Debunked: 9 Common Business Continuity Myths

Richard Long

As with most fields, business continuity has its fair share of beliefs that are commonly held but contrary to the truth. In today’s post, we’ll look at nine business continuity myths and then debunk them and spell out the hard facts about how things really are.

 

 

 

A couple of years ago I wrote a post called “5 Myths of Contemporary Crisis Management” that many people seemed to find worthwhile. In the same spirit, I thought that today I would write about myths in business continuity more generally.

 

Common Business Continuity Myths

I came up with nine beliefs about BC that are held by many people in the field but which are ripe for debunking—for the simple reason that they are not true.

Each of these myths is something I commonly hear when I’m working with my clients. Some of them come from underestimating the amount of work required to achieve true resiliency. Some of them come from overestimating it. Both kinds of mistake are damaging.

Have you ever expressed any of these beliefs? Is your BCM program based on any of them? If so, you might want to reconsider. Navigating through the world under the influence of false beliefs is like driving a car when you lack a clear perception of the surrounding roads and obstacles. It’s likely to result in a crash, damaging property, and harming others and yourself.

 

BC Myth No. 1: If you’ve survived one BC event, you’re ready for any event.

This myth has grown since the COVID-19 pandemic. Many companies who got through the first year of COVID in decent shape have become overly confident regarding their overall resiliency. They think that because they managed the pandemic reasonably well, they’re ready for anything. This is false. The pandemic is only one of many kinds of event that might impact your organization. As I’ve discussed previously, the COVID pandemic has basically been a relocation event, in terms of its impact on organizations. Just because you got through a relocation event doesn’t mean you’re ready for a reputational crisis, cyberattack, regional power outage, or shortage of human resources. These events would stress your organization in very different ways than COVID has. To assume that because you got through COVID, you’re ready for anything is like assuming that because you survived a few rounds of pro-am golf, you are ready to run a marathon or go fifteen rounds with the heavyweight champ.

 

BC Myth No. 2: If your documentation is good enough for the auditors, then it’s good enough for everyone.

Auditors and regulators strike fear into the hearts of everyone. They’re so hard to satisfy, it’s natural to assume that if the documentation is good enough for them, it must be good enough for your BC program. However, auditors and regulators look for different things than is needed in BC program documentation. Auditors and regulators are often satisfied with a summary description of your recovery strategy and reports that updates occur. Your program requires an actionable, detailed plan of that strategy. It’s similar to the difference between a schematic drawing of a building and the blueprints of that building. The latter has a lot more detail.

 

BC Myth No. 3: Real BC pros don’t need documentation.

Many companies managed to get through the first year of COVID without the benefit of BCM documentation. They were able to figure it out. This has led some people to the conclusion that real BC pros don’t need documentation. This is an example of people experiencing a lucky break and learning the wrong lesson from it. An equivalent in regular life would be if someone won an amount equivalent to their weekly salary in the lottery and decided to quit their job and make up the lost income by playing the lottery every week. If you made it through the pandemic or other crisis without having a written recovery plan, congratulations. Every company still needs an appropriate level of BCM documentation.

 

BC Myth No. 4: Your documentation must be idiot-proof.

Just as some people think they don’t need any BCM documentation, others think they need more than they really do. These people often err in assuming their plans need to be so detailed, they could be executed by someone who walks in off the street. It’s not so. Your plans should be written at an appropriate level of detail that they could be put into effect by someone knowledgeable in the field. This does not mean starting off with an explanation of what a widget is. It does mean including any necessary proprietary information, company-specific information, or configurations that a competent individual outside your organization would need to know to perform the recovery.

 

BC Myth No. 5: If you do it every day, you can do it in an emergency.

Just because you do it every day, it doesn’t mean you’ll be able to do it an emergency. A family doctor and an emergency room doctor are both physicians, but it takes special training to be an emergency room doctor. It’s the same with responding to outages in an organization. By definition, an emergency is when the everyday solutions don’t work. Actions that need to be executed may be different due to things like access issues, specific people’s needs, or outside influences. It is not normal day-to-day work. Workarounds for critical functions need to be established ahead of time, and people need to be trained to perform them.

 

BC Myth No. 6: You can always figure it out on the fly.

Many business leaders have high confidence in the ability of their staff to handle business continuity events on the fly. This is one of the most common reasons executives give for not wanting to invest time and resources in BC planning. And the fact is, in almost every case, those executives would be right—if time were not a factor. Most organizations are capable of eventually improvising workarounds and recovering their systems even in the absence of a good BCM program. However, time is a factor. The longer a process or application is down, the greater the impact on the organization. BCM planning and training save time, money, business relationships, and organizations. This is why the idea that “You can always figure it out on the fly” is a myth. If it takes you two weeks to improvise a solution to your company’s outage, you might find at the end of that time that you don’t have much of a company left. This is the reason we plan and train for business outages.

 

BC Myth No. 7: It’s easy to predict how long things will take.

Many BCM practitioners are confident in their ability to forecast how much time will be needed for various recovery phases. However, most people tend to overestimate their skill in this regard and to underestimate how much time will be needed. It is common for people to assume that the best-case scenario will come to pass and to conveniently forget about the worst-case scenario. Moreover, in estimating how much time an activity will take, most people fail to factor in the time it takes for the organization to come to decisions. This hidden step is frequently one of the most time-consuming.

 

BC Myth No. 8: If we can recover in a reasonable amount of time, we’re golden.

Maybe in the old days, recovering in a reasonable amount of time constituted adequate performance. That’s no longer the case. Within the past few years, we have become a society of immediate need. Certain functions cannot be down for an extended period. Some can’t ever be down. While it may be true that certain functions may only take hours or days to be fully available, in order for that to occur dependent technologies, people, or workarounds must be available before a temporary solution will be viable. When it comes to resiliency and recoverability, the bar is higher and the margin for error lower than ever. Few companies today can afford to take a leisurely approach to recover their processes and technology.

 

BC Myth No. 9: Everything must be available immediately.

This is the flip side to the previous myth. Some people wrongly assume that everything must be available all the time. It is enormously expensive to try to achieve this, and it is not necessary. Some functions need to be available immediately, most probably don’t. Ensure you understand what is actually needed both from a functional business need and any associated dependencies. The ideal is to understand the relative importance of your various functions and processes and provide the appropriate amount of protection for each.

 

The Firm Rock of Reality

Every field has its myths and business continuity is no different. The nine myths discussed and debunked above are the ones I have recently been encountering most often in my interactions with my clients. Do yourself and your organization a favor by learning to see through these myths. Basing your program on the firm rock of reality is the best way to ensure your company is ready for every eventuality.

 

Further Reading

For more information on BCM myths and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS:

About
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.
vulnerable vendorsIT/DR roles