|
Keith Pursall argues that paying
more attention to the people who business continuity plans are aimed
at will produce plans which are more effective in a crisis.
Business continuity plans are usually produced for a number of reasons
– to ensure the survival of the business, to meet regulatory
requirements, because the auditors say so etc. etc. Whatever the
reasons, the end result is a set of procedures and arrangements
geared to the successful recovery of the key business functions.
These are usually documented (with or without the use of software)
with a heavy emphasis on the IT systems required, external and internal
contacts, and any alternative accommodation arrangements.
However, one aspect that is frequently overlooked is ‘the
people factor’. In other words, those people who will have
to use the plans when faced with an actual disaster situation.
One of the problems is the word ‘plan’.
As soon as this is used, people start thinking of schedules, Gantt
charts etc, and more often than not, the business continuity project
proceeds from there through its various phases. Starting with a
risk analysis, it progresses through business impact review and
strategy selection to plan preparation and eventually to testing.
But what about dealing with the disaster itself? How is the crisis
going to be managed?
Before starting work on their plans business
continuity managers should always ask themselves the following questions:
* When will the plans be used?
* How will the plans be used?
* Who will use the plans?
Answering these three questions will test the
effectiveness of any plan and with it the organisation's ability
to cope with a crisis.
When will the plans be used?
By their very nature business continuity plans will be used at a
time of crisis; it is therefore important that they are designed
to be effective in such scenarios. These are situations where people
will be working in unfamiliar surroundings, experiencing all sorts
of difficulties and almost inevitably under great pressure. All
business continuity professionals should review their plans and
ask themselves whether they are the sort of documents people would
want to read in such traumatic circumstances. Or will they take
one look at what appear to be wordy and incomprehensible documents
and decide to ignore them altogether?
Because of the nature of the situation in which they will be used,
any plans should be easy to read and easy to understand; and they
should not be cluttered with any unnecessary information –
business impact reports, risk matrices, inter-departmental memos
etc.
How will the plans be used?
It is essential to think about how precisely the plans will be used.
Are the plans to provide step-by-step instructions to be followed
at the time of the disaster? Are they to be a source of comprehensive
reference material? Or are they merely a specification of what is
planned to happen, not to be used at the actual time? Or are they
a combination of some or all of these? How will people use them?
The answers to these questions will determine the type of plan that
is produced.
Ideally, business continuity plans should form
the solid basis for a successful recovery. In a disaster situation
everyone needs to know exactly what to do. This means that each
plan must be an ‘action document’ – providing
clear instructions to each person involved.
Who will use the plans?
Who is going to read the plans? Business continuity managers? Departmental
heads? IT specialists? Members of staff? Once again, the way in
which these questions are answered will determine the structure
and content of the plans. Too often plans are produced which try
to be everything to everyone – these are invariably doomed
to failure. It is impossible to produce a single document which
provides everyone with everything they need, whilst at the same
time remaining concise and easy to understand.
It is far better to produce documentation on
the ‘need to know’ principle. Different people will
need different information. In a disaster the chief executive's
role will be very different from that of the IT manager. So why
provide the chief executive with detailed technical information
he/she does not need or, conversely, the IT manager with policy
documents which will not be used?
Plans need to be modular and flexible to meet
these differing requirements – not monolithic, unwieldy and,
ultimately, not workable in a crisis situation. It takes a lot of
time and resources to produce workable business continuity plans;
therefore it must be worthwhile spending time on thinking about
when, how and by whom they will be used.
Back from the future
One way to ensure that your efforts are not wasted is to start with
the disaster itself and then work backwards. This can be achieved
by running training sessions based on a simulated disaster and focusing
the attendees' minds on the problems it causes. By starting with
the crisis, they are immediately faced with deciding what they need
to have in place to deal with it. This includes not only the procedures,
information and alternative arrangements, but also making sure that
the right people are in the right place at the right time! It is
no good having your salvage team as the first people on the scene
of the disaster, if the press and media are clamouring for a company
statement.
In a disaster situation so much depends upon
on how effectively people respond – how the chief executive
handles the media, how the human resources department deals with
staff problems and concerns, how the IT department recovers the
computer systems. All the various back-up arrangements and technical
solutions are important, but none of them will work without people.
Surely, therefore, it makes sense to ‘put people first’
on your list of business continuity priorities?
Keith Pursall is managing director of Alkemi
Limited.
•Date:
13th June 2003 •Region: Worldwide •Type:
Article •Topic: BC
- plan development
•Rate this article
or make a comment - click
here
|
