Bringing your business continuity plans to life
“No plan of battle ever survives first contact with the enemy.” Helmuth von Moltke, German military strategist.
Insert the words ‘business continuity plan’(BCP) and ‘real life incident’ into this quote and it would still hold true. In fact, not only do most business continuity plans not survive first contact with a real life incident, but many BCPs are not even looked at when an actual incident occurs.
I was recently facilitating the desktop simulation of a significant business disruption incident for a client in which the scenario was that their entire data network appeared to have been compromised. This was the once a year test of the business continuity plan; the organisation’s top team sat around the table and they had a hard copy of the plan in a grab bag in the room in which the exercise was taking place. As soon as the scenario was put to the team they leapt into action, securing their IT network, considering the impact on the business and making alternative arrangements. All very commendable, but it was not until almost three quarters of the way through the exercise that any of them actually picked up the BCP and looked at it.
That seems very strange, doesn’t it? Why go to all the trouble and expense of drawing up a business continuity plan, appointing a business continuity team, testing the plan on a regular basis, and then not actually using it, even in a simulation exercise, let alone in the white heat of a real incident?
Human decision making
Actually it is not strange, or even surprising, at all. The science of human decision-making (popularised by US psychologist Daniel Kahneman in his seminal book ‘Thinking, Fast and Slow’) teaches us that even in non-stressful situations human beings will make non-rational choices based on their intuitive responses to presenting situations. The effect is multiplied in situations of extreme pressure such as a catastrophic business disruption event.
Kahneman argues that human decision-making is often based on a set of intuitive mental short cuts (heuristics) that can lead us in the wrong direction. The so-called ‘availability’ heuristic is particularly relevant, being related to judgements about the probability of an event based on how easy it is to recall other similar events. So research shows that business continuity managers almost always overestimate the real likelihood of their business being the subject of a terrorist attack, because it is so easy to recall examples of actual terrorist events, such as the 9/11 attacks in New York.
A business continuity plan is critical
Given that a well thought out and well tested BCP is critical to the chances of an organisation surviving a major business disruption without fatal damage to its operations or reputation, what could be done to bring the plan to life in a real incident and persuade the business continuity team to intuitively turn to it and pick it up?
The most important thing you can do is to make your business continuity plan salient, so that it is more likely to be directly relevant to the incident at hand. The scenario put to my client represented one of the highest threats on their corporate risk register, but it was not specifically addressed in their BCP, so when the desktop incident kicked off they did not intuitively turn to the plan for help.
As with the heightened perception of terrorist events, there is often a significant disconnect between the potential disruptions that are expected and those that actually happen.
According to the Chartered Management Institute 2013 Business Continuity Management Survey, the top three perceived disruption threats amongst managers were loss of IT (63%), loss of access to site (53%) and loss of telecommunications (52%).
The same managers reported that actual disruption events they had experienced were extreme weather (54%), loss of people due to illness (42%) and loss of IT (40%).
Step-by-step to business continuity
This salience can be achieved through the following steps:
Step 1 – Be prepared to review and restructure your BCP, so that it is a living document which is easily accessible and useable in the chaotic few moments when your incident is launching.
Step 2 – Build up a wide-ranging library of possible business disruption scenarios relevant to your own organisation.
Step 3 – Break the business continuity plan down into a set of specific tasks, each with clear ‘how to’ instructions.
Step 4 – Provide a range of multi-media assets that can support the ‘how to’ implementation of your BC tasks, such as video and audio files, process maps and contact lists.
Step 5 – Customise the response to each of your scenarios by identifying the tasks necessary to respond to that particular disruption event.
Step 6 – Allocate each of those tasks to a nominated member of your BC team in advance.
“There cannot be a crisis next week. My schedule is already full.” Henry A Kissinger
Having gone through these steps, you should then put in place a regular programme of engaging with your business continuity team, to create what I call ‘Responsive People’.
By engaging with your team on a regular basis, making them aware of their responsibilities and keeping track of how quickly they respond to regular BC messages, you can identify and build a team of ‘Responsive People’ who will be primed to act, and intuitively refer to the plan, when a real business disruption event takes place.
Founder of Crises-Control