Databarracks’ Business Continuity Podcast (BCPcast) is a jargon-free discussion with people who deal with disasters for a living. The company started the podcast because Business Continuity has a bad reputation for being complex and difficult. Actually, the best practitioners make it simple.
We speak to Business Continuity Managers from some of the largest organisations in the world including Google, Mastercard, TFL and The Guardian. Amidst the stories about disasters and recoveries, they share their tips and recommendations on what works. Here are seven lessons that everyone can apply:
- It’s not a disaster if you keep serving your customers
“…it was a good old-fashioned crisis. We refer to it as the ‘great crash of 2015’. We had a server crash and lost all the data…the backup tapes were corrupt, and so we were unable to restore…it took us a little over a year but we didn’t miss a single customer obligation. We didn’t miss a single deadline…we were paddling like crazy under the surface, but we were doing what needed to be done.”
- Vicky Gavin, Head of Business Continuity for The Economist
The ultimate aim of Business Continuity is to keep serving your customers through any incident. Disruptions are tough. They’re stressful and fraught. You’ll be working through the night, implementing workarounds to keep the business going and sometimes it feels like you’ve failed. But that’s not the case. If you can keep all the plates spinning, serving your customers and meeting your obligations then it’s a success.
- Keep your plans short
“…The best business continuity plan is an ugly document…The ideal business continuity plan is a checklist, a document that tells you exactly who, what, when, where and why.”
- Gianna Detoni, Panta Ray
It might seem odd, but Business Continuity Managers are often quite scathing about Business Continuity Plans. It’s not that they don’t like them, it’s just that they are something a lot of people get completely wrong. A 50-page plan is useless. It must be short, concise and usable.
It’s also vital to know who the plan is written for. It’s not written to be reviewed by other BC professionals. It’s written to be used by the people managing the incident. That means no jargon or specialist terminology. It also means the plan needs to be accessible and understandable for everyone, not just your ‘experts’. If your IT Recovery Plan can only be understood by the IT Manager, you’re in a lot of trouble if they’re not available.
- Plan for impacts, not scenarios
“We plan for impact mainly. That’s the way we do it here. We plan for people unavailable, premises unavailable, communications down, systems unavailable and suppliers letting us down. If we’ve planned for those particular things it covers most scenarios.”
- Katherine Corbishley, Business Continuity Supervisor at a large, global corporate law firm
Listen to the episode
This is the most common misconception about BC. Trying to plan for every possible scenario is an overwhelming and impossible task. There are fires, floods, terrorism, cyber-attacks plus ‘black swan’ events like Icelandic volcanos or unexploded WW2 bombs. You can’t have a plan for every scenario, but you can plan for their shared impacts.
Incidents will impact your People, Premises, Resources or Suppliers (PPRS). A plan for how to operate without your office works for a fire, a transport disruption, an evacuation or even a global pandemic.
- Test and exercise
“Most senior manager are very reluctant to see the plans invoked, because they don’t completely trust them. That comes from the fact that most organisations, or many, organisations, fail to test adequately.”
- Richard Bale has had a storied career working for London Buses and major American banks in the city
While our guests are often quite dismissive of the ‘plans’ themselves, something they all agree on is the value of testing and exercising. When you exercise the plan, you develop the institutional muscle-memory of how to respond when something goes wrong. When everyone is well-drilled, you don’t need to refer to a plan.
Don’t just limit exercising to your Crisis Management Team, it needs to be something everyone does, from the CEO down to the shop-floor. Look for ways to exercise more frequently like using transport-strikes as a chance to test working from home practices.
BC practitioners are also very clear about the test/ exercise distinction. A ‘test’ is something that you can pass or fail. For instance, does your generator work?
‘Exercises’ however aren’t something that you fail. In all exercises, things go wrong, and that’s okay as long as you learn from it. Once you eliminate that fear of failure, it removes the barrier to exercising more frequently, which is the most important way to become resilient.
- Think ‘social-first’ for reputation management
“I think previously, the skills for crisis management were very much around being able to manipulate the media and the media essentially were the big newspapers and the TV and the radio stations. They were the only people to publish news, but nowadays, everyone with a smartphone is a news publisher. So maybe 30 years ago you had to deal with five or six big organisations, now you’ve got to deal with 8 billion people, which gives you a bit of a problem.”
- Mel Gosling, Merrycon
Social media has drastically changed Crisis Communications and reputation management. It used to be the case that there was time to deal with the incident before needing to think about Crisis Comms. Now, because of social media, incidents are immediately reported and without presenting your account, can quickly escalate.
How well you communicate throughout the incident can be even more important than the incident itself. By being honest and clear you build goodwill with your customers. A competently managed incident isn’t a very interesting story for the press to cover, which limits your negative publicity too.
- Prepare for multiple, concurrent crises
“There were lots of things that we’d given some thought to before, but not in enough depth to cope with more than one thing happening at once.”
- Katherine Corbishley is Business Continuity Supervisor at a large, global corporate law firm
Are you prepared to handle a major cyber-attack while the team work remotely due to COVID-19? What happens if you need to send staff home due to an electrical fire, but the office car park is also cordoned-off? How will they get home?
What happens if your IT fails and your replica systems also don’t work? How long would it take to recover completely from backups? These situations are rare, but these are all real examples. When you plan your mitigation strategies always think “what happens if this doesn’t work?” and plan secondary actions.
- Know your leaders – and make sure they know their role
“Instead of actually then sitting down and doing things that the MD should be doing, like making decisions and organising things, this particular MD rushed out and went to the nearest hardware store and managed to get some brooms and dustpans and brought them all back and started cleaning the office up.”
- Mel Gosling, Merrycon
Another common misconception is that the Business Continuity Manager is in charge of Crisis Management. This is one area that our guests don’t always agree on. Some believe that the person leading the response (often called the Gold Commander) should be the most senior executive in the business. The Business Continuity Manager can support them and provide advice, but the decisions should be made by the people in charge of the business.
On the other hand, some practitioners believe not only are they the right person to lead the response, but the experience is critical to being a good Business Continuity Manager. It’s hard to know how to write a Business Continuity Plan if you have never needed to use one.
With either route, it is vital to know who’s in charge. We’ve heard several stories of what goes wrong when that isn’t the case. In one example, someone took it upon themself to deal with an incident rather than escalating.
Without the full picture of the situation they made completely wrong decisions. The opposite is when senior management try to muck-in, in the recovery rather than standing back, managing and delegating tasks. Both responses are well intentioned but can be very damaging. As we have seen in the response to COVID-19, serious incidents often bring out the best in people. Everyone wants to do their bit to help the recovery so harness that energy with clear direction and communication.