When you first tackle business continuity (BC) and disaster recovery (DR) planning, you may not have all the details and resources you need. Because of that, you may begin your program with assumptions about operational impact and plan effectiveness.
While less mature plans may have these assumptions, more established and resilient plans should test those assumptions for validation. This is crucial to develop a more mature BC program over time.
For the 75% of organizations that have invoked their business continuity plans in the past five years, one of the top lessons learned was that their plans had far too many built in assumptions.
So what are some common assumptions made in business continuity planning?
Here are 7 examples that can derail your plans and how you can mitigate them:
Assuming team members know their roles and everyone will help during a crisis
Many organizations fail to cross-train multiple people for critical roles. You can’t assume because you’ve written a good plan and designated roles that when a disaster or major disruption occurs, key team members will be able to respond and function as planned.
What if a disaster cuts off key employees from your location? What if the person is sick or has a family emergency? What if that person leaves your organization and a new team member hasn’t been educated on what to do?
Never rely on a single point of contact or a single point of knowledge for critical roles within your program. Always cross-train. Frequently review and update your plans as team members come and go or change jobs within your company.
Always have trained, informed back-ups available to step in to close gaps. When you conduct your routine plan reviews, tests or simulations, make sure those backups are fully involved. Train them so they are just as capable of completing requirements as your main point of contact.
Thinking you have a perfect communication strategy
Business continuity communication strategies are complex. From team member awareness and training, to stakeholder buy-in, to emergency notifications and public awareness, never assume a one-plan-fits-all approach will work for communication.
Start working on employee communication as soon as a new member joins your team. Throughout the year, conduct awareness campaigns to keep everyone in the loop about your BC and DR plans, their roles, and changes or improvements.
Do the same with your executive leadership team and key stakeholders early on. They can be important in helping to spread your corporate message and build a business continuity culture throughout your organization.
Also, be sure to involve multiple departments in your planning, whenever your do reviews and tests, and always solicit team feedback, especially from the people most directly affected by your plans.
Believing your employees know what to do when they get an emergency alert
Crisis planning comes with a lot of emphasis on criticality and because of that, it’s easy to assume your employees are listening and they know exactly what to do if they receive an emergency notification.
Like BC awareness, separate emergency notification system (ENS) awareness campaigns are important.
Don’t assume every employee will receive a notification just because you send it. Maybe someone’s phone was shut off or maybe someone doesn’t have wireless data or an internet connection. Have you made sure you’re delivering notifications across multiple communication channels?
Don’t assume every employee will read a notification as soon as you send it, no matter how well-crafted and bold your alert messaging is. And because of the prevalence of phishing and other related scams, you can’t assume they’ll know an alert you sent is real or from your organization.
Never fall asleep when it comes to the value of ENS awareness. Communicate often. Send examples. Get your employees to engage back with your system to see who receives and understands your messaging. Test, test, and retest your ENS before a crisis.
Hoping your plans will work exactly as expected
When you bring together team members from throughout your organization and invest time into careful planning, it can be easy to assume your plans will work as expected, especially if those plans haven’t failed or gone awry during testing and simulations.
An all’s-well-that-works-well assumption can be detrimental. Most organizations that have dealt with real disruptions will tell you something always surfaces that wasn’t considered or something expected to function properly did not. Here are a few examples of how BC plans can fail, so never assume they are fail-proof.
Implement success metrics and routinely score and analyze your program to help guide your plan updates and revisions as needed.
Your business is always changing and evolving, so remember you need a BC program that is scalable and flexible, too.
Believing you’ve addressed all critical infrastructure issues
Critical infrastructure issues and response are important for BC and DR plans. Maybe you have back-up generators for your operations during an extended outage. You’ve probably invested significantly in hardware to keep your team online and connected, but what about the impact of critical infrastructure disruptions outside of your organization?
What if your entire area has no water supply? Can your employees use the restroom on-site or wash their hands? What if the main roads to get to work are closed or damaged?
What if your employees can work off-site, like at home, but their remote sites don’t have access to critical infrastructure?
These infrastructure oversights can prevent you from getting your operation up and running quickly. Don’t be caught off-guard. Plan for all possible infrastructure issues—not just on-site—and know how your team can adapt so you can mitigate any roadblocks to get operational again.
Not including IT into BC plans because they have their own tech plans
When it comes to BC and DR, it’s easy to assume your IT teams know exactly what to do if there is a crisis or disruption.
By nature, these teams are accustomed to roadblocks. Networks go down, servers fail, computers and phones suddenly stop working. Because of that, IT teams tend to be among the most flexible and dynamic within your organization. Most have data back-up plans and they know what to do to roll systems so your team can function with setbacks.
But because IT may be more focused on day-to-day functionality, you could set your BC program up for failure if you don’t include IT in your overall planning.
Talk to IT about their existing plans and processes. Work together to integrate those into your overall strategy. Because of the intimate knowledge your IT team has about your organization’s technology needs, they can be critical for success.
And don’t forget your third-party IT vendors. For example, if you’re using a SaaS product, apps, department-specific software, or eCommerce tools, you’ll want to ensure they have their own BC and DR recovery processes.
Misjudging the disaster scale or large an impact it will have
Not seeing the bigger picture when planning can have devastating effects on your operations. Let’s say, for example, you’ve never planned for an earthquake because you’ve never had one. A few earth-shaking tremors and you could wonder why you never considered it.
Or maybe you’ve planned for a hurricane for your location that’s on the coast, but didn’t have plans further inland where storm damage could be more widespread and damaging than expected.
Or maybe you planned for a power outage and recovery for one location, but what happens if all your locations lose power simultaneously. Are you prepared?
Never assume you can predict exactly how long a disruption will impact your organization or even its full financial scope. The old adage—hope for the best but prepare for the worst—should guide your expectations here.
So Long Assumptions
When it comes to ensuring you have a successful BC program, try to avoid assumptions altogether when you can, but if you have to make them, validate those assumptions as soon as you can. Replace assumptions with actionable data and information, and continually work toward increasing the overall resiliency and maturity of your BC program.
Do you need help evaluating your current BC program so you can work through assumption knowledge gaps? Visit our website or contact an Assurance certified business continuity professional today. We will be happy to help.
Topics: Business Continuity
Written by Assurance Software
Assurance Software takes your company’s enterprise-wide business continuity and resiliency program to the next level. With Assurance as your go-to partner for continuity and resilience, you can confidently mitigate risk, manage recovery, and safeguard your employees, customers, operations and brands.