The Other ‘D’ (Not Documentation)
- Published on October 22, 2012
- Written by ROB GIFFIN, CBCP, CISA
It is really easy to lose sight of the big picture. We spend so much time participating in meetings, writing emails, building relationships, and developing/improving/tracking documentation that sometimes we need to take a step back and think about our real purpose in the organizations where we work.
How do you judge the success of your preparedness effort? If you judge the success of your business continuity program by the number of plans updated or BIAs documented, you might need to think twice.
In many ways, it’s too easy to focus on documentation, meaning developing, reviewing, perfecting, and tracking the many documents produced by a business continuity program. I, too, can easily fall into the same trap. As a consultant, it’s easy to become laser-focused on deliverables and lose sight of the ultimate goal. But, in the end, we are all working to prepare the organization for an unexpected disruption. Don’t get me wrong. Documentation is a big part of that, but it shouldn’t be confused with the ultimate goal of establishing an appropriate level of preparedness.
That leads to the other “D” that is often overlooked, which is “DO.” As business continuity professionals, we absolutely need to get out of our offices and DO the work of preparing for the unexpected. What does that involve?
Often, it’s about asking the right questions. It involves engaging management regarding their thoughts on risk appetite, as well as their perceptions specific to the key risks facing the organization and what can be done about them. In business continuity, risk appetite is most often expressed as a set of executive-level statements on downtime tolerance or financial loss exposure. Of note, the completion of your BIA is often a great time to engage your management team on the findings and get their feedback about what is an acceptable amount of loss or downtime.
DO also requires a level of discussion deeper than asking if a plan is up-to-date. It’s important to ask questions and address topics such as:
- What has changed in your group since we last met, and what do you expect will change in the near-term?
- What concerns do you have about preparing for a disruptive event? Where do you see your group being vulnerable?
- What can I do to help your group become better prepared?
Addressing these questions and building capabilities that management is comfortable with (and that align with their risk appetite) is how business continuity professionals can add long-term value to an organization.
The other often overlooked aspect of DO is training members of the crisis management team in their response roles – beyond just doing exercises. The senior leaders that are responsible for running the crisis management team often have never been in that type of a role before. As a result, business continuity professionals have a significant opportunity to help make those leaders comfortable in their role and better prepared to be successful in exercises and during actual disruptive events.
The best opportunity for this type of training is typically right before an exercise, when you have their attention and they are motivated to look good during the exercise. This is your chance to prepare them mentally for the type of coordination and decision making that will make them successful during real events.
Many other DO opportunities exist as well: connecting with public sector responders and community response groups, integrating continuity into supplier management, and establishing detailed coordination and status reporting with the IT disaster recovery group. So when you start to feel yourself exclusively focused on documentation, remember that your job is to DO, not just document.
Robert Giffin, CBCP, CISA, is a co-founder and director of technology for Avalution Consulting, a firm specializing in business continuity consulting and software solutions.