Every second article I have read says it’s not about the scenario but the actions therein.
True, but what happens when you are trying to engage a whole department in Business Continuity Planning, finally get there, get meetings agreed to exercise the plans, and the scenarios just don’t relate?
I conducted a few exercises giving out the usual fire, flood, telephone scenario and even a case of winning the lotto. At first quite a few said, “Oh that’s never going to happen anyway”. Sometimes you can’t win them all and no matter how much you try some people just don’t want to buy in. That is ok. If they are willing to accept the risks then they are willing to accept the consequences.
Since I have been involved with Business Continuity (almost 1 year) I don’t recall going to an exercise where it wasn’t cancelled. (I have a pretty good handle on this now after being ‘rejected’ for an exercise 5 times.) I expect it and it is mainly because people are slightly anxious about what is needed.
I have had Heads of Department look almost anxious at the thought of me coming in to ‘test’ them. It reminds me of school days where I had to take exams and dreaded it because I didn’t understand the subject. The same principle applies. You get told to do the plan, and then you do it, don’t really get why, then when you test it, that eureka moment occurs (hopefully).
Making a silo-based organisation (there are always going to be silos) come together to focus on better resiliency and business continuity is a challenge. The phrase WIIFM has never been more applicable than at this time. I decided it was time to scrap generic scenarios, take a more ‘hands on’ approach and focus it around what each department did. I spoke their language and combined it with mine.
Example: I did a desktop/walkthrough for a department that primarily focuses on large fundraising events. What was going to engage them more, a fire scenario in the office away from their event or a scenario related to an upcoming event which has the capacity to generate an income of more than £50k?
The Scenario: A special event is happening tonight and will raise £50K. Card payment readers are locked in the office, but it has been established that the building has been closed due to another flood (using something that happened recently).
What are the options? Is there a backup? How will you get donations from people who want to pay by card? How will the BCP help decide what to do? I then went on to build on that scenario.
The Result: Realisation that something like this actually happened in the past and the bank they would ring had refused card readers. Various options were discussed: paper slips could be used, and as the scenario developed it turned out that, for the most part, a lot of the contingencies were in place. They just hadn’t realised that this would be a BC event. The feedback was positive and further tweaks to the BCP were required. The head of department had said it was a good example and would use it in their team meetings to raise awareness for the rest of their staff, especially as this has never been considered before.
Success, I’d say!
Better to have the business continuity plan and not need it than to need the plan and not have it. –anon
RISKercizing until next time..