Barry Varley, CEO of independent testing consultancy Acutest, highlights the two main problems that lead to business continuity plans failing.
Ask yourself this: would you like to reduce your risks of failure? Easy isn’t it? I think we can safely assume that virtually everyone answered yes to that. Now ask yourself: what am I going to do in order to reduce the risks? What have I done already?
There is a lot of difference between goals, intentions and actions, and nowhere is this more prevalent than in business continuity planning. Everyone agrees it’s a good thing - most businesses intend to do something about it - but a lot fewer actually address the issue effectively.
It would be fair to assume that those companies with business continuity plans are actively engaged in reducing their risk. The irony is that, for many of them, their goals are sometimes being undermined by the very activities that purport to deliver them.
Many businesses become complacent because they have a false sense of security built on the existence of their continuity plans. However, when the plans are invoked they fail unexpectedly. In a survey by AXA, only 42 percent of companies that had suffered a crisis in the past and had continuity plans in place said that they had been effective. Although many companies are looking hard at their business risks, they are not dealing with the potential risks in their business continuity planning with the same rigour.
The two main problems that lead to business continuity plans failing are:
* Building on incorrect assumptions
* Ineffective testing
It’s easy to make assumptions that are wrong. It can be because whatever it is seems so obvious that it doesn’t require checking. This comes down to risk focus, which we will explore further shortly. Wrong assumptions can also be because you see what you expect to see rather than what is there, and this can be more difficult to deal with.
To put assumptions into perspective, we have a number of quizzes on the Acutest website: http://www.acutest.co.uk/ooh.html. One of them is a simple sentence and you count the number of f’s that appear in it. Hundreds of people have done it and participants are asked to rate how confident they are that they have counted the f’s correctly, with 0% being no confidence and 100% being completely confident. The average level of confidence is over 80%. The number of people who actually get it right is approximately 20%.
The task appears to be ludicrously easy, but so many people fail because they read the sentence rather than read each letter. If an f sounds like a v (as in of) then it doesn’t register. You need to stop assuming that it is straightforward, take a step back and look at what’s really required. Or alternatively believe that 20% is an acceptable level of success!
The most common types of wrong assumptions are:
- Assuming you know something – and you don’t
After a problem occurs, it may seem obvious to restore critical IT systems before non-critical ones. But what if whoever rated the systems had assumed this was so and wasn’t aware that there was a non-critical system on which some of the critical systems depended? The knock-on effects of this assumption could waste valuable time and effort.
- Assuming that something is straightforward – but it’s complicated
In a disaster situation, telephone numbers will need to be diverted to another site. I know of companies that have assumed that this is a simple job that can be done immediately just by contacting the telephone company when a diversion is required. This is not necessarily true, and arrangements and a procedure need to be put in place before a problem arises.
- Assuming that someone else is doing something – and they are not
A common mistake made by companies is to assume that all staff know what to do in the case of a problem. Plans need to be circulated, or specific bulletins need to be provided, to all staff detailing what to do, not just to senior management. The same kind of assumption is made with suppliers. What happens if you’ve arranged to have PCs delivered to a disaster site and when they arrive you find there is no operating system (or the wrong operating system) installed? The supplier has assumed the company will load it themselves and the company has assumed the supplier will supply PCs complete with an operating system.
One way to reduce the problem of incorrect assumptions is to get someone from the outside to review your plan and assumptions. Challenging your plan in this way is not always comfortable, but it is a lot less risky than finding yours is one of the 58% of organisations whose plans fail when invoked.
Business continuity testing can be complex and this could explain why only 30% of companies actually test their plans. Many fear that it will be costly and difficult to do. Consequently, if you examine the testing activities that are carried out, you commonly find that time and money were spent on testing unimportant things, while a lot of more important, but more difficult, elements were neglected.
To remove the risk of ineffective testing you should first focus on what requires testing, and then on how you will test it. It must be in this order: don’t let the tail wag the dog.
To decide on what will be tested we use a technique which has proved effective in both structured software testing and less formal business process testing: the Acutest Grid.
The Acutest Grid is a 3 x 3 matrix for plotting risk. A risk is a likely incidence or problem that, if not mitigated and resolved, is likely to result in an issue having an impact on not only the business, but also the potential continuance of the organisation.
For each incident type we look at the likelihood of the incident happening and the impact of that incident should it occur. Each incident type can then be assigned a risk rating based upon these two factors. All incident types should be discussed and plotted.
Obviously test planning should start with the high likelihood and high impact: the top right-hand box. Typically, the next step is to continue to test all potential incidents that would have a high impact if they occurred.
However, this is not a universal rule. For this reason the strategy for any organisation must contain a proposed priority for mitigation, both before an incident and also to provide some form of mitigation during an incident, should one occur. It should also include any testing of the business continuity plan that should take place.
There are a host of techniques available to test plans ranging from a walk-through or scenario test to disaster recovery testing and full business continuity rehearsals. Choosing the right balance of techniques to use and effective ways to combine them is crucial: nobody wants to spend more than they need to on testing.
The top reason that people often don’t test something on the top right-hand side of the Acutest Grid is cost. We’ve found that many of the formal and informal techniques we use in other testing areas translate well into business continuity testing and help contain costs. Using a range of techniques can help balance cost and make sure your plans for dealing with high impact/high likelihood incidents are effective.
In one large corporation we recently reviewed we found that 76% of the testing effort lay in the bottom left four boxes. By freeing up the money spent on much of this testing we were able to test more of the serious concerns without increasing the testing budget. No prizes here for guessing if the business managers were happier with this change of focus: especially when a number of flaws in the high-risk areas of the plan were uncovered in the testing and redressed in the revised plan.
Once it’s in place and tested, it is important to revisit your business continuity plan regularly. The business environment, your organisation, the technology and the range of cost effective solutions available are constantly changing, and your plan will need reviewing to make sure it takes these changes into account. And remember when you are reviewing a plan you will need to challenge assumptions to ensure they are still correct. Again an external reviewer will help you avoid complacency here.
So in conclusion, if you do have a business continuity plan don’t diminish its effectiveness by building it on false assumptions or by failing to test whether the strategies you have in place will work as you hope. And if your organisation doesn’t have a plan, congratulations on reading this far.
For free, no obligation advice on creating or testing a business continuity plan call Acutest on 020 7917 2838 or email firstname.lastname@example.org
•Date: 20th October 2005 •Region: UK/World •Type: Article •Topic: BC testing