Blog | BCMMetrics

Reduce Business Continuity Failures by Avoiding These Two Common Mistakes

Written by Michael Herrera | Jul 30, 2024 4:13:09 PM

Most of the time when organizations suffer significant operational disruptions, the outages can be traced to one of two common business continuity failures: deficient recovery strategies and inadequate testing. Fortunately, there are steps every company can take to fortify its position in these critical areas. 


 

Bringing a Company to Its Knees 

There are many reasons business continuity programs fail. In my experience, the majority of failures and also the most serious failures are caused by two particular shortcomings: underdeveloped recovery strategies and a lack of realistic testing.  

When an event occurs, either one of these weaknesses can be damaging. If both are present, it can lead to a one-two punch that knocks a company to its knees.  

 

Shortcoming No. 1: Underdeveloped Recovery Strategies 

When I meet with companies to talk about their BC programs, there is often an elephant in the room: the inadequacy of their recovery strategy. It’s the big problem that everyone knows about and no one wants to acknowledge. 

A recovery strategy, of course, is the overall approach an organization uses to restore a business or IT process. Recovery strategies set forth the steps an organization should take to resume its mission-critical business processes and computer systems and applications in the event of a disruption. 

Unfortunately, most companies’ recovery strategies range from underdeveloped to nonexistent. Organizations with deficient recovery strategies have little to no idea what they need to do to recover the business if and when they are hit with an outage. 

Most of the time when a company’s recovery strategy is lacking, the problem can be traced to one of the following: 

  • The company has not established any standards to guide its stakeholders in applying its strategies. 
  • The company failed to take the findings of the business impact analysis (BIA) into account in devising its recovery strategies. 
  • The company has not conducted a threat and risk assessment (TRA), or else it ignores the conclusions of the TRA in creating its recovery strategies. 
  • The organization starts strong and then peters out, failing to fully implement the strategies. 
  • The company does not budget sufficient resources to fully implement its strategies. 

If any of these problems exist, it can be enough to keep your program from working when you need it most. 

 

Strengthening Your Recovery Strategies 

Thankfully, there are things an organization can do to strengthen its recovery strategies. Here are a few of them: 

  • Establish and document an enterprise standard for implementation of the recovery strategies for the business processes and IT. 
  • Take the BIA and risk assessment into account in devising recovery strategies. 
  • Make sure the strategies are sufficiently robust to function when the company is at peak work volume. 
  • Develop a wide spectrum of strategies to fit the full range of business processes and IT systems and applications, from those that are mission-critical to those that can be deferred for an extended period. 
  • Follow through with sufficient resources and work effort to ensure that strategies are fully implemented. 

When an organization’s recovery strategies are underdeveloped, it is essentially gambling with its future. By crafting and fully implementing sound strategies, the organization is well on its way to being able to face the future with confidence. 

 

Shortcoming No. 2: Inadequate Recovery Exercises 

The other common cause of business continuity failures is omitting to conduct realistic recovery exercises. Having well-considered recovery strategies is essential. But the only way to find out if those strategies work is to test them through rigorous exercises.  

The following are some of the most common problems we see with companies’ BCM exercise programs:  

  • They only perform tabletop exercises, which don’t fully validate recovery capability.  
  • They don’t conduct BCM exercises regularly or with sufficient frequency. 
  • When they do exercise, they don’t go through all scenarios and test for simultaneous events. 
  • Program managers don’t test in an unannounced manner. 
  • During testing, the companies don’t follow the relevant documentation in implementing their recovery strategies. 
  • When exercises are underway, managers don’t note the gaps they observe and create action items for later implementation. 
  • Management doesn’t review or validate the exercise. 
  • Exercises for the individual business units are not integrated with those of the units upstream and downstream. 
  • The exercises don’t take peak work volumes into account. 

Any organization whose testing program has these problems is not really testing anything; it’s only fooling itself. It’s also squandering a precious opportunity to identify and close gaps, thereby reducing the chances it will experience a business continuity failure. 

 

How to Fortify Your Exercise Program 

The good news is, there are a number of straightforward steps a company can take to make sure its exercise program truly validates its recovery capability. They include: 

  • Follow the enterprise recovery exercise standard. 
  • Take the BIA and risk assessment into account in planning and carrying out recovery exercises. 
  • Ensure that mission-critical business processes and IT systems and applications are fully exercised. 
  • Conduct exercises regularly, frequently, and comprehensively. 
  • Ensure that managers participate, taking responsibility for the successful execution of exercises and the resolution of exceptions. 

By taking these steps, an organization can ensure that its testing program provides meaningful validation rather than false comfort. 

 

Becoming More Resilient 

The two problems that cause the majority of business continuity failures as well as the most serious failures are undercooked recovery strategies and inadequate testing. When an event occurs, these problems can combine to deliver a one-two punch that knocks an organization to the canvas.  

Fortunately, organizations can easily take steps to protect themselves against these shortcomings, such as taking their BIA and risk assessments into account in devising their recovery strategies and conducting exercises. Companies that take steps to strengthen their position in these two areas reap the benefits of greater resiliency and recoverability. 

 
