Almost every business continuity management program has gaps that are well-known to the BCM office but never addressed, usually because closing them would be hard. However, in many cases, tackling those BCM challenges is the best use you could make of your time and resources.
Related on MHA Consulting: The Most Important Part of Every Risk Mitigation Plan
Kicking the Can Down the Road
Our original plan for today’s blog was to talk about managing risk at financial institutions. But I’ve written a great deal about risk recently (see, for example, “The Risk Management Process: Manage Uncertainty, Then Repeat,” “The Most Important Part of Every Risk Mitigation Plan,” and “Know Your Gaps: Manage Residual Risk to Keep Your Company Safe”). Risk management is important (if you have not recently reviewed your organization’s risk, then I strongly recommend you read the blogs above and do so). However, I was ready for something new today and thought you might be also.
A related topic suggested itself based on some recent experiences I had with some of our consulting clients. It has to do with the importance of trying to close the significant gaps that exist in almost every BCM program. These BCM challenges tend to be the can that gets kicked down the road.
Significant and Persistent Gaps
Discussions of risk management typically start with the need to do an assessment of the internal and external risks facing the organization. This approach implies starting with a clean slate; however, very few organizations have one.
At most companies, the BCM office is well aware of a handful of significant gaps in their business continuity, IT disaster recovery, and crisis management planning that have been around for a long time.
These gaps tend to have two things in common. One is that closing them would be hard work, due to time constraints, budgetary restrictions, technical difficulties, and/or human-factor challenges. These are legitimately hard problems to solve.
The other is, solving these problems would often bring significant improvements to the organization’s resilience or risk reduction.
The Importance of Eating the Frog
It’s much easier to kick the can down the road on these issues—and to spend one’s time on easier activities—than it is to confront and solve them. But it is never wise to confuse effort with results.
If you want to fulfill your professional responsibilities, and make your program better and your company more secure, you should tackle these tough challenges.
In other words, you should eat the frog.
Productivity experts use the phrase eating the frog in talking about the benefits of doing the big, hard tasks first. Eating the frog might be distasteful, but once you’re done, the rest of the job is a cakewalk.
In BCM, eating the frog means closing the significant but difficult gap that you’ve known about for years instead of turning a blind eye to it.
Unlike fine wine, issues with your BCM program do not get better with age.
Examples of Common, Stubborn BCM Challenges
Every organization is different in terms of the persistent, significant problem that everyone knows about but no one takes on. What is it at your company?
Is it a case of a single point of failure (SPOF) that you have long been aware of and never addressed? There’s no time like the present to develop redundancy for that facility, piece of equipment, or person.
How about a situation where you know who the notorious clickers in your organization are—the people who routinely click on email links from unknown senders, increasing the risk the organization will be hit by a cyberattack? Now would be a great time to train those individuals out of their bad habits or potentially modify their responsibilities.
How about the fact that you’ve known for ages that your organization was vulnerable to a power outage, but you haven’t done anything about it because a generator would be costly or was initially thought to be unnecessary? (“We’ve never had a long power outage.”) You could put the matter on the back burner and turn your attention toward cranking out another BIA. But perhaps what you should do is start planning your campaign to get that generator.
Bringing Management On Board
If you do commit to tackling a stubborn, significant problem at your company, you might find that it takes away from the time you have to deal with such routine matters as updating recovery plans. You have to make an assessment about which activity would deliver the biggest benefits in terms of resilience. Very often, it is the tough, persistent issue you have been avoiding.
You might also need to get your leadership’s approval of the new approach. This is especially true if they expect you to accomplish a certain volume of work of a less-important type. Do they have an expectation that you will update all the recovery plans this quarter? Tackling a long-avoided but serious problem might make it so you can only get to half of the plans. You will need to explain to them why you think a shift in priorities is warranted. (This challenge in itself can be a frog you have to eat.)
If the longstanding problem you plan to address does indeed pose a significant risk to the organization, you will have reason on your side in making your case for a shift in priorities.
Biting the Bullet, Eating the Frog
Risk assessments, plan development, BIAs, and reporting are of fundamental importance to a sound BCM program. But the fact is, many organizations are weakened by serious gaps that are already well-known. Closing these gaps is typically very difficult. It also tends to be highly worthwhile.
When it comes to these kinds of problems, the conscientious BCM professional must overcome the natural human tendency to kick the can down the road. Instead, he or she should bite the bullet and eat the frog. Your BCM program will be better and your company more resilient as a result.
For more information on common BCM challenges, risk management, and other hot topics in BC and IT/disaster recovery, check out these recent posts from MHA Consulting and BCMMETRICS:
- The Risk Management Process: Manage Uncertainty, Then Repeat
- The Most Important Part of Every Risk Mitigation Plan
- Know Your Gaps: Manage Residual Risk to Keep Your Company Safe
- Checking It Twice: The Corporate Risk Mitigation Checklist
- A Sample Threat and Risk Assessment: The Case of Acme Widget Corp.
- The Top 7 Risk Mitigation Controls, in Order