Plan Checklist

How strong is your current plan?


Here are eight points to use in checking the strength of your current business continuity plan. If you're able to agree with most or all of these, your plan should have a solid foundation:

Your BCP is based on strategy rather than tactics. A tactical approach most often generates huge amounts of documentation without necessarily focusing on the real recovery issues. Because of excessive detail – perhaps even trivia - tactical plans quickly become outdated and obsolete. A strategic, top-down approach addresses the bigger issues of restoring revenue flow and organizational viability while keeping plans manageable and robust.
Your leadership team was involved in creating your BCP.  Business continuity planning is, at its core, risk management and business planning. If senior staff is not involved in creating the BCP strategy, the plan itself is a risk to a speedy, effective recovery.

Your BCP falls under the umbrella of an internal ERM/GRC program.

The integration of Enterprise Risk Management (ERM) and Governance, Risk and Compliance (GRC) business processes is evolving at a rapid rate within many organizations. Taken together, these processes provide a mechanism for ensuring rigor in a business continuity plan, for maintaining the timeliness of such a plan, and for supporting management's broader fiduciary responsibilities.
Your planning process includes a periodic risk assessment of mission-critical activities. Identifying unacceptable gaps in protections or backups for assets needed in performing activities tied to key organizational objectives and goals is important. The outcome of such a risk assessment should be recommendations for closing, or mitigating, any identified gaps.
You are prepared to respond to customers, the public, and other stakeholders within 60 minutes of an event.  Even a minor event can escalate into a major crisis if rapid, proactive communications do not take place. Recent history, including responses to the earthquakes, floods, tornados and snowstorms of 2011, clearly supports this fact. A solid BCP not only addresses how to communicate your situation to your stakeholders, it tells you—and them—when you will communicate and how you will continue to meet their needs.

Emergency response is addressed, but not as the primary focus of your plan.

Making short-term emergency response a primary objective overshadows larger strategic recovery considerations and can leave a business under-prepared to restore operations in the event of a major disruption. Most organizations have already developed an effective emergency process aimed at immediate hands-on situation management until responding public agencies arrive on site.

Your plan addresses IT issues, but is not IT-centric. 

Recent crises demonstrate that restoring access to a network with its associated information and data can be the least of a company’s problems. IT should be viewed as a tool - an important tool to be sure - but a tool supporting overall operations, not the reverse. IT should have a written, but independent Disaster Recovery Plan [DRP] that can be activated quickly to support operations not affected by a disaster as well as those that are directly affected.
Your BCP supports your company's operational effectiveness and lean/cpi initiatives. Integrating business continuity considerations into ongoing operational effectiveness and lean/cpi [continuous process improvement] initiatives makes great sense. These initiatives have a common theme: keeping the organization efficient, resilient, and financially stable. 


Are these points easily checked off? Take a good look at your current plan – contact us and let’s review it together. Or, if you don’t have a plan, let us help you develop one.