Five Common Mistakes Made in Business Continuity Management
Imagine an unexpected disruption to your company’s business activities. It could be a fire destroying a warehouse filled with inventory, an IT incident that compromises the network, or being flu season, picture a flu epidemic that takes 20 percent of your workforce offline.
Every minute business operations slow or stop costs the company money. That’s why organizations employ business continuity management (BCM). BCM is defined as the planning and preparation to ensure the company overcomes serious incidents or disasters and resumes normal operations within a reasonably short period.
Companies consult their BCM plans for any number of reasons, including natural disasters, severe IT incidents, vendor mishaps, even cases of employees committing fraud or embezzlement. However, accessing the plan isn’t the time to discover the plan’s shortcomings. It’s better to get it right during the development process.
Read on to learn the five common mistakes made with business continuity management.
The BCM plan collects dust
The BCM plan was created in a flurry of activity, documented in a three-ringer binder, and filed away on a shelf that’s rarely if ever visited.
That’s a mistake because BCM plans involve people, procedures, and scenarios that change over time. People change roles or leave the organization. Procedures update and often because of new technology. Scenarios frequently change with mergers and acquisitions.
Whether your plan lives on paper or in the cloud, it needs continuous review and updating. In the event of a major incident or disaster, your BCM plan must be current and the go-to resource for guidance.
The BCM plans and teams are never put to the test
BCM plans are developed and updated regularly based on new information and changes. However, the plan and the people involved in carrying it out are never put to the test. If an adverse event occurs, team members are placed in high-pressure situations without scenario training. Lack of testing also means missing out on learnings to create a better plan.
It’s a mistake to use an untested BCM plan. Many organizations use tabletop exercises that bring together participants to discuss their roles in an emergency for one or more scenarios. It’s best practice to test your BCM plan every six months or at least annually.
The BCM plan is managed by one person
There’s nothing wrong with having a point person for a BCM plan. It’s a better idea to have a diverse group of people across the company to account for everything. It’s a mistake to empower one person who lacks visibility into the risks and processes across the organization.
A better approach is to form a BCM team that encompasses multiple departments and functions. A cross-functional team brings a company-wide perspective to BCM planning. Diverse views help address issues and contribute to a better BCM plan.
The BCM plan fails to account for third parties
BCM plans cover scenarios involving IT security, weather calamities, and other possible adverse events, but plans often miss scenarios involving third parties. Case in point: the medical supply chain disruption in Puerto Rico in 2017 when hospitals could not source IV bags due to a concentration of manufacturers on the island. BCM plans that don’t account for third parties are less effective in helping the organization recover. That’s a mistake to avoid.
In BCM planning, take time to deliberate among team members the business-critical activities that involve third parties. Look for what could bring operations to a standstill and account for it in your scenario planning.
The BCM plan doesn’t consult risk management
Many BC examples start as unidentified risks that go untreated to become adverse events or incidents. For example, Ransomware can knock out critical computer systems at city governments, which interrupt operations and endanger public services like 911. Reputation risk can come into play if an incident occurs that’s publicly damaging and spreads socially. It may not knock out critical systems, but it can still slow operations and hurt the bottom line.
One of the biggest mistakes made by BCM teams is a failure to engage risk management during the plan development process. By identifying major risks that could turn into adverse events and disasters, you can proactively include them in your plans and tabletop exercises.
BCM is as vital to your organization as the strategic plan for achieving objectives. BCM plans get your company back on its feet after a serious incident or disaster. Now that you know the top five common mistakes made with BCM, you’re ready to build a high-performance BCM plan.
Learn how the government shutdown affected business and the countermeasures needed to address the risk to remedy the situation.
Let’s continue helping the millions impacted by Hurricanes Harvey and Irma. Let’s also help business prepare for the next disaster with better BC/DR plans.
In case you missed the news story, Delta experienced a systems outage on Sunday, January 29. As a result, around 150 flights were canceled with many more delayed.