. Updates of contact information – automatic. Software can even automate updates of some or all of the administrative ‘fluff’ from a single central source. One of the many reasons BCM software can benefit an organization.
Like an exercise program combining weight training and cardio (where you’re more than likely to lose fat than bulk up) if you have dedicated business continuity software, you can have all the weight of the audit and compliance requirements, but at the time of an incident you can provide trim plans, containing only the necessary information needed by response and recovery teams.
You don’t even need to bother sending that Auditor a copy of the Plan – just give him or her Read Only access to the Plans online – and let the software keep track of what they’ve accessed!
Make a New Year’s resolution that benefits everybody : Give Recovery and Response Teams a Plan they can actually use – not a 5 kilo binder they’ll have to wade through just to find their action plan. Slimmer is better. And still meet your compliance and audit requirements.