Any theorist can write a plan. Everything ‘looks good on paper’.

Organisations often take comfort from the fact that they have a Business Continuity plan. They even take comfort from the fact that key suppliers and critical partners also have plans. Due diligence procedures will usually ask whether the recipient organisation has a Business Continuity plan. Of course they will always answer ‘Yes, we have a plan’ but they are not going to volunteer immediately that it’s never been validated or used.

People like plans. They are tangible. They are visible. They are auditable. So they satisfy a lot of requirements. Plans also provide the basis of the Business Continuity capabilities so my first point is that ‘Yes, we still need plans, but they are the beginning rather than the end game’.

Right. You’ve got your plan. Now what?

Have your people been provided with a copy? Have they ever been briefed or trained on it? I know for a fact that when a Business Continuity manager sends the latest version of an organisation’s plan out only a small percentage of team members will read it. Why would they? They only need it if something sinister happens so they opt for waiting until that day arrives. All well and good but if the documented theory is flawed it’s a bit late finding out when you are expected to be able to rely on it.

In addition this tells us something about the way Business Continuity plans need to be written. Let’s accept for a moment that people will only look at it in the hour of need – at this stage we won’t have time to educate or train them, we need to get on with dealing with the incident. Plans therefore need to be written in a practical and useful way so that people can pick them up and use them – sorry theorists but people simply do not need background, history, policies and explanations they just need to know what to do next.

Your organisation’s Business Continuity Plan will be much improved and fit for purpose if you have validated it through exercising. Every exercise I have ever conducted has resulted in changes and improvements to plans. No one would ever disagree that it’s better to identify such changes before a real incident.

Training and educating your people is also a critical element of developing effective Business Continuity capabilities. I have written previously about how organisations would never allow untrained personnel to execute business processes or deliver services to clients and yet we seem to think our people can immediately manage a business continuity situation without training, practice or even any warning. If this was the case no one would ever bother planning.

If you are undertaking a due diligence exercise on the topic of Business Continuity don’t stop at asking if the organisation on whom you are going to rely has a plan. I’ve already given you the answer above. Probe a bit further. Has it been exercised or tested? Has it ever been used? Has the team been trained and so on.

Good plans are essential but they are only part of the overall solution. The only way we will be judged is how our organisations come out of an incident and statements such as ‘but we had a great plan’ are not going to save you.