A logical question is, then why do it? If this is not the final truth, why propose it at all? That is a fair question, and my answer is twofold. First, it is important to for us in this field to be able to remind ourselves of what, essentially, business continuity and business continuity planning are all about. What are our most important principles and concepts? What are our limits, especially, what are some things we are not supposed to be and do? Having a concise set of guidelines serves to remind us of these things. We also face a very normal tendency to become bogged down in the technological, the arcane, and the finely detailed aspects of business continuity planning. These Ten Commandments can help us keep sight of the forest, even though we often must focus on the leaves on the trees.
There is a second, and equally compelling, reason for such a list. It enables us to express some important elements of what we do in a way that those outside of our field can understand. Jargon and techno-speak can be both bewildering and alienating to those outside of the business continuity planning profession. When you start talking to the uninitiated about BIA and RTO and RPO, or the difference between risk, threat, and vulnerability, you see their eyes start to glaze over. This list has no jargon or TLAs (three-letter acronyms) in it. If business continuity planning is ever going to make sense to many people, our explanation of it has to make sense as well. That means being able to convey the essentials in terms that anyone can understand.
Here, then, are my Ten Commandments of Business Continuity Planning.
I. Thou shalt recover what thou ownest. Translation: 'If you own it, you recover it.' Someone could easily ask, 'Well, what do I 'own'?' In business continuity terms, the answer is simple: What you own is what you do or provide on a daily basis. This commandment can be further broken down into two parts: 1) the owner of a process is responsible to recover it; 2) the owner of a resource is responsible to provide it. Within the business continuity universe, I like to modify the meaning of both 'process' and 'resource'. We speak of a department having one or more business functions. I use 'process' to refer to those functions that deal directly with the business' external customers. I use 'resource' to refer to those functions that deal with internal customers, i.e., other areas within the business. So whatever you supply to your customers on a daily basis, whether those customers are internal or external, is what you are responsible for recovering. Sometimes people look at Business Continuity Planning as supplier of things, sort of like a discount store. It is not continuity planning's job to 'supply things' needed for recovery. It is continuity planning's job to help the business unit have a plan which tells it how to get things needed for recovery.
II. Thou shalt have alternatives. Redundancy and diversity are critical. Have at least two different ways of doing anything. In a major disaster, only 1 out of the 3 people you count on may be available. Likewise, only 1 out of the 3 alternatives available may work at that time. When you document contact information, for example, listing a person's work phone number is a start; listing a pager and/or cell phone as well is much better; and including a home phone number is better still.
III. Thou shalt concentrate on surviving. Recovery is survival, not 'business as usual'. Even under the best circumstances, in the event of a major disaster it will be a considerable time before things are 'back to normal'. There is no such thing as a recovery that is 'transparent to the user'. However, do not overlook one very important common denominator with business as usual: survival is still the same people doing the same things for the business that they always do; they are just doing those things in very different circumstances. Being in survival mode does not mean that people suddenly take on a whole different set of duties and responsibilities; that is often a recipe for another disaster.
IV. Thou shalt not set paper above people. Plans recover nothing; people recover the enterprise. The ultimate goal is not a set of written plans, even if these plans are well maintained and regularly tested. The ultimate goal is the continuity or recovery of the business. At best, written plans are an aid to such recovery. The fact that recovery will succeed or fail based on people must be recognized and given proper consideration in the development of any continuity plans or strategies. One important consequence of this principle is that you cannot depend on what (or who) is not there. Plans must be written in such a way as to depend on those present at time of incident, whether in notification procedures, plan activation, etc. 'Senior staff member onsite' can be a good description to identify plan roles and responsibilities. One time, as I was rolling out completed business continuity plans to a regional group of managers, one of them observed that in the event of a fire, he would get out of the building, not look up the section on 'fire' in his plan. His remark, while facetious, hinted at this underlying truth: the plan helps prepare people to respond to a disaster; the written documentation forms a kind of safety net. If you have a disaster in which you have everyone and everything you need, everyone knows what they are supposed to do, everyone remembers everything, and no one panics or forgets, your need for a written plan will be minimal. If things do not go that perfectly, however, the documentation provides a concrete and highly visible reference point.
V. Thou shalt test. An untested plan is no plan. According to one statistic, only 40% of companies with business continuity plans have tested them. Of those whose plans are tested, 80% reveal major flaws when tested.
VI. Thou shalt distinguish between strategy and recommendations. Continuity planners do not set strategy; they make recommendations. Strategy is ultimately determined by those who pay for it. The Board of Directors, senior management - whoever sets strategy, will choose what seems to them the most cost-effective option. They need to make that choice with a complete understanding of the risks and exposures involved in each option. Our job is to make sure that the decision regarding strategy is an informed decision.
VII. Thou shalt not allow plans to age. Wines age well; continuity plans do not. Which business do you want to recover: this one or the one that existed last year? Plan data has a 'shelf life' of about three months; beyond that it is suspect.
VIII. Thou shalt not covet thy neighbor's larger binder. Translation: Less is more, so avoid 'binder envy'. The more concise the recovery plan, the better. Likewise, recovery plans should not be redundant; they should not reproduce documentation obtainable elsewhere. They should, where necessary, reference that documentation, no more. Examples of documentation that probably should not be part of the recovery plan itself include the following: team or departmental calling trees, manual or other alternate processing procedures, asset lists or inventories, and group, departmental, or company phone directories. A second reason for avoiding this duplication is the fact that if you have one set of data in two places, you in fact have two sets of data. Plan maintenance, as well as usability, can be compromised.
IX. Thou shalt not become complacent. Every plan is capable of improvement. It is a matter of degree: every thermometer registers something. There is always more to do: retesting, updating, rewriting. A plan is only final or perfect if the business is no longer changing (i.e., no longer exists).
X. Thou shalt avoid scope creep. Many people outside of business continuity planning have many ideas about what business continuity should be or do. Very often, those ideas are wrong.
The following is a list of things that business continuity planning is NOT.
It is not:
- a fixed asset management system
- an inventory system
- a computer hardware inventory
- data security (though often lumped together with it on the org chart by some sort of Byzantine corporate reasoning)
- a first-aid manual
- a duplication of existing documentation
- a discount store ('they will provide what we need if there is a disaster')
- a public utility ('if the power goes out, call business continuity planning')
- a departmental calling tree
- a cheap, outsourced substitute for your own department's recovery plan.
As I mentioned at the beginning, someone else composing a 'Ten Commandments' list could easily come up with something different from mine. I firmly believe, however, that my list embodies some very important and fundamental principles of the business continuity planning field. A business continuity strategy that adheres to these principles will not only be on the right track, but also avoid many of the mistakes made by existing programs.
David Greb, CBCP, has worked in the field of business continuity planning for over five years. Currently he is the business continuity planning manager for Birch Telecom, a phone company providing local, long distance, and data services to small businesses in the Midwest and South.