What’s the use?
It may come as a shock to some – particularly those who championed or funded the development of their organisation’s business continuity plan – but, despite the time and effort spent on them, most plans won’t work.
Because most business continuity plans aren’t designed to actually be used. They’re designed to pass an audit. So they’re crammed full of all the peripheral stuff that an auditor, quite reasonably, wants to see to prove that you’ve done things ‘properly’. Which means there are often several dozen pages of scope, objectives, policy, assumptions, version control, maintenance, testing, business impact analysis, risk assessment and goodness knows what else before you get anywhere near the bit that actually helps you to deal with the crisis/incident/disaster/emergency (delete as applicable) that you’re faced with. Does this sound familiar?
One option is to write two plans – one for the auditor and one for the people who might actually have to use it in anger. But that would almost certainly result in some duplication of effort, not to mention some awkward questions from said auditor if they rumbled you.
A better option is to simply remove all of the peripheral information and put it into a separate document, which forms part of your overall business continuity management system. That way those called upon to put the plan into operation might actually be able to find the stuff they need, when they need it, rather than ploughing through pages and pages of ‘stuff’ first. Or, worse still, ignoring the plan completely, at precisely the time that it should be of most use.