Reasons for Failure of Business Continuity Plans

I was recently attending a conference on Business Continuity Management, and happened to attend an enlightening talk given by Mr. Vijay Sethi, CIO of Hero Honda – the world’s single-largest two wheeler company. The focus of the talk was on “Reasons for BCP Failure”, and I believe the points given below are highly applicable to a lot of organizations. With his permission, I am presenting the key ideas presented:

1. Faulty drivers for implementing BCP
A lot of organizations implement BCP because customers demand it, or they need it for ISO 27001 certification, or because their auditors have repeatedly stated so.

2. Not business-centric
A lot of BCPs end up becoming focused purely on IT infrastructure, and are more like Disaster Recovery Plans, rather than comprehensive Business Continuity Plans.

3. No clear owner of the BCM process
The success or failure of the BCM depends on who is the internal driver or champion of the process. Thus the owner of the BCM should be clearly defined. While, the CIO or CTO could be the owner, he must ensure he has a larger business perspective, and more importantly the rest of the organization should not see it as an technology-focused initiative, rather as something that affects all of them.

4. No regular BCP tests
The efficacy and strength of the BCP depends on the frequency and quality of tests carried out. More often than not, testing is done just before an audit. The lessons from a BCP test are also not incorporated into improving the BCP. The practical reason for this is that testing is not an easy process – it requires a lot of thought, effort, and resources to execute properly and efficiently.

5. No regular updating of the BCP documents
Often the numbers given in a call-tree turn out to be not reachable or worse still the person no longer works for the organization. In today’s business environment, organizations are changing rapidly in terms of  processes, new technology, new lines of business, as well as people turnover. The BCP document can very quickly become obsolete and useless if it is not updated regularly.

6. No regular training
The truth is that no one will have the time or occasion to read the BCP document when an emergency strikes. Therefore, the successful execution of the steps in the BCP is dependent on the level of training and awareness regarding the BCP. Again, people turnover results in training not being given to the people who have replaced earlier BCP team members.

7. BCP is too rigid or too complex
No crisis will turn out exactly as envisioned in the BCP. Therefore, the BCP must allow for enough flexibility, fallback options, and enough authorization to the crisis management team to take decisions that they feel to be in the best interests of the organization. Teams should be trained to think outside-the-box. Primary focus should be on enabling and empowering the team, rather than the BCP document.

8. No clear management involvement
I would put this as the #1 reason. Management is often not truly interested in the development and maintenance of the BCM, and usually plays a peripheral role in developing and driving it within the organization.

9. Cost cutting
In the current economic scenario, it is likely the first budget cuts might be to resources allocated to the BCM. Check whether within your organization, during budgetary discussions, it is the BCM that is losing out on getting priority.

To round out the number to 10, and to also add some post-script after the 26/11 attacks, I’d also like to add my 2-cents to the list above:
10. Post 26/11 knee-jerk reactions
From what we are observing around the country, organizations are rushing in to implement security measures, which are not really based on a risk assessment or business impact analysis. Especially in hotels, malls, corporates and governmental organizations the measures are being implemented without taking into account realistic threat probabilities and actual business dependencies.

The talk was filled with very interesting quotes, and I’ll end this article by reproducing a very appropriate one here:

“The time to repair the roof is when the sun is shining”, John F. Kennedy.

Author


Leave a Reply

Your email address will not be published. Required fields are marked *

For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.

I agree to these terms.