Use Google? Click the button to add Continuity Central news to your Google home page.
Get immediate news and information updates via our Twitter feed.
SUBMIT YOUR NEWS
To submit news stories to Continuity Central,
e-mail the editor.
Want an RSS newsfeed for your website? Click
Final survey results: How important are paper-based business continuity plans?
In a recent joint advisory issued by the US Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA) and the Commodity Futures Trading Commission’s (CFTC) Division of Swap Dealer and Intermediary Oversight it was recommended, among other things, that “firms should consider keeping their business continuity plans, contact lists and other necessary documents, procedures and manuals at the alternative site, ideally in paper form in the event that electronic files cannot be accessed.”
In response to the above, Continuity Central carried out a survey asking the question:“How important are paper-based business continuity plans?” Altogether 118 responses were received.
55.6 percent of respondents believe that paper based business continuity plans are essential; 24.8 percent say that they are ‘quite important’; and 19.7 percent say that they are ‘not important’.
There was some variation of opinion depending on the size of the respondent’s organization. 57.3 percent of business continuity professionals in large organizations see paper-based BCPs as essential; this drops to 42.9 percent in medium-sized organizations and 50 percent in small organizations. However, 63.6 percent of those in micro organizations say that paper-based BCPs are essential.
The survey asked respondents’ to explain their survey answer. The following responses were received. They have been spell-checked and edited to remove typos but otherwise are published verbatim:
Comments from those who said that paper based business continuity plans are essential
People need an action list to follow in times of crisis. The availability of such a list is key.
A basic assumption in business continuity planning must be that normal ICT is not available. Contact lists, key procedures (especially if they're complicated) must be available. This does not include action plans (unless complex), because key staff should be able to develop and execute appropriate action plans to address the specific situation, especially after they've participated in the business continuity planning process.
As backup in case electronic copies are unavailable. However conversely, electronic versions should also be used as backup to paper copies. Neither is "better" than the other on their own.
Can't always rely on technology.
Employees cannot always rely on electronic access. Also, hard-copies allow for sharing with others.
You never know where your respective management teams will be at TOD, and what effects the disaster will have on Internet access. Storage on an employee owned device is a security risk, and technology can fail. Paper plans are still essential as a contingency alongside the cloud.
Just in case we lose all IT, we need those plans in the first few hours.
Plans and their supporting information should be stored electronically and every effort made to keep them accessible, but a backup copy, stored offsite is a prudent additional step to ensure access.
If you need to activate your BCP there are special conditions for it. You should not depend on any kind of electronic data. If the device where the BCP is on fails, you have a double problem at a moment when you can't handle this extra problem. Maybe you don't meet the MTPD which is important in this time.
Need guaranteed availability of these Plans.
We are a BC consultancy and advocate the use of paper based versions as long as the necessary security procedures are strictly adhered to. Paper based BC plans would be for use when access to electronic versions is impossible (for whatever reason).
Hard-copies allow for teams to record issues (future Plan updates), track status, while reading and actually executing the Plan. This allows the PC/workstation to be free and uncluttered so to actually execute the steps of the Plan. Also hard-copies assure you have your call lists and steps if your infrastructure is not yet available.
Our company is in the casualty insurance business and is totally computer based. Our most common incident includes the loss of electricity (such as in Hurricane Sandy) No electricity - no computers - no business. Hence, paper copies of the BC plans as reference documents are very important.
If everything is held automatically and IT systems are down how are you going to know what your plan says?
Based on events like hurricanes and power outages you should have paper copies as a back up.
Loss of power may prevent access to BCPs, having paper copies available enables a response regardless of power loss - I would consider it foolish in the extreme to depend upon only an electronic version.
Reliance on a single method to access critical work around processes is insufficient.
Paper, USB Drive, it doesn't matter, as long as there is something accessible off of the network. The plans are only good if they can be used, and if they are inaccessible, they cannot be used.
While plans are available electronically, the paper copy of the plan is maintained by emergency responders, DR personnel and the Crisis Management Team as a backup to the intranet copy.
People still work best with paper somehow...
Given that electronic media could not be accessed and communication lines are not available it would be essential to have a paper copy.
Electronic records are invaluable, but paper becomes invincible once all power sources are down. Having your plan on a jump drive or laptop is helpful as most often you can charge your laptop in your automobile.
If the electronic version of the BCM plan documentation is not accessible (either because of network failure, major power failure, Internet access failure, etc.), need to have a "Plan B" for the essential documents, and paper is the most logical one. Event contacts listed on your Blackberry could not be accessible: it happened to me during an incident, as my Blackberry died on me! Good thing I always have my paper list with me as a backup!
