Business Continuity Blog

With significant experience in business continuity management consulting, John Robinson shares his insight.

Compliance Box-Checking, Leadership and Risk: TBM SIG

Posted by John Robinson on August 25, 2015


The Total Business Metrics Special Interest Group met monthly to help business continuity professionals connect, share challenges and best practices and improve their work, led by business continuity consultant John Robinson.

Can checking compliance boxes ever be acceptable? Putting official paper in place is potentially the lowest-effort route to passing a cursory examination or audit, but what effect does it have? The result is typically packaged and summarised and appears perhaps as a single line on a board report. These are busy people, so if the outcome appears positive, it is quickly passed over, attracts no attention and generates no remedial action. Safe for another year.

The saving in time and investment is often substantial, but this must be set against the risk of taking this neat shortcut. The risk stems from two key sources: first, the operational risk associated with having no proven fallback (very low likelihood, potentially catastrophic impact); second, the legal and regulatory risk associated with misleading investors, customers, employees and other stakeholders who have bought into the organisation based on the information provided. Someone breached their trust and the organisation could be fined. At worst, people could go to jail.

Box-checking is dangerous territory and, when uncovered, erodes trust and credibility. Live, current evidence helps, but only mature, demonstrable capability provides certainty. It implies we should test business continuity plans thoroughly before we go public.

This leads me to another train of thought we touched on during the SIG. Why do so many senior businesspeople feel they can acceptably sidestep testing BC plans? There are some interesting possibilities to contemplate.

  1. The organisation has agreed a no-test approach with its stakeholders
  2. Management doesn’t know of or fully understand its obligation to manage risk
  3. They understand the obligation but put profit first
  4. They believe paper testing is sufficient or that insurance will cover it

Option one is typical and often acceptable amongst owner-run organisations or those with a declared strong risk appetite, although they may need to reduce margins to offset the high levels of risk they pass to customers.

Options two and three come down to leadership, education and culture. It's pointless denying that disasters happen and demonstrably affect a number of businesses every year. So it comes down to the acceptability of denial and the organisation's interpretation of the gamble management is taking. The cultural beliefs that "the chances of it happening on my watch are nil" and "I can always find another job" can be enough to promote a powerful unspoken risk-taking culture, from the CEO to the shop floor. Long-term investors may take a different view.

For option four, see the checkbox argument above. Most insurers now demand business continuity plans.

The only valid reason to postpone a test is, in my view, where that test is demonstrably not required. BC tests are important. They scream credibility and permanence to all who have an interest in the organisation's continued well-being, including employees. They are an incentive to choose you over your competitors and are a vital ingredient of success. We should all do them.
