7 Business Continuity lessons from The BCPcast
The BCPcast is a jargon-free discussion with people who deal with disasters for a living. We started the podcast because Business Continuity has a bad reputation for being complex and difficult. Actually, the best practitioners make it simple.
We speak to Business Continuity Managers from some of the largest organisations in the world including Google, Mastercard, TFL and The Guardian.
Amidst the stories about disasters and recoveries, they share their tips and recommendations on what works. Here are seven lessons that everyone can apply.
1. It’s not a disaster if you keep serving your customers
The ultimate aim of Business Continuity is to keep serving your customers through any incident.
Disruptions are tough. They’re stressful and fraught. You’ll be working through the night, implementing workarounds to keep the business going and sometimes it feels like you’ve failed. But that’s not the case. If you can keep all the plates spinning, serving your customers and meeting your obligations then it’s a success.
2. Keep your plans short
It might seem odd, but Business Continuity Managers are often quite scathing about Business Continuity Plans. It’s not that they don’t like them, it’s just that they are something a lot of people get completely wrong.
A 50-page plan is useless. It must be short, concise and usable.
It’s also vital to know who the plan is written for. It’s not written to be reviewed by other BC professionals. It’s written to be used by the people managing the incident. That means no jargon or specialist terminology. It also means the plan needs to be accessible and understandable for everyone, not just your ‘experts’. If your IT Recovery Plan can only be understood by the IT Manager, you’re in a lot of trouble if they’re not available.
3. Plan for impacts, not scenarios
This is the most common misconception about BC. Trying to plan for every possible scenario is an overwhelming and impossible task.
There are fires, floods, terrorism, cyber-attacks plus ‘black swan’ events like Icelandic volcanos or unexploded WW2 bombs. You can’t have a plan for every scenario, but you can plan for their shared impacts.
Incidents will impact your People, Premises, Resources or Suppliers (PPRS). A plan for how to operate without your office works for a fire, a transport disruption, an evacuation or even a global pandemic.
4. Test and Exercise
While our guests are often quite dismissive of the ‘plans’ themselves, something they all agree on is the value of testing and exercising.
When you exercise the plan, you develop the institutional muscle-memory of how to respond when something goes wrong. When everyone is well-drilled, you don’t need to refer to a plan.
Don’t just limit exercising to your Crisis Management Team, it needs to be something everyone does, from the CEO down to the shop-floor. Look for ways exercise more frequently like using transport-strikes as a chance to test working from home practices.
BC practitioners are also very clear about the test/exercise distinction. A ‘test’ is something that you can pass or fail. For instance does your generator work? ‘Exercises’ however aren’t something that you fail. In all exercises, things go wrong, and that’s Okay as long as you learn from it. Once you eliminate that fear of failure, it removes the barrier to exercising more frequently – which is the most important way to become resilient.
5. Think social-first for reputation management
Social media has drastically changed Crisis Communications and reputation management. It used to be the case that there was time to deal with the incident before needing to think about Crisis Comms. Now, because of social media, incidents are immediately reported and without presenting your account, can quickly escalate.
How well you communicate throughout the incident can be even more important than the incident itself. Being honest and clear you build goodwill with your customers. A competently managed incident isn’t a very interesting story for the press to cover, which limits your negative publicity too.
6. Prepare for multiple, concurrent crises
Are you prepared to handle a major cyber-attack while the team work remotely due to COVID-19?
What happens if you need to send staff home due to an electrical fire, but the office car park is also cordoned-off? How will they get home?
What happens if your IT fails and your replica systems also don’t work? How long would it take to recover completely from backups?
These situations are rare, but these are all real examples. When you plan your mitigation strategies always think: “what happens if this doesn’t work” and plan secondary actions.
7. Know your leaders – and make sure they know their role
Another common misconception is that the Business Continuity Manager is in charge of Crisis Management. This is one area that our guests don’t always agree on.
Some believe that the person leading the response (often called the Gold Commander) should be most senior executive in the business. The Business Continuity Manager can support them and provide advice, but the decisions should be made by the people in charge of the business.
On the other hand, some practitioners believe not only are they are they right person to lead the response but the experience is critical to being a good Business Continuity Manager. It’s hard to know how to write a Business Continuity Plan if you have never needed to use one.
With either route, it is vital to know who’s in charge. We’ve heard several stories of what goes wrong when that isn’t the case.
In one example, someone took it upon them self to deal with an incident rather than escalating. Without the full picture of the situation they made completely wrong decisions. The opposite is when senior management try to muck-in, in the recovery rather than standing back, managing and delegating tasks. Both responses are well intentioned but can be very damaging.
As we have seen in the response to COVID-19, serious incidents often bring out the best in people. Everyone wants to do their bit to help the recovery so harness energy that with clear direction and communication.