Skip navigation

Tag Archives: plans

I’m currently presenting the BCI’s 5 day Good Practice Guidelines course, and for the second time in 3 months have had one of the delegates express their concerns about the difficulties involved in keeping large numbers of BCPs up to date, and that a new approach to Business Continuity is required.

The concerns are twofold. Firstly, the administration and bureaucracy involved in keeping track of, updating, and distributing large numbers of BCPs to too time consuming and costly, but more importantly, the BCPs are not being kept up to date and are therefore not worth the paper that they’re written on. If the BCPs are not up to date, there’s no point in using them, so why don’t we all admit that the current approach isn’t working and look for another way that will work?

This “other way” might involve having a small number of BCPs addressing the recovery of an organization’s core infrastructure, with local managers being assumed to know what they need to do to recover their operations in the context of having this infrastructure available, and not having to write detailed BCPs that are never kept up to date.

Advertisements

I’m very pleased that I’ve managed to get my latest client, a small electronics company that actually decided by themselves to implement Business Continuity Management (BCM) rather than being told to, to think about the maximum scale of incident that it wants to plan to survive. Many organisations shy away from this issue, which makes it difficult when advising on safe separation distances for backups and recovery sites, but my client’s management team understands the issues and will be coming up with an answer.

I think that the factor that will determine the answer is the geographic spread of their staff. If there is some kind of natural or man made disaster that affects the homes and families of most of the staff then it is unlikely that they will want to come to work to help out their employer, particularly if their employer is asking them to work a significant distance from their families who may be evacuated.

If this is the case then we’re probably talking of their surviving an incident that has an effective radius of about 30km. Such an incident would take quite a catastrophic and unlikely event given that the client is nowhere near a nuclear or chemical facility, well away from the coast, and not in an earthquake zone or near an active volcano. The most likely wide spread event is a river flood, but that doesn’t usually last more than a few weeks in the UK.

The RBS systems failure should become a case study in Business Continuity, but I doubt that it will as the bank won’t want to advertise how it managed to not only get something seriously wrong, but how it took so long to fix and what it really cost. Every Business Continuity professional should be interested in this so that they can learn from any mistakes that were made, and see how Business Continuity Plans were used in response to a real disruption.

The first thing that I’m interested in though, is whether or not RBS activated its strategic level Business Continuity Plan, which may be known as an Incident or Crisis Management Plan. Presuming that RBS has such a plan, was it used, or did a group of senior executives just get together and decide what to do without reference to the plan?

Secondly, did the person who first identified that a software upgrade had gone wrong just try and fix it, or did they also escalate the issue up the management chain of command? If so, did it get to the top quickly, or did it stay hidden until the effect of the problem became widely known?

Being a UK taxpayer, I’m a shareholder in RBS. As a shareholder, I’d like RBS to undertake a thorough post incident review and publish the results so that we can all learn from what went wrong.

 

One of the more interesting ideas that has come out of the training course that I’m giving is to reduce the number of Business Continuity Plans, so making the whole process of developing and maintaining plans much simpler.

This idea was put forward by a large UK retailer that has realised that the current situation is just not in keeping with the company’s culture, is out of control, and will never deliver what was originally intended. The idea is to dramatically cut back on the number of plans and to get rid of the bureaucracy surrounding their development, maintenance, and the review process.

The sheer number of plans that need to be kept up to date is one of the many problems that Business Continuity Managers in large organisations face. If this can be overcome it will make their jobs much easier, and will probably result in having plans that are both up to date and known to work. Can it be achieved though? That’s the big question.

I’ve finally found time to update my company’s Business Continuity Plan. The current version is dated 24th February 2012, which means that it’s less than 6 months old. Congratulations are due, I’m updating it before the next scheduled review date. On second thoughts though, I should have updated it about a month ago when the company changed it’s bankers.

Now, if a company as small as Merrycon finds that its┬áBusiness Continuity Plan is out of date within three months, how much more likely it is that larger companies need to update their plans more frequently. In my experience, updating a plan once every three months is very unusual. Even every six months is not all that common, with once a year being more like the norm. An awful changes in a year, and this probably explains why so many people ignore their plan when they need to respond to an incident – they know that it’s out of date.