The Best Policy: The Core Element of a Good BCM Program Is Honesty

You can’t have a good business continuity management or BCM program without the core elements of BIAs, TRAs, recovery plans, and exercises, but it’s possible that the most important element of all is intellectual honesty. If you aren’t honest with yourself about your ability to achieve functional recovery, everything else you do might be nothing more than make-work.

A Frequently Asked Question

At MHA Consulting, we are often asked some version of the question: What are the core elements of a good BCM program?

A conventional answer is that the core elements of a BCM program are the following:

  • BCM governance to establish budgeting, reporting, documentation, and standards.
  • Business impact analyses (BIAs) to identify your most critical business processes.
  • Threat and risk assessments (TRAs) to identify the greatest risks to the organization.
  • Recovery plans that lay out what to do in the event of an outage affecting various processes and assets in the three primary areas of crisis management, business continuity, and disaster recovery.
  • Recovery exercises, in which the organization practices implementing its recovery plans.

This answer is valid as far as it goes; the problem is, it doesn’t go far enough.

In fact, there is a potentially large gap between having all of those things and having a functional business continuity program.

The problem lies with an issue that is not unique to business continuity, but which is regrettably common within it.

Confusing Effort with Accomplishment

The root of the problem is the tendency to confuse effort with accomplishment. 

In BCM this shows up in the common practice of touting the number of BIAs conducted or recovery plans written as if this is a meaningful measure of the solidity of the program. 

We often hear people say, “We did 100 BIAs!” or “We’ve written 50 recovery plans!”—the suggestion being that this shows they are functionally prepared for an event. 

But all this proves is that they have pushed a lot of paper, or moved a lot of megabytes. It doesn’t show anything about their true ability to recover their business processes in the event of an outage.

What’s missing here is a dose of realism—or, to put it another way, intellectual honesty.

Intellectual Honesty and BCM

Honesty in this context means looking at your efforts with a clear eye and assessing, truthfully and realistically, whether a given piece of work really has a bearing on your organization’s ability to achieve functional recovery.

The fact that you’ve done 100 BIAs doesn’t mean a thing by itself. It only helps you if you go on from there and make sure that, for the processes you’ve identified as critical, you would actually be able to recover them promptly if you suffered an outage.

The fact that you did a detailed TRA doesn’t mean anything unless you’ve mitigated or made plans to recover from the most likely and impactful threats you identified.

By themselves, BIAs and TRAs are just data, and data alone never recovered anything.

It doesn’t matter that you’ve written 50 plans if those plans are merely policy statements (full of talk about purposes, roles, and definitions) rather than actionable, checklist-type plans that have been proven to be sufficient to guide the organization’s employees through implementing a recovery.

Regarding recovery exercises, you can conduct an exercise every day of the year, but if you always conduct the same exercise—or your exercises are engineered so they can’t fail—then it doesn’t matter how many you conduct. The validation they provide of your ability to truly recover the business will be minimal.

Like Shopping for a Cell Phone

An example might make the issue clearer. The smartphone in your pocket or purse provides a good one. 

Imagine if, when you were shopping for your phone, the manufacturer tried to persuade you of how good it was by telling you how many meetings the design team held and how many thousands of pages of documents they produced while making it. You wouldn’t care. None of that matters to you as the end-user. What you care about is what it can do and how well and reliably it can do it. 

Your BCM program is—or should be—the same. The effort that goes into it is secondary. What matters is the results. Talking about how many BIAs you’ve conducted or plans you’ve written is the equivalent of the cell-phone maker talking about how many meetings they held in creating their latest phone. No one cares. It doesn’t matter. What matters is whether you can functionally recover the business in the event of an outage.

Shifting from a focus on work done to results achieved takes intellectual honesty. You have to avoid fooling yourself about what your efforts have accomplished and what your program can do. You have to learn to focus in a realistic, disciplined manner on the practical value of your efforts, not the volume of work done. 

This can be uncomfortable because it often shows that your program is not as far along as you think. But it is the only way to get it to the place you want it to be.

That’s why honesty is the best policy, and the core element of a functional BCM program.

A Difficult But Essential Commitment

In conventional terms, the core elements of a solid BCM program are governance, BIAs, TRAs, recovery plans, and recovery exercises. But the most important element of all might be intellectual honesty: the willingness to measure practical accomplishment rather than the volume of work performed. 

Making a commitment to being intellectually honest with yourself about your program’s capabilities can be difficult, but it is essential if you wish to ensure that you can functionally recover the organization in the event of an outage. 


About
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.