BCI European award winner Eugina Pierre exposes the main business continuity assumptions that can lead to bad business continuity planning
1. Once I complete my business impact analysis (BIA), I do not conduct a further high-level analysis as part of the “Understanding the organisation” phase of the business continuity lifecycle
Once BIAs have been conducted, this phase of the business continuity lifecycle is often “ticked off” as complete, without broader consideration of the risk implications. Unfortunately, this means that not only is the business continuity programme managed in a silo but also the departmental risks merely get the attention of the respective line management. As a result of not conducting a risk assessment such as a resilience gap analysis, the board do not have oversight of group-wide risks even though these have a high likelihood of critically impacting the entire business if not addressed. This also means that the board are less likely to buy into the business continuity programme as much as they should because they have no vision of key risks for which they are potentially responsible. This is often one of the biggest blockers for achieving business continuity goals and is proven to be extremely detrimental to group collaboration and in securing appropriate budget and resource for the business continuity activities needed for the organisation.
2. I have business continuity strategies and plans in place but do not need to test them as I know they will work in the event of a crisis
Many organisations have plans and strategies in place and update them regularly but do not test them. For instance, before COVID-19 a lot of companies had a work from home strategy in place, but IT did not conduct work from home test days with all staff, or with phased groups of staff as a minimum, to see if the IT infrastructure, bandwidth and IT support team could cope. Conducting a work from home test day is often deemed unfeasible as it could potentially cause too much unnecessary disruption to the business. The perception is that the IT team already knows what to do (so everything else should work fine) and that the test is pointless as there would never be a need for all staff to work from home at once. Therefore, due to a lack of home working tests, organisations may have missed out on a lot of learnings and opportunities to create better ITDR plans. In addition, a lot of companies were not able to properly consider robust information security controls for home working in advance. Consequently, this may have increased the risk of cyberattacks, as quick and easy solutions to enable all staff to work from home were implemented during COVID-19, e.g. employees using untested IT services and devices. In conclusion, the need to test on a regular basis also applies to all other strategies, such as transferring staff or work to another site. Untested strategies could worsen the impacts of a crisis if they do not go according to plan.
3. COVID-19 proves that we only need one recovery option
For an organisation to have high levels of preparedness and be adaptable to any given crisis, it should have more than one tested recovery strategy in place. No one recovery strategy will enable a business to minimise impact during the most common crises, i.e. loss of people, IT, supplier, building etc. For example, consider the scenario of a fire in the workplace overnight, which caused long term loss and damage to the building. The majority, if not all, of the staff may have left their work laptops in the building as the work from home policy does not require staff to take laptops home, and in addition, corporate policy does not allow use of a personal device. How quickly would IT be able to source new laptops for all staff? How long would it take for IT to configure the laptops? Taking into account these factors, an organisation may need to have an alternative tested strategy in place to continue business as usual in the interim. Any type of crisis can impact an organisation differently and for varying lengths of time. Prior to COVID-19, a lot of companies had various strategies in place, e.g. transfer staff to another office, recovery site and work from home. However, because the pandemic called for everyone to work from home where possible, it has led organisations to believe that only work from home is required going forward. This is a misconception for various reasons: not only does it reduce the resiliency of an organisation to respond to any given crisis, but having in place only one strategy, i.e. work from home, could increase the likelihood of subsequent issues. In this case, for example, those issues include staff demotivation and increased stress due to isolation, increased cyberattacks, and poor compliance due to less process around the movement of documentation and security.
Eugina Pierre is a winner at the BCI European Awards 2020, in the category of “Continuity and Resilience Consultant”. She is often acknowledged for her pragmatic yet forward-thinking approach to all things business continuity management (BCM) and resilience. Aside from her day-job in the industry, Eugina dedicates time and enthusiasm to improving diversity within the industry, promoting awareness to women and young people from different backgrounds through mentoring. She spoke at the BCI Women in Resilience seminar earlier this year and featured in the BCI’s Continuity & Resilience Q1 2020 Magazine.
This year is Eugina’s 10th anniversary of working within the continuity and resilience industry. During this time, she has held various roles in business continuity and operational resilience. Eugina currently works as a business continuity consultant, working with multiple organisations from small to large in several industries including insurance, banking, mortgage providers, media and publishing, to name a few. Her role in these companies has been to create, lead and manage their continuity and resilience programmes.