Is Our Business Continuity Program a Sham?
You test, you plan, and you document, but is your business continuity program a sham?
It’s a question a senior executive of a client recently asked me. Sadly, the answer to his question was a resounding “yes!” In many cases, we find that the pretty picture painted by the BCM team is not what it seems when you get up closer and pull the covers back.
Why are so many programs in this state? Well, here are 10 reasons:
- Measurement. There is no measurement of any kind to validate program compliance, residual risk, testing, etc. If you don’t measure it, you can’t manage it.
- Size/Complexity. The size and complexity of the organization is simply too much for the BCM Office.
- BCM Program Direction. The organization has no clue about what direction the program needs to take today, tomorrow – or next year, for that matter.
- Documentation vs. Execution. The focus is on documentation, documentation, and more documentation – not the ability to execute.
- Audit Focused. The goal is to get plans passed by the auditors and third parties. Only then – maybe – will they worry about whether or not the BCM program really works.
- Time. There isn’t enough time to exercise at the right level, so the focus is on doing the least time consuming and invasive testing, just to get by.
- Too Big To Fail. There is a belief that the organization is too big to fail and can’t possibly collapse – they have the money to write a check if something really goes bad, so don’t worry.
- Outsourcing. Critical systems and processes are outsourced, creating an impression that the risk has been transferred along with the work.
- Resources. The organization doesn’t have the right resources (people, time, money) to get the BCM program in place.
- ROI. There is no return on investment on the BCM program, so why bother?
Now, to be fair, we work with many BCM programs that are the complete opposite. They have taken this war head-on and make progress day in and day out.
When we all start building our programs, much of what we have is a hope and a prayer. But over time, that hope and a prayer should be augmented by the proven ability to execute.
As BCM practitioners, we all know where a business continuity program is propped up by air – where we hope that nothing happens. It is important that we continue to work intelligently and decisively to build a BCM program that is “sham-free” so we can execute effectively when the time comes.
Michael Herrera
Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.