It is entirely possible that electronic files will not be immediately accessible. Therefore a paper copy would be the only copy immediately available for use in responding to the incident.
Even though we live in an electronic age, we have to be aware that we are in some cases planning what to do if these systems are not available, therefore one of the contingencies would be to have a paper copy of the plan accessible, not only locally, but remotely.
It is elementary.
Electronic can be used as a back up. While paper is better for the main copy. Imagine if the electronic copy is not accessible on a local pc or on a SharePoint site. Paper is easier to read during a pressurised moment of crisis.
Useful in case Internet access and/or cloud storage temporarily available. Also useful when mobile and links might be slow.
Although we store electronic copies of BCPs and related documentation in our document management system, and we also back this up on multiple USBs and standalone laptops, we consider it essential to also have at least two copies of all BCPs stored onsite and offsite for ease of access and readability.
A paper based copy of BC plans located at the recovery site can be accessed immediately with no dependency on a network connection or PC, Laptop etc. Recovery can commence immediately. Also a paper based recovery procedure could possibly detail how any electronic recovery documentation is accessed.
Extremely important. If there is no paper based Plan copy you will encounter one IT incident where all IT services will be down for some time. Having all Your BC preparedness stuff besides you (not only BCPs developed, master plan (crisis management) principles, incident management principles and schema - are must have) - will be just enormously valuable.
There is always a possibility that technology may fail. Keeping a hard copy ensures it's availability at all times.
IT failure is the commonest cause of business disruption here. Also despite having laptops people rarely take them home so would not be able to access plans out of hours without a paper copy.
I have had first hand experience of power outages and having a hard or paper copy was essential in our ability to react and recover.
I have experienced an incident when access to shared drives and intranet was down for several hours and another when power was off. Paper BCPs were essential.
If systems are unavailable or bandwidth is taken up due to a wide area outage. A paper based plan is the only fallback.
They are required in case of a true ICT disaster making access to electronic plans near impossible.
Access to on-line plans is only via company desktop and laptop computers. The company has not issued iPads or iPhones to Managers/Staff, therefore, plan access has to be via paper copies in a BCP File.
If there is a real catastrophic event it could have influence on the web - the availability of the BCP. With the paper-based BCP at least basic information can be gained - without having access to electronic format. And if your BCP is in the "cloud" it could be lost forever....
I have had experiences where computer based programmes could not be accessed because there was no suitable trained personnel to work the system. On another occasion the computer based system 'broke down'. Paper plans can be accessed and understood by the majority of people. Businesses must guard against becoming 'slaves' to IT based systems just because they are there.
Power interruptions and failures can be a frequent occurrence in the winter / storm season. (We are also in earthquake country, which will most likely exacerbate the issue). Given the higher likelihood of power outages in our region, having paper copies available as back-up makes a great deal of sense.
There is too much of a dependency on technology which in essence are arranged like dominoes.
My experience is that you never have anything of high value in just one form or in one place.
Technology has it own limitations and having paper based plans as a back up option is the safest bet.
If the electronic tools fail,it is easy to use the hard copy of the BC Plans and other associated documents like call lists. We regularly update them in a battlebox which is version controlled and maintained offsite.
IT is one of the areas of a business most prone to failure. It is also reliant upon other "services" such as electricity supply and resilient back-ups, recovery plans, etc. A paper copy of the BCP ensures that it can be accessed anywhere anytime regardless of the availability of power, IT services, etc.
Cannot rely on the agency that supports IT to have it available during an incident-better to have hard-copy, available to reference, as work through crisis.
We have two folders containing key information. One held in our manned security office & the other with the BC manager. These are instantly available to initiate phone cascades call support contracts etc without having to find a pc to open the secure memory sticks or cloud-based versions.
In the event that IT systems are unavailable it is vital to have access to paper-based plans. This helps ensure Resilience of Business operations.
I have seen server outages and network outages that would not let you access online continuity plans. In the same light, I've experienced power outages that would not allow me to access plans on the hard drive of my laptop due to the internal battery being used up.
Due to the results of Hurricane Sandy (power failure for a significant period of time), relying on power to charge cell phones, fuel for personal vehicles etc, payphones and paper based backup systems may be all you have to maintain contact.
Can't rely 100% on other media types to be immediately available.
This is not a good survey - the question is incomplete and will lead to almost meaningless statistics. You must identify if this the ONLY source of the plan or not at the every least. Ideally the question should be phrased to include all other types of reference that may be available such as tablets, laptop, Internet etc.
