1. Scope. On many of the plans I see it is not clear what the scope of the plan is. The name of the department may be on the front of the plan but it is not always obvious whether this is the whole of the department, which may cover many sites, or just the department based in one location. It should also be clear within strategic and tactical plans what part of the organisation the plan covers. Or does it cover the whole of the organisation? Where large organisations have several entities and subsidiaries it should be clear whether the tactical and strategic plans cover these.
2. Invocation criteria. I believe it should be fairly clear what sort of incidents should cause the business continuity plan to be invoked. I also believe that this invocation criteria should be “SMART”, so as not to be open to interpretation. The criteria should be easy to understand so if you get a call at 3am in the morning and informed of an incident it should be fairly obvious whether you invoke or not. Focus should be on the loss of an asset such as a building or an IT system, not on the cause of the loss. There needs to be a ‘catch-all’ in the invocations criteria which says ‘and anything else which could have a major impact on our operations’ so that the criteria is not too rigid if we need to invoke for an incident we have not yet thought of.
3. RTOs. Defining and agreeing your Recovery Time Objectives is one of the most important items you set during the analysis and design stages of the business continuity lifecycle. There should be a list of RTOs relevant to your plans within the document so you can make sure that you are going to recover your operations at an agreed time.
4. Strategy. I have looked at lots of plans which have lots of detail within them but having read them I am no wiser to the organisation’s recovery strategy or even whether they have one at all. I like my plans to have a written strategy which tells the story of how we are going to recover, containing details of outline activities, locations and timescales. Then it is clear to anyone implementing the plan what your recovery strategy is and how it will be implemented.
5. Information from the BIA. I have seen lots of organisations which do very detailed BIAs and collect lots of information. This information, which could all usefully be used in the recovery, does not make it into the plan. It looks as if two separate activities have been carried out – the BIA and the plans – yet there is no visible connection between the information collected in one and the information in the other. If you cannot use the information in the plan then why collect it in the BIA stage at all? There should be a clear relationship between the information collected in the BIA stage and the information within the plan.
6. Items not needed on the day. Many plans I see are a cross between a plan containing information needed on the day of the incident and policy information. During an incident you do not need information on how often the plan needs to be exercised or the responsibilities of the Business Continuity Manager. My suggestion is to go back through your plan and move to a separate document any information which you do not need on the day of an incident.
7. Telephone numbers. I think telephone numbers should not be contained within the plan. You may wonder how that can be so, as surely you need the numbers to communicate with your key interested parties. Having telephone numbers available are important but I think it should be a last resort to put them within the plans. As soon as you put numbers within a plan you create a monster, which needs to be constantly fed. Every time a number changes you have to change the number in the plan and then send out the amendment to all those who hold a copy of the plan. This creates a huge administrative task, if you give out copies of the plan in hard copy this kills loads of trees, as you will have to reprint a number of copies of the plan. If you just send out the relevant section or page of the plan what you end up is an unamended plan stuffed full of amendments.
If possible, make use of existing lists within your organisation. There are people whose responsibility it is to update telephone lists. The CEO’s PA may keep all the senior management team’s details up to date on a laminated card and send the card out to all executives. Get yourself on this distribution list for the card and instantly you have a list of the telephone number of all senior managers. If HR keeps a list of all home telephone number and mobiles ask for the list to be made available to the incident team on the day of the incident. Often people are happy to give HR their details but may be reluctant to give the details to anyone else in the organisation. My suggestion is to, wherever possible, avoid putting the telephone number in a plan and try and make use of existing lists which are maintained by others.
8. Your plan should have a logical sequence. Too often plans have lots of good information but it is difficult to find. Perhaps on the first page of the plan you could have an immediate action list rather than have pages of background information, scope objectives and quality assurance information. These are all important and should be in the document but why not put them at the end so they can be referred to only if necessary.
9. Details of the medium to long term recovery. Many plans only concern themselves with the short term recovery and the immediate actions to be carried out after an incident. They go into great detail of how the first 10 members of the call centre will get to the work area recovery centre within the RTO of 24 hours. What the plan does not mention is the strategy for recovery of the 90 other members of the call centre who need to be recovered within one week. Yes there can be some hot planning on the day but I believe there should be some detail within the plan of how to recover the “second wave” of staff to be recovered.
10. A team to manage the incident. Often at the operational level a plan contains lots of good information on the recovery of the department but does not contain any information on who will manage the recovery. Will their representative on the Tactical Team manage the recovery or will it be the departmental managers who will get together and implement the plan? The Good Practice Guidelines 2013 says that every recovery plan should have a team to manage it.