Ayesha Al Bakoush, CBCP, CRA
Businesses and organizations are not immune to crises and therefore planning for the unexpected must be considered as a sound practice. Many organizations are unprepared to handle workplace crises, operating under the myth that “those things won’t happen here.” While most of us do not like to think about crises happening to us, planning to deal with them proactively and effectively would help protect human lives, prevent damage and reduce the likelihood of financial and non-financial impacts.
The whole concept of business continuity is relatively new to the UAE. Subsequent to the issuing of the first Emirati business continuity standard – AE/HSC/NCEMA 7000:2012, the majority of the government organizations have started to adopt business continuity into their strategies and have initiated plans from scratch. There are many factors that contribute to the success of business continuity plans, for example: obtaining the executive management support, completing the Business Impact Analysis and Risk Assessment. However, those elements alone cannot guarantee the effectiveness of the business continuity plans.
Business continuity should be more than just a plan, ideally it should be integrated into the culture of the organization and be part of daily operations. This article will undertake analysis of various reasons why business continuity plans might fail even if they cover all critical planning aspects.
- Experience & Right Skillset
Although learning the hard way is not always the best option, but the lack of experience in disasters usually leads to wrong decisions as well as the focus on areas that might not be crucial to the organization. Due to the fact that our country is considered to be a safe country and we do not face fatal disasters of any kind, it might be a challenge for organizations to plan and consider events that they have never faced and they don’t even know whether those events are going to ever happen.
Ideally training and professional accreditation is one of the best solutions, it helps professionals broaden their horizon about the topic through their networking with other professionals and help them gain more insight about the topic. Also, exploring other organizations who have robust business continuity plans in place and learning from their lessons.
The embedding of the business continuity into the culture of the organization is key to the success of the program. An experienced business continuity professional who knows and understands the culture of the organization he/she is working for, should be able to put plans and ideas to slowly and steadily engage the staff and make it easy for them to absorb the business continuity concept and make it fit into their business and operating models.
- Training and testing
Training and testing usually shows how serious an organization is about its business continuity plans. Due to the resistance factors to new projects, business continuity plans might just end up as a document on the shelf that is never used or looked into. In addition, the safe culture and the lack of exposure to disasters might encourage organizations to skip testing and training which might be considered as a disturbance to normal operations and an unwanted task.
Training & testing are the best indicators to ensure the proper execution of a business continuity plan. As per DRI’s 10 Professional Practices, BC plans should be tested at least once a year to ensure the awareness of the employees about their roles and responsibilities and what is expected from them in case of disasters. It is also important to utilize different types of testing ranging from table-top to full scale exercises, each organization should choose the type of testing that suits the nature of its operations taking into consideration the maturity level of the Program.
- Over doing it
Many organizations fall into adding too much operational details to their business continuity plans to ensure the availability of all required information.
Another common mistake is “abusing” management support to force the implementation and execution of business continuity-related or non-related processes. In other words, business continuity related terminology might be used the wrong way to drive change into the organization which will demotivate staff and minimize their sense of engagement and ownership.
Business continuity plans should contain the information about critical staff and functions in a brief and well-structured way that makes it easy for the staff to read and execute. Details and long processes should be eliminated from the plan and kept into a separate appendix to minimize confusion, save time and effort. Also, shortcuts to long processes should be taken into consideration and activated during disasters to overcome human resource shortages.
With regard to the use of management support, business continuity professionals should know the required amount of pressure they should use with their staff to enforce rather than force change. Also, staff should feel that they are engaged and involved which will motivate them to contribute towards improving the plans.
- Wrong assumptions
Understanding the nature and culture of the organization is a key element in building a successful business continuity program. Business continuity objectives should be aligned to the organization’s objectives to ensure maximum benefits. The ideal way to plan for disasters is to plan for the worst case scenario, but the question is: how bad the worst case can be? In this case, professionals should be realistic while planning for the worst case.
Business continuity professionals should flawlessly understand management expectations from the business continuity program. The most successful program is one that is tailored according to the needs and expectations of a specific organization. It is also required from business continuity professionals to have a strong vision about what might make a disaster even worse, and what would be the potential solutions or backups if further incidents do materialize.
In some cases outsourcing might be a suitable solution to transfer risk and accountability to a third party. However, if an organization is planning to keep its critical functions up and running during a disaster, outsourcing or signing a contract with a third party promising to deliver a service or a product during a disaster is not enough. No matter how strict the legal terms and conditions are, if the service provider fails then the whole process fails.
Before outsourcing or transferring accountability to a third party, an organization should make sure the service provider has their own business continuity plans updated and tested. Also, service providers and third parties should be part of any organizations business continuity testing and training to help define expectations and outcomes from both sides. In addition, it is very critical to always have a backup plan in case the initial plan fails. In this case, finding more than one provider for the same service or product and keep their information documented and updated. And most importantly get them engaged and updated regularly.
Business continuity is a holistic approach based on simple and clear methodologies, if planned properly will ensure the continuity of an organization’s critical functions during disasters, and safeguards its human and physical assets. The implementation of best practices and international standards alone are not enough to ensure the effectiveness and the success of a business continuity plan, rather, it should be realistic, simple, flexible, and up-to-date.
Creating and maintaining a successful business continuity program is more than following a set of best practices; nevertheless, avoiding the above mistakes can enable a more effective capability that aligns to organizational needs and drivers.
Ayesha Al Bakoush is currently working as Principal Business Continuity Specialist with Abu Dhabi Crown Prince Court. With over 10 years of professional experience, she possess strong experience and domain knowledge, ranging from implementing and auditing business continuity management programs, enterprise risk management, and project management. She has done her Bachelors in Information Management from the Higher Colleges of Technology in Abu Dhabi and currently pursuing Masters in International and Civil Security at Khalifa University for Science and Technology Research. The author is a Certified Business Continuity Professional and can be contacted at: firstname.lastname@example.org