Staying Current: Why You Need to Keep Your BCM Plans Up to Date

Many organizations bring great energy to the job of creating new business continuity plans, then they put them on a shelf and allow the passage of time to make them obsolete. In today’s post, we’ll look at why you need to keep your plans up to date and how to go about doing it. 

 

 

How a Great BCM Plan Becomes a Doorstop

Lots of people like doing projects. It can be fun to create something new. In a lot of organizations, this impulse drives the creation of new business continuity plans. Or else a risk is identified or an audit is coming up, which compels the creation of new plans. There will be an initial kickoff phase: “I’m in the mood to do this, so let’s get cracking” or “We have to get this done before the audit,” and then they create the plans.  

Maybe they’re even good plans. Maybe they’re great.  

Then what happens, in all too many cases, is the plans get put in binders and put on a shelf—or saved on some shared storage location—and are forgotten about while the world and the business keep on changing. The structure of the organization changes. New functions and applications come in. New people arrive.  The threat landscape changes. 

But the plans don’t change. 

Let enough time pass and they stop being great. Let more pass and they stop being good.  

Let enough time pass, and they’re useless except as doorstops, or else no one remembers where they are stored. 

Sometimes even when people do make a gesture toward updating their plans, it really is only a gesture. They might fan through their binder, think, “Yup, looks good to me,” and change the date on the first page—then check “Update BCM Plan” off their to-do list until next year. 

The upshot of these habits is, if and when there’s an event, recovery will take longer than it should and be marred by mistakes, leading to greater impact on the organization.  

 

Doing BCM Plans is Not a Project

Obviously, your plans need to be updated regularly to do their job. And the whole process of BCM plan creation and maintenance needs to be thought of as an ongoing activity rather than a one-time project. 

Here’s what BCM plan creation and maintenance is not like: building a patio in your backyard, where once you do it it’s done. 

Here’s what it is like: flying an airliner, where every time you land, people’s lives are in your hands and you have to give the task your very best. 

 

A Distinction Without A Difference

Here’s the good news: If you have created a BCM plan then you have all the skills and knowledge needed to maintain one. Why? Because the steps are exactly the same. 

Maintaining the plan will almost certainly take less effort, but the steps are the same and the level of dedication should be the same. 

Just like with the risk management process, the plan development and maintenance process should be thought of as one ongoing activity that you go through over and over again, ideally on a yearly basis.  

This is the way to ensure your documentation is more than a doorstop. It will make sure it is current, functional, and actionable.

 

How to Develop-and Maintain-Your BCM Plans

For a detailed description of the steps needed to create a BCM plan—which as you now know are also the steps to maintain a BCM plan—have a look at this post from last year: “A Robust Business Continuity Plan in 20 Steps.” 

Here’s a bare-bones version of the procedure given in that post (with a few additions): 

  1. Communicate with management and gain their support. 
  1. Choose or identify who is responsible for the plan document.  
  1. Create an action items list to monitor and track progress.  
  1. Develop an understanding of your current state and your program requirements.  
  1. Determine your current technical and functional recovery capability and document any gaps.  
  1. Develop a mitigation plan for any technical or functional gaps.  
  1. Develop a recovery plan for each business unit.  
  1. Document the internal contact information.  
  1. Document the external contact information.  
  1. Develop a crisis management plan.
  1. Develop a crisis communication plan.  
  1. Verify your emergency notification capability. 
  1. Verify your status update capability.  
  1. Monitor the progress of the development of your BCM plan.  
  1. Develop an IT test plan and strategy. 
  1. Develop a business continuity test plan and strategy. 
  1. Perform regular mock disaster exercises for the crisis management and crisis communication plans.  
  1. Review and update the plans as developed so far.  
  1. Establish and use a common storage location for all documentation. 
  1. Develop a summary document of the recovery strategy.  
  1. Develop a schedule and criteria to keep the documents up to date.  

Again, these are the steps to follow to create a BCM plan. They are ALSO the steps you follow to maintain one. The only difference is, wherever the above instructions say “develop,” substitute the word “update.” 

Development and maintenance are the same process continued over and over on an ongoing basis.  

When we talk about creating a culture of continuity, this is the kind of thing we mean: getting in the habit of making plan updating a regular and respected part of your BCM life. 

 

Plan Maintenance and a Culture of Continuity

Many organizations do a great job of creating BCM plans but drop the ball when it comes to maintenance. Plans that are not subject to thoughtful, regular review can become obsolete quickly, rendering them of limited use in case of an event. It’s vital that your organization keep its BCM plans up to date. Fortunately, if you know how to create a BCM plan you know how to maintain one because the process is exactly the same.  

Strive to make the ongoing plan development and updating process part of your organization’s culture. And every time you review a plan, give the task your best effort. As with landing an airline full of passengers, the hundredth time you do it counts as much as the first time for the people who are depending on you. 

 

Further Reading

For more information on BCM plans, BCM plan maintenance and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS: 

About
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.
corporate risk mitigationtabletop exercises