You test, you plan, and you document, but is your business continuity program a sham?
It’s a question a senior executive of a client recently asked me. Sadly, the answer to his question was a resounding “yes!” In many cases, we find that the pretty picture painted by the BCM team is not what it seems when you get up closer and pull the covers back.
Why are so many programs in this state? Well, here are 10 reasons:
- Measurement. There is no measurement of any kind to validate program compliance, residual risk, testing, etc. If you don’t measure it, you can’t manage it.
- Size/Complexity. The size and complexity of the organization is simply too much for the BCM Office.
- BCM Program Direction. The organization has no clue about what direction the program needs to take today, tomorrow – or next year, for that matter.
- Documentation vs. Execution. The focus is on documentation, documentation, and more documentation – not the ability to execute.
- Audit Focused. The goal is to get plans passed by the auditors and third parties. Only then – maybe – will they worry about whether or not the BCM program really works.
- Time. There isn’t enough time to exercise at the right level, so the focus is on doing the least time consuming and invasive testing, just to get by.
- Too Big To Fail. There is a belief that the organization is too big to fail and can’t possibly collapse – they have the money to write a check if something really goes bad, so don’t worry.
- Outsourcing. Critical systems and processes are outsourced, creating an impression that the risk has been transferred along with the work.
- Resources. The organization doesn’t have the right resources (people, time, money) to get the BCM program in place.
- ROI. There is no return on investment on the BCM program, so why bother?
Now, to be fair, we work with many BCM programs that are the complete opposite. They have taken this war head-on and make progress day in and day out.
When we all start building our programs, much of what we have is a hope and a prayer. But over time, that hope and a prayer should be augmented by the proven ability to execute.
As BCM practitioners, we all know where a business continuity program is propped up by air – where we hope that nothing happens. It is important that we continue to work intelligently and decisively to build a BCM program that is “sham-free” so we can execute effectively when the time comes.