How can you prove you have a solid Business Continuity Plan without revealing the confidential information inside?
A Business Continuity Plan is often prepared because somebody has asked to see it, either a client or an auditor.
The problem is that a properly prepared plan contains a lot of proprietary information.
What would you be comfortable releasing to vendors and clients to prove you have a solid Business Continuity Plan without disclosing confidential information?
Check out the video below for the options I suggested to my client who asked this question.
Feedback from the BCP Builder Community on LinkedIn:
An Executive Summary can be provided when commercially sensitive information prevents the full sharing of a Business Continuity Plan. As a procurement professional as well as a Business Continuity professional, I recommend that clients do not see your plan; nor are they competent to review it. This is what you should include in an Executive Summary:
- Designed solution
- Recovery Time Objective
- Minimum Business Continuity Objective
- Any flexible Service Level Agreement information
- Key points of the planning process
- Governance model
- Roles and responsibilities
Supply Chain Training
Clients need to get more intelligent in their tender processes and not simply ask for plans to tick a pre-qualification box. I have seen some woeful requests for information from organizations. If responded to, these requests would have taken a full-time role to answer. The requests often showed that those who made the request were fairly clueless about what they were asking for, and probably wouldn't have understood the answers anyway. Tick boxing is one of my pet hates; give me a good old-fashioned discussion any day.
- Business Continuity Institute 2-day Resilience in Supply Chain Course
- ISO/TS 22318 Supply Chain Business Continuity
ISO 22301 Certification
- Certification under ISO 22301 goes a long way to satisfying clients with regulatory obligations that the Business Continuity Plan is aligned with best practices.
- We always treated our plans as confidential and also as a competitive advantage. We used ISO 22301 accredited certification across the whole of our business (not just a select scope) and provided those who enquired (clients, insurers, regulators) with a standard written response and the certificate itself. This worked for us 99% of the time.
- Accreditation demonstrates a basic standard; I have seen a number of organizations pass such audits with the correct documentation. However, the quality of output has not been measured adequately, only compliance with the standard. So yes, use this as a gateway to receiving a tender, but due diligence on the reality that exists is more important when building resilience in your supply chain. Pre-qualification gateways are not sufficient alone. Due diligence should be followed by supplier relationship management. Anything you discover that is missing post-award can lead to contract variations later. So do your homework beforehand, not afterwards.
Policy and Statement
- I would question the need for any Business Continuity Plan to be released to a client/ business partner. Whilst I can appreciate this may form part of a due diligence process, the plan itself is pretty worthless to the requester unless they fully understand your working environment (which they won’t). It’s probably more appropriate to provide a copy of your policy or even a statement (posture setting) rather than a plan. This provides the client/ partner with a clearer understanding of how you conduct Business Continuity Management within your organization.
- Your plan contains confidential information and may provide your commercial edge, so it should not be shared. However, there are ways a plan can be provided if the client/ partner is absolutely insistent on receiving a copy. I created a light version of the plan, which allowed me to extract any commercially sensitive information from it whilst still maintaining the bulk/ essence of the plan. Whilst it may not be the full plan, it will provide the client/ partner with evidence that you have one and should satisfy their requirements from a due diligence perspective.
- I let them have a copy of the cover sheet and the table of contents, this usually suffices. I also ask our suppliers to do that if they are unhappy supplying a copy of their plan.
- The “Plan” itself is Company Confidential, but, I think you should be able to create other documentation you can share with your clients/ business partners that explain your “Program” and summarizes your strategies/solutions. They should not need all the confidential information included in a “Plan” to appreciate the completeness or effectiveness of your “Program”. You can show evidence of having Plans and evidence of effective tests/practices of solutions without giving away the sensitive information included in the Plans. I have worked hard on convincing employees that I will protect the private information I pleaded for them to include in a “Plan”. I would never invalidate their trust in me by sharing this information with others, outside of the program.
- It is true that your Business Continuity Planning will often contain company and personally sensitive data which the Senior Leadership team would be reluctant to release. The way I have seen this resolved is to have a pre-prepared pack available for clients or regulators which shows recent evidence of the intent, exercising and governance of an active continuity/ resilience programme, containing a dated covering letter signed off by the Chief Executive Officer.
- The above evidence can be further enhanced with a one-to-one or virtual meeting where you control the content shown directly to the client from the actual plans.
- You could offer to provide supervised access to your planning documents on your premises at a mutually convenient time.
If you want to increase your Organizational Resilience, start with preparing a Business Continuity Plan and check out BCP Builder’s Business Continuity Planning Templates.