Compliance – what should organizations calculate when it comes to Business Continuity Planning and Disaster Recovery?
Only focusing on calculating the number of Business Impact Analyses, Risk Assessments, testing, etc. completed over a period of time does not guarantee the effectiveness of your Business Continuity Management program.
Feedback from BCP Builder Community on LinkedIn:
Planning and Preparedness
- I think there is a difference between “Planning” and “Being Prepared”.
- Most of our metrics simply measure our standing in “Planning” or writing “Plans” but do not necessarily inform us on how well prepared we are.
- A better measurement is to record how well we responded to the things we plan for. I happen to think we do not need real events to measure this, but we can create exercises that simulate, close enough, what a real incident would be like and measure our response to that.
- Once again: not how many exercises we conducted, but how well we responded during those exercises. Our responses to simulated events should show a trend of getting better and better at executing our Plans.
- It is quite possible to have completed all your “Plans” and have gone through the whole “Planning” compliance process without adequately being prepared.
- Counting the numbers of Business Impact Analyses completed, when plans were last reviewed and updated and so on provides only minimum justification of actual preparedness or recovery capability. In fact, I would argue that this approach often provides a false sense of security/level of recoverability. We need to spend more time demonstrating improved preparedness over time, not increased volume of activity.
- There is a big difference in type and value of metrics that measure how busy the Business Continuity Management team has been versus how risk is being reduced, or how much resiliency has increased.
- Preparation includes having socialized the Plans and having conditioned the people to efficiently and effectively respond and engage our strategies and solutions. I am not sure I have seen a good Dashboard that reflects a true representation of an organization's level of preparedness. I would love to be able to plagiarize one when someone comes up with it.
More than Tick Box Compliance
- Quantity metrics encourage a tick-box compliant culture. Keep it real, manage quality outputs, and enjoy reductions either in incidents to begin with or in impacts over the duration of the incident. Measure these elements to avoid tick-boxing and the overuse of the phrases “unprecedented”, “unforeseeable” and “outside our planning assumptions”.
- Most media response teams train the use of those words habitually, together with instant estimates of the cost of impacts within less than 24 hours (“current estimates are…”). However, prior to the incident, during a Business Impact Analysis, organizations say it is too hard to estimate costs.
- For effective Business Continuity Management, all organizations must consider and factor in the physical, psychological and social needs of all staff.
If you want to increase your Organizational Resilience, start with preparing a Business Continuity Plan and check out BCP Builder’s Business Continuity Planning Templates.