Inaccessibility to non-paper BC plans could be caused by a number of factors eg. IT failure, power failure, denial of access (if remote working is not an option), N3 failure, telecoms failure etc. Having both paper and system based plans is the best as it provides resilience.
It is not appropriate to rely on electronic storage or devices to hold important recovery information.....it may not work or the device may not be charged up when you really need it.
We have experienced several incidents where power was not available to the majority of our employees (Hurricane Sandy): without paper plans our BC teams would not have access to the information needed for recovery efforts.
Very important to have digital Plans (not only static document ) but paper copy could be an easy backup of the plan, you can easily get it in case of emergency and follow step by step also while reaching backup site. No problem in case of loss of power, loss of Internet etc. One difficulty is to keep the last and updated version of the plan. The process to distribute updated printed and also digital copies is in any case essential.
It is intuitive and more efficient to refer to hard-copy during a crisis versus accessing it online.
Having various copies in all media formats are important. Paper copies at work, home, trunk of car including copies in the cloud, company server, etc.
Comments from those who said that paper based business continuity plans are quite important
You should have multiple copies of your BCP in different formats.
Only the contacts part of a plan needs to be on paper, and even that can be saved to a local drive on an iPad or laptop. Not essential to have large volumes of plans.
In a worse case situation, electronic information may not be as readily available as paper would.
Copies kept off-site or on phones or iPads.
Moving towards having BCP available at sites on tablets maintained by staff at site.
Access to checklists and contact details more important than the rest, although latter could be held on mobile phones.
It is important to have a summary of the planned recovery strategies, from a training perspective and of course regulations. However, the majority of the memory muscle comes from training, role playing sessions and workshops to discuss all aspects of a disaster impacting operations.
The importance of plans being available in paper is correlated to the criticality of the recovery of a function/ business process. If the reliance on ITDR is such that an electronic-only version of the recovery plan represents a risk, then paper copies should be available (or, some other option to the company IT systems, e.g, SaaS or cloud-based repositories).
It's hard to use electronic plans in some situations. I insist on a paper "golden hours" plan to cover the first 24 hours. I ensure electronic copies are stored on a different system that are obtainable via the Internet and at alternate sites. I also ensure all teams have copies of their own plans on designated laptops or USB as well as holding copies of all plans centrally. I rigorously audit this and insist exercises are performed using existing documentation.
Plans are available both electronically, locally stored on mobile devices read only (e.g Tablet and smartphone). Most individuals go to these at time of incident as they have the device on them / near them rather than a paper copy that is likely to be out of date and if they are lucky they might find it quickly - individuals are notorious for "filing" things in a safe place - so safe they cannot find it. There has to be a balance a mix between paper and electronic.
Despite there being a plethora of devices on which plans might be accessed these days, IT systems disruption, mains power outage or battery failure etc. remain a risk. A prudent planner should therefore still be encouraging plan owners to include hard copies in their armoury.
We currently don't have an adequate IT support solution to support incident management and as our plans have been changed from text books (150 pages long with more explanation than plan) to slim, concise guides, it is important that people with a role have their bit at least.
Reference to the continuity strategies and key roles and responsibilities is important to avoid confusion. I don't believe running from the paper plans like a script is viable, but having a place to start is important to overcome any initial reactionary approach.
The paper component of the plans should be a series of contact and check lists. Nothing too large!
Worst case your network is down, how do you access you ASP or SharePoint or ShareDrives?
All Business Unit heads have been asked to maintain a paper copy of their plans in an alternate secure location.
I agree that you should have paper copies but as the world moves into an advanced digital age I think it is also important to think how people are going to access the documents. It's the content that's important not how you view them.
Most places BCP & DR are separate activities and mostly both are exercised at comfortable prior notice. When everyone is aware of an exercise, there is little confusion and the required details are readily available with multiple people who are the designated coordinators. Things are different in a real time scenario - as in - when it happens, where it happens, who is there when it happens everything mostly would be different from the one which was practiced. During a critical situation, people do wonder if the sun rises in the east or west and often there are confusing challenges and this make life even more difficult and hence its far better to have a paper copy of the plans and protocols to be made available at alternate locations.
We are also asking the critical process owners to include written documentation of their processes in their plans.
Printed hard copy of initial response portion of the plans and contact lists. 2) Soft copy of initial response portion of the plans and contact lists on Blackberry 3) Replicated, version controlled full copies of plans on SharePoint infrastructure 4) full plan copies in PDF on portable USB drives -encrypted - just EOC group.
Alternatively contact details and task lists could be held on mobile devices. Oftentimes the plan development process is more important than the plan itself.
