Let ’em have it?
You’ve probably noticed that the general level of business continuity awareness has grown in recent times – which is good news. But it probably means that your customers, prospects, business partners, investors or other stakeholders are increasingly taking an interest in your business continuity arrangements. In fact, if you haven’t been asked about them yet, it’s probably only a matter of time.
It’s highly likely that at some point you’ll be asked by someone for a copy of your business continuity plan. But should you send it to them or not?
Well actually, in most cases it’s not necessary and in any case the detail of your plan is largely nothing to do with them! Think about it – your plan probably contains personal or confidential information, such as names, addresses and contact numbers, commercial details or other sensitive stuff.
It’s almost certain that you wouldn’t just send a copy of your business or marketing plan or your budget forecast or your employee database or details of how you run your business to a third party, just because they asked for it. So why should the content of your business continuity plan be any different?
Rather than sending a copy of your plan, a better approach might be to send a summary of what you’ve done and what you’re doing, for instance that :
- You’ve appointed a business continuity manager or co-ordinator;
- There’s a senior-level steering group in place;
- You’ve done a business impact analysis to identify the time-critical functions and their recovery time objectives;
- The key risks to the continuity of your business have been considered and appropriate steps taken to mitigate them;
- You’ve implemented a strategy and appropriate solutions to meet the identified recovery requirements;
- There’s an incident management and business continuity framework in place, the relevant teams have been established and team members briefed on their roles and responsibilities;
- Incident management and business recovery plans have been documented;
- There’s an ongoing programme of exercising and testing;
- The strategy, solutions and plans are regularly reviewed and updated;
- The business continuity management system is in line with a recognised standard, such as BS25999.
The vast majority – particularly if they actually know anything about business continuity management – will be more than happy with this approach. In fact, there’s a fair chance that they’ll be much happier than if you just send them a copy of the plan.
Of course, if you haven’t done any of the above, you’ll probably get found out, whether you send a copy of the plan or not!