Let ’em have it?
You’ve probably noticed that the general level of business continuity awareness has grown in recent times – which is good news. But it probably means that your customers, prospects, business partners, investors or other stakeholders are increasingly taking an interest in your business continuity arrangements. In fact, if you haven’t been asked about them yet, it’s probably only a matter of time.
It’s highly likely that at some point you’ll be asked by someone for a copy of your business continuity plan. But should you send it to them or not?
Well actually, in most cases it’s not necessary and in any case the detail of your plan is largely nothing to do with them! Think about it – your plan probably contains personal or confidential information, such as names, addresses and contact numbers, commercial details or other sensitive stuff.
It’s almost certain that you wouldn’t just send a copy of your business or marketing plan or your budget forecast or your employee database or details of how you run your business to a third party, just because they asked for it. So why should the content of your business continuity plan be any different?
Rather than sending a copy of your plan, a better approach might be to send a summary of what you’ve done and what you’re doing, for instance that:
- You’ve appointed a business continuity manager or co-ordinator;
- There’s a senior-level steering group in place;
- You’ve done a business impact analysis to identify the time-critical functions and their recovery time objectives;
- The key risks to the continuity of your business have been considered and appropriate steps taken to mitigate them;
- You’ve implemented a strategy and appropriate solutions to meet the identified recovery requirements;
- There’s an incident management and business continuity framework in place, the relevant teams have been established and team members briefed on their roles and responsibilities;
- Incident management and business recovery plans have been documented;
- There’s an ongoing programme of exercising and testing;
- The strategy, solutions and plans are regularly reviewed and updated;
- The business continuity management system is in line with a recognised standard, such as BS25999.
The vast majority – particularly if they actually know anything about business continuity management – will be more than happy with this approach. In fact, there’s a fair chance that they’ll be much happier than if you just send them a copy of the plan.
Of course, if you haven’t done any of the above, you’ll probably get found out, whether you send a copy of the plan or not!
Comments
Andy,
Good points here and I would add another, in that I would want to know what training/experience the appointed Business Continuity manager/co-ordinator has to perform the role, so evidence of training should be available.
I am happy not to be provided with a copy of an organisation’s plans as I would never give them out due to the secure information about the company and in particular its people, e.g. email, phone numbers etc., it would contain.
My approach has been to ask for a copy. I once had one provided, after many weeks of badgering, which was 250 pages long with much of it cut and pasted from the Internet and some of which I recognised as having written myself! Naturally this told me a great deal about the competencies of that company with regard to BC.
When plans are not provided I always insist on the provision of a ‘body of evidence’ of plans. No time to go into detail on just what I look for in this but much of it is covered by your points.
Maybe others would like to contribute what they look for….
Cheers,
Colin
There is another way.
Let them have the plan, but keep contact lists separately.
I’ve developed ours so it’s a “pack” of information. The Plan contains instructions and guidelines to follow and what the contractual recovery requirement is, and the systems and processes to recover with RPO, RTO and MTPoD, and is about 20 pages including document control, Table of Contents etc. The contacts are in a separate 1 page document which goes in the pack. This is because, in our organisation, people change more than the plan does. So if someone changes roles/clients etc, we don’t need to print a 50-70 page plan with all the contacts, just because 1 page changes.
Regards
Rob