During a recent DATAMARK webinar, we polled the audience and found that nearly a quarter of respondents felt that the importance of business continuity planning was the greatest lesson COVID-19 taught their organization. Not surprisingly, having agile tech, standard operating procedures (SOPs), and work environment flexibility also ranked high; all are components of business continuity plans.
As we recently explored in DATAMARK Insights, 80 percent of organizations plan to make business continuity planning a focal point of the coming year. In other words, the vast majority of business leaders are passionate about shoring up their planning and will be investing heavily in continuity of operations plans going forward. But will you be working on the right things? Will your efforts really protect your organization going forward?
In this article, we’ll break down some of the most common reasons business continuity plans fail, so you can address them in your upcoming strategy sessions and be ready come what may.
All too often, organizations start with some ideas and the best of intentions, but they lack the expertise necessary to create a comprehensive plan. They may pull people in from various departments and ask for input, going so far as to identify what their key processes are and how they could be taken offline. But without the help of a disaster-recovery specialist (someone who has helped companies rebuild after many types of incidents and has created continuity plans for multiple organizations), it’s easy to overlook something. Always bring a specialist on board, even if you can only have a pro as a consultant and not a full-time employee.
The who is as important as the what. A solid continuity plan identifies key players, including the person or people who will be held accountable for business continuity management and each person responsible for taking action during an incident. When roles are not made clear and communicated during the planning stages, often nobody steps forward to take action during an incident, because each person thinks someone else has taken action or that someone else is responsible.
Sometimes even the best plans fail to discuss when the organization should put its continuity plan into action. For example, maybe the plan explains how to shift employees to a work-from-home model, but it doesn’t say when this should happen. This can leave the person making the decision at a loss—should they wait until 20 percent of the workforce can’t come to the traditional work location due to inclement weather? Should they wait until 50 percent can’t come? Or, what if the roof is leaking? At what point should the organization begin to have team members telecommute?
The person responsible for making the decision must have clear guidelines to ensure decisions are being made based on evidence and best practice.
The pandemic was a major wake-up call for organizations. Few, if any, had business continuity plans that addressed pandemics specifically. However, those with continuity plans for incidents related to an inability to access a building or remote work capabilities could draw on those and address the situation faster than those with no planning.
In a perfect world, your organization would have plans for every possible incident in place, but hitting the high points of various types of incidents is a solid start. A few areas plans must address are:
It may be hard to identify what’s “realistic” if your team doesn’t have experience creating business continuity plans, but one common mistake here is expecting too few people to be able to shoulder the burden of operations. For example, an organization may think that if 50 percent of its workforce is present, it’s enough to get by, but they don’t realize the workforce is too small to carry the workload, even temporarily, until it’s too late.
Similar issues are seen with worksites. For example, the organization may think that only one site could be hit with a problem at a time and that a sister site can carry the load. This isn’t always possible, depending on what type of incident occurs.
Finance is another big issue in this area. Often, organizations fail to realize how much an incident will impact cash flow or how much it will cost to bring everything back online.
Organizations that haven’t experienced an incident that requires leveraging a business continuity plan often forget about the aftermath. The return to normalcy should be outlined, just like the shift to the continuity plan is. This includes who is responsible for deciding when normal operations can resume, what criteria they should use, and what steps will be taken. When the return plan isn’t created, valuable time is lost, often at great expense.
It’s not enough to have a plan or even to believe it can theoretically work. You must test it against the situations for which it’s designed to protect your organization. It’s akin to running fire drills. You don’t know what will happen or how people will respond until they’re going through the experience. Moreover, regular testing of continuity plans can help ingrain procedures in the minds of those involved, so following the predetermined steps is natural. The team won’t have to think about what they’re doing when they’re nervous, upset, or frazzled—it’ll be second nature.
Organizations must evolve to prevent issues and address incidents when they cannot be prevented. We touched on this when we discussed DATAMARK’s approach to data security. In those situations, the need to update your plans regularly may be apparent. You need to stay on top of your data security because even the smallest lapse can leave the door open to catastrophic consequences.
However, many organizations were still hit hard because their continuity plans weren’t modernized before the pandemic hit. They were using outdated software, didn’t have backups, weren’t leveraging the cloud, and so forth. It’s essential to reevaluate your continuity plans regularly to ensure you’re addressing the latest threats and using the best solutions. Someone should be accountable for doing so, too.
One final reason continuity plans fail is that they don’t get shared. All too often, companies invest time and effort into creating plans because it’s something on someone’s list of things to do. They get it checked off their list and then forget about it. Then, when an issue arises, nobody knows who is supposed to do what or what’s supposed to happen. It slows the response times dramatically and can render all the planning useless. However, when plans are made and shared with the whole team, everyone is on board. It can also help alleviate concerns and keep morale up when the team might otherwise have worries about the company’s future or the work they’re performing.
Business continuity planning is built into everything we do here at DATAMARK, from backups of customer data through plans to address power outages, business closures, and more. We’re also proud to include service level agreements in our client contracts, providing additional assurance that our clients’ outsourced business processes will continue come what may. It’s one of the many reasons Fortune 100 companies and essential government agencies entrust us with their most sensitive back-office processes.
If your organization needs help with business continuity management, contact us for a consultation.