How many business continuity and recovery plans should you have?
How much do you spend on testing vulnerabilities?
The Relationship Between Risk Management and Business Continuity Management
A vital part of business continuity management is the recovery plan. One question we often get when discussing the development of business continuity and recovery plans, is whether to have multiple plans or to try and produce one plan that caters to all situations. To this question, as with almost all questions regarding risk management, it depends on the organization and the internal risk management culture.
The great minds at the Massachusetts Institute of Technology have developed a single plan. The Business Continuity and Recovery Plan presented by MIT focuses on the recovery in the event of a disaster. The plan covers the details and processes for the path to recovery. In the opinion of the security experts at MIT, this single plan is enough.
However, it may be the case that your organization feels it is important to address multiple scenarios which would cause a disruption in “business as usual.” This practice is perfectly fine. Andy Osborne, an acknowledged expert in the field of BCM, points out in his book, Practical Business Continuity Management, “The problem with [a single plan] is it is almost impossible to predict the disaster scenario that will result in your plans being invoked.” This is an excellent point. However, Mr. Osborne continues to say, “Producing plans in an attempt to cater to every possibility can result in an administrative nightmare.”
Understanding the threats that exist to your business is crucial to determining the number of plans that are needed. After completing a risk assessment of your business entity, the threats that are present will assist in determining the number of plans that are needed. If the failure of critical technology becomes a high priority, it would serve the business best to develop a specific plan for the technology failure occurring. If there are no specific threats that warrant a recovery plan, it may serve your organization to create a generic plan that is applicable to multiple events and is flexible in nature.
A plan that is too descriptive and not flexible may be rendered useless if it is unable to adapt to the disruption that occurs. The key to a successful recovery plan is to be prepared to use it, and have a team that has the authority, and above all training to react to the circumstances. We recommend assessing the threats to your business entity, and using this information to determine the number of business continuity plans needed. At the end of the day, being prepared and ready is what is most important. Having to sift through multiple plans may result in loss of recovery time, or even the ability to recover at all.
RM Studio is risk management software and business continuity software that assists operational risk managers and business continuity managers in the development of risk assessments and business continuity plans. For more information about RM Studio contact our team at info@riskmanagementstudio.com.