I see much of the value in plans being the work undertaken as part of the planning process. A paper plan is useful in the event IT systems fail, but there are other options to store key documentation that might be needed - cloud or perhaps (secure) USB stick used in a stand-alone computer/laptop.
BC Plans are stored electronically, but for managers/individuals it is important to have access to their copy during a crisis. Hurricane Sandy has taught us, amongst others, that access to the Internet (as an individual) might not be evident during disasters.
Based on the volume of info stored - moves are being made to store these electronically and available on smart phones.
Comments from those who said that paper based business continuity plans are not important
Plans are used to drill and test throughout the year such that you can execute once an event occurs.
Multiple electronic copy sources, auto updated.
Our contact details are stored with a 3rd party and we would use their system to send out emergency notifications to all staff. Staff have contact numbers stored on their mobile devises so team can talk to each other. What good is a plan anyway? We employ intelligent staff who know what their roles are and they are able to recover their urgent business processes without reference to a plan. (Although we all have them and we have a printed copy in two locations).
Multiple electronic versions on other machines such as smart phone or tablet, or electronic storage capability such as USB keys.
Digital format required with backup in a separate location.
It's not important if you can have it on a flash drive or a short form in a wallet card.
The plan is accessible via the Internet and if the Internet is down we have much bigger issues to deal with than accessing the BCP. Additionally the plan is located on an internal network drives that are replicated and available at the backup datacenter during a disaster.
Considerations surrounding "plan accessibility" have changed dramatically with the advent of small, cheap and reliable electronic storage devices that accomplish the purpose of a paper copy - and do the job better. Simply put: the choice is no longer between paper and a network server. There are other, better alternatives.
We provide a controlled copy of the BCP on our intranet and recommend that all managers and staff with a potential role in BC store a soft-copy on their laptops. When a new version is issued we then advise all to update by downloading the new version to their laptop. We also advise that that copy is only for cases where they do not have network access and should refer to the controlled copy on the network at all other times. When required, they can print off either copy. (They have the option to print off a copy anytime they see fit and a disclaimer on the front page reminds users that they should refer back to the latest controlled copy on the intranet).
The plans include significant technical and personal information that we update either monthly or quarterly. It is more important for the repository to be remote from any of our locations and always be accessible via the web.
I assume I can access plans in the cloud via a mobile device.
Multiple secure electronic copies and off site storage.
Tools used in the development and management of the plans, which are located outside the main center or as software as a service with a third party, and we can keep copies on various portable devices, tablet etc ...
Business continuity does not rely on plans and access to them -Yes, businesses need BCPs to assist them to know their business, and to know what actions to take in a crisis. For our business -a govt agency - it is more important that the managers and staff know their responsibilities and actions to take, than it is to read a plan (hard or soft copy) during a crisis. The plans require to be in existence, but should not be so complex of large that they need to be referred to during a crisis. Employees should have the knowledge and expectations to act appropriately in whatever event occurs. Clearly for some businesses, though, detailed plans would be required to correctly implement various technical responses etc.
Due to the high cost (both in time and resources) I have only limited copies of any plan in hard copy. With the availability of virtual storage solutions it is far easier to access material during an incident (and to be honest is more likely to be so as users will have greater access) using this capability. This does not completely kill off the need for hard copy but certainly reduces its importance.
In the current age of high technology, it would be a shame to depend on paper based back ups. Backups within Technology, for example, storing the plans in local drive in case network is down, could be options pursued but not paper.
All plans are available from a highly reputable crisis management system reachable over the Internet.
Key is effective planning and preparation – education and awareness, and competency and capability in response (flexibility and agility – right incident management people and recovery and restoration and resumption processes). Over focus on paper plans is likely to result in them containing 'Life, the Universe and Everything' – they become unwieldy and a distraction during an incident (people focus on what a plan says not what the situation requires – constrains thinking, inventiveness and is likely to make response extremely slow and risk averse – 'death' by deliberation etc. Paraphrasing Helmuth von Moltke the Elder: 'No plan survives contact with the enemy' – the enemy being a Significant Incident / Business Disruption. Effective paper plans (where required) should only contain what is not commonly known e.g. internal and external contacts (and even these will be held on portable devices), detailed technical specifications / procedural requirements etc. (which are likely to be replicated in paper or digital form at an alternate site).
I work for a governmental organisation, and it is pushing the electronic way of life. So though it is important to have a BCP, it is not necessary on paper, because everybody has a PC, can work from home, and we consider the testing with roleplays as very important, to teach management how to dog-fight.