| ||Your BCP is based on strategy rather than tactics. ||A tactical approach most often generates huge amounts of documentation without necessarily focusing on the real recovery issues. Because of excessive detail – perhaps even trivia - tactical plans quickly become outdated and obsolete. A strategic, top-down approach addresses the bigger issues of restoring revenue flow and organizational viability while keeping plans manageable and robust. |
| ||Your leadership team was involved in creating your BCP. ||Business continuity planning is, at its core, risk management and business planning. If senior staff is not involved in creating the BCP strategy, the plan itself is a risk to a speedy, effective recovery. |
| || |
Your BCP falls under the umbrella of an internal ERM/GRC program.
|The integration of Enterprise Risk Management (ERM) and Governance, Risk and Compliance (GRC) business processes is evolving at a rapid rate within many organizations. Taken together, these processes provide a mechanism for ensuring rigor in a business continuity plan, for maintaining the timeliness of such a plan, and for supporting management's broader fiduciary responsibilities.|
| ||Your planning process includes a periodic risk assessment of mission-critical activities. ||Identifying unacceptable gaps in protections or backups for assets needed in performing activities tied to key organizational objectives and goals is important. The outcome of such a risk assessment should be recommendations for closing, or mitigating, any identified gaps. |
| ||You are prepared to respond to customers, the public, and other stakeholders within 30 to 60 minutes of an event. ||Even a minor event can escalate into a major crisis if rapid, proactive communications do not take place. Recent history, including responses to the earthquakes, floods, tornados and snowstorms of 2011, clearly supports this fact. A solid BCP not only addresses how to communicate your situation to your stakeholders, it tells you—and them—when you will communicate and how you will continue to meet their needs.|
| || |
Emergency response is addressed, but not as primary focus of your plan.
|Making short-term emergency response a primary objective overshadows larger strategic recovery considerations and can leave a business under-prepared to restore operations in the event of a major disruption. Most organizations have already developed an effective emergency process aimed at immediate hands-on situation management until responding public agencies arrive on site.|
| || |
Your plan addresses IT, but is not IT-centric.
|Recent crises demonstrate that restoring access to a network with its associated information and data can be the least of a company’s problems. IT should be viewed as a tool - an important tool to be sure - but a tool supporting overall operations, not the reverse. IT should have a written, but independent Disaster Recovery Plan [DRP] that can be activated quickly to support operations not affected by a disaster as well as those that are directly affected.|
| ||Your BCP supports your company's operational effectiveness and lean/cpi initiatives. ||Integrating business continuity considerations into ongoing operational effectiveness and lean/cpi [continuous process improvement] initiatives makes great sense. These initiatives have a common theme: keeping the organization efficient, resilient, and financially stable. |