Have you ever had to bail out of an airplane?… Me neither, fortunately. But imagine if you did, and your parachute was too moth-eaten and tangled to support you because you hadn’t maintained it properly. Fun, right?
I see the same thing all the time with organizations’ recovery plans. The organization has a plan. They created it at some point in the past, and maybe at one time, it was actually pretty good. But that was a while ago, and they haven’t thought about it or looked at it recently. They’ve been too busy doing other things.
And then all of a sudden, there’s an emergency, and the organization realizes they need to implement their trusty old recovery plan in order to deal with the incident and minimize its impact on the business—but the plan is so moth-eaten it barely works.
Don’t let this happen to you.
In my experience, there are seven main ways in which recovery plans are commonly allowed to become out of date. Here they are; do any of them apply to you?
- Personnel. The people change, but the plan doesn’t keep up. Peoples’ roles, phone numbers, and office locations change all the time. Some folks leave, new ones come in. It’s always good for a chuckle when I’m reviewing a recovery plan with a client, and they see someone’s name on the contact list and say, “That guy hasn’t worked here in five years.” Unfortunately, the consequences of having an outdated contact list can be serious when an incident occurs. An up-to-date plan has up-to-date contact information.
- Distribution. Over time, the people at the organization who need to receive copies of the recovery plan can change. If people who need access to the plan don’t have it, it’s as bad as the organization not having a plan at all. Keep your distribution list current.
- Business processes. Like employees, the business processes at an organization are subject to change. At one point, an organization might outsource a particular process. Later on, as a result of a reorg or merger, for example, it might adopt one or more new processes. Is the recovery plan keeping up? It should, or it won’t be of very much use when there’s a disruption.
- Computer systems. The same goes for computer systems. Changing computer systems is a big, interesting project, in most cases. Changing the recovery plan to keep up is maybe not so interesting. However, it has to be done, if your plan is to serve the organization well in an emergency.
- Recovery times. The proper recovery time objectives (RTOs) for different processes change as the business evolves. Suppose the criticality of a certain process increased from one year to the next, with the proper recovery time objective for that process going from 5 days to 24 hours. Great. Now, was the recovery plan updated to reflect the new level of criticality of this process?
- Testing and validation. Have your plans and processes been tested within the past year? Have they ever been tested? If not, your plan is effectively out of date. Get those tests and validations taken care of and make note of them in your recovery plan.
- Changing threats and circumstances. Have the threats and challenges facing your business changed since the plan was created or updated? This a big issue at the moment with weather patterns and storm threats seeming to change almost from year to year. Alternately, a change could be something unique to your facility or industry. In any event, threats change and your plan should be updated to keep pace.
Those are the seven reasons that recovery plans most commonly go out of date. Have these or some other matter turned your organization’s plan into an antique?
If so, no problem. You just need to update it.
Here’s how to do it:
- Determine how critical the matter is.
- If the matter is critical to the execution of the plan, quickly get your team together, communicate what the exposure is, discuss the matter, agree on the change, make it, and redistribute the updated plan.
- If the matter is not critical, you can take care of it during your next regularly scheduled plan maintenance period.
You do have a regular schedule for plan maintenance, don’t you?
Well, you should.
As a routine matter, your organization should update its dynamic information—such as staff contact information—once a quarter. It should review all other aspects of the plan every six months. Some people do their review annually but for my money, that’s too long to wait. Too much can change in that much time.
The review should be done using checklists telling you what areas need to be reviewed. (I love checklists. I think they are so helpful. For tips on creating and using them, see my recent post “The 4-3-3 Rule for Writing Business Recovery Checklists.”)
If you are like me, the idea of jumping out of a plane with a moth-eaten parachute is not your idea of a good time. Your organization’s recovery plan is like its parachute. Inspect it regularly and keep it up-to-date to ensure it is ready for service when and if you need it.