You guys I'm like really smart now. You don't even know. You could ask me, Kelly what's the biggest company in the world? And I'd be like, "blah blah blah, blah blah blah blah blah blah." Giving you the exact right answer.


-Kelly Kapoor
The Office


Friday, December 3, 2010

Appetite - How/Why to create a business continuity plan in 30 seconds or less

One of the initial decisions that companies are faced with in designing their business continuity plan is identifying their "risk appetite." This term refers to how much risk a company is willing to accept in lieu of expending time, money and effort to transfer, prepare for, avoid or mitigate known risks.

However, an even more important decision that many companies fail to consider, which can result in time, money and effort being wasted, is determining the company's appetite for business continuity itself.

Specifically, companies considering creation of a business continuity plan need to honestly answer the following questions:

1. What is the true motivation for establishing a business continuity program? Is it to satisfy regulators, to display to customers, or to actually provide comprehensive protection for the organization?

2. Will senior management consent to establishing business continuity as a corporate objective? Specifically, will employees be given clear, measurable objectives to ensure that they participate in the training and tests necessary to embed business continuity into the company, or is training something that will remain optional?

3. What are the expectations of senior management and employees for a business continuity program?

I would argue that if a company simply wants a plan to throw at regulators and auditors to make them go away, this can easily be accomplished with a minimal amount of training and effort. Because no formal standard yet exists (although one is actively in the works), most agencies or individuals requesting business continuity plans will not have a basis for identifying mandatory components of the plan. As such, running a find/replace in your current DR plan for "disaster recovery" and converting each instance to "business continuity" might be all your organization is looking for.

Moreover, in the absence of endorsement from senior management, a well-written plan will likely be of no more use than a find/replace plan. Employees will not read it, as all of their specifically defined priorities will supersede it, and senior management will only want to know "do we have one" or perhaps "is ours bigger than our competitors'."

Is this approach risky - "yes." Is it ethical - "no." Will the end result be any different than a painstakingly defined plan that sits on a shelf - "not in the slightest."

Ask the question to employees and senior management before you put in the effort. A silent nod from senior management is insufficient.
