Keep It Simple, Stupid
Published on September 30, 2009
Written by KEN SCHROEDER
At the risk of being branded a heretic, I submit that there are times when we in the business continuity profession get in the way and become our own worst enemy. To see what I mean, look at a typical small business – say 50 employees or fewer. On top of this struggling enterprise, layer the business continuity tools, steps, and procedures we insist must be there for any successful program:
- Risk assessment
- Planning strategies
- Gap analysis
- Business continuity lifecycle
Let’s take a couple of minutes and apply some old-fashioned common sense to the issue.
First of all, in a typical small enterprise, business continuity probably evolves from a short blurb in a planning meeting where someone says, “Well, shouldn’t we have a business continuity plan?” following which everyone nods, delegates the task to some unsuspecting underling in their three-person IT shop, and then moves on to the next topic. Right or wrong, it happens, and we have to live with the reality of it.
Our stalwart, dedicated hero picks up the latest copy of DRJ, reads some article that applies second-order differential equations to a risk assessment model, throws up his hands in disgust, makes sure that IT makes backup tapes, and calls it a day.
What advice can we in the industry give our friend to make his job easier? I think we can really put some clarity in the process by asking, “What does he really need to know to get started?” Here’s my recommendation:
My mantra is: “Business continuity planning is simple!” When all is said and done, you only have to consider two lists of three:
List 1: Risk Assessment Process
1. What threats face us?
2. What risks do those threats impose on us?
3. What can we do to minimize (or eliminate) those risks?
List 2: The Planning Process: Ensure backups for:
1. People (Who backs up whom?)
2. Places (Where can they work if we lose our facility?)
3. Process (How can they operate if the primary process is unavailable?)
Is this an oversimplification?
Absolutely. But that’s the point.
As your grandfather admonished you, “Always remember the KISS (keep it simple, stupid) principle!” A typical small business doesn’t have the assets, resources, or time to throw at the business continuity problem the way larger companies demand, but that doesn’t mean it’s hopeless. My two lists of three are a great starting point.
The first list covers the threat/risk assessment portion of planning. Our hero doesn’t need to struggle with all the differentiation he reads about.
(Why, for example, does he need separate entries for blizzard and ice storm, or to note the difference between a disgruntled employee and a disgruntled customer, when “someone going postal” might suffice?)
Keep it simple. Focus on the risk, not the threat: Computer systems go down! Work interruption occurs! The building incurs damage! Staff are unavailable!
The mitigations are the same, regardless of the threat that imposes the risk. In fact, what advantage is there in listing 20 threats that all impose the same risk, except to make the list look longer to satisfy the auditors?
Organizing on risk leads directly to my second list, which covers the planning process. Every business function depends on three critical elements: people, places and processes. You have to provide backups for each of them. The proverbial farmer hand-milking the cow sits on a three-legged stool. If a leg breaks, he falls over and the entire process comes to a halt. Our job is to prevent that from happening.
Every person or team in the organization needs a backup. Maybe the backups aren’t fully proficient, but they are trained and exercised well enough to continue a minimum level of service for the duration of the crisis. (And no, reorganizing the names in the list doesn’t create a second list!) Publish the names in your plan. Don’t let it be enough for human resources to bury an entry in the personnel folder.
Every work location needs a backup. For whatever reason the facility becomes unavailable, staff need to know where they go to work – and that location needs to be ready to go. It doesn’t matter if the cause was flood, earthquake, hurricane, fire, or riots; the result is the same – staff must go somewhere to work.
Every process needs a backup. Keep the KISS principle at the fore here as well. Just because a primary process has a complex IT supporting process, it doesn’t necessarily mean that the backup must be IT based as well!
For example, following Katrina, financial institutions dispensed cash from black garbage sacks stored in the trunks of cars using folding tables set up in parking lots. The transactions were recorded on old-fashioned ledgers until IT systems were restored.
Was it elegant? No!
Did it work? Absolutely!
With backups for people, places, and process identified, published, and exercised, our intrepid small business is miles ahead of their competition, ready to face any adversity that might befall them. Have they developed a BIA, done a gap analysis, applied any statistical modeling to their risk assessment? Absolutely not!
However, they now have the foundations of a business continuity plan, and they can take care of these other details later. They’ve got a great start! And, after all, that is what we in the industry want them to have.
Ken Schroeder is vice president of business continuity for Southeast Corporate Federal Credit Union, and consults for Southeast’s member credit unions. He serves on the board of PPBI, and is a member of the DRJ Editorial Advisory Board. He is a retired Air Force rescue pilot and employment planner.