Your day is running along just fine. You’re busy but you’re on top of everything, so barring a disaster or someone throwing you a curve ball, work is going well. And then it happens – in comes the reminder to review your Business Continuity plan.

Do you? Don’t you? Do you? Don’t you?

Your first thought may be ‘what’s the minimum I can get away with?’ No one’s looking, no one’s checking so how about I change the date and version number and send it in. Job done. Back to work.

So when was your plan last reviewed? Typically this could be a year ago, so has your team changed? Have you lost or gained any critical processes? What about the systems you use? Have any suppliers changed? Any customers changed?

Actually, now you’re starting to think about it, would that strategy really still work? Shouldn’t we do something a bit smarter? And what was the recovery time objective for process xyz again?

Before you know it you’re looking for service contracts and service level agreements between you and your customers and you and your suppliers.

‘Heck. This is freaking me out now!’

‘Have we ever actually tested any of this? Did it work? What did we learn? Has anyone seen the test report?’

The search for documentation is underway. ‘Oh my god we’ve got a Corporate Policy on this! Has anyone read this? And there’s a set of standards we should be complying with.’

Right, let’s slow down for a minute. As a Business Continuity practitioner I have a foot in both camps. I have worked with lots of organisations developing their policies and standards and the whole idea of these is to ensure that plans and capabilities are effective at all times in case the organisation needs to rely on them. They drive good practice. Policies and standards are also aligned to the risk appetite of the organisation.

On the other hand, line managers are busy running their departments, doing the day job. That’s what they are employed to do so that the organisation achieves its objectives. Any ‘bureaucracy’ such as plan reviews is a hindrance and detrimental.

So what should organisations do? If they relax the standards, they increase the risk of not surviving business continuity incidents, but if they make the standards too onerous, they risk losing buy-in from the internal functions.

Whatever goes into the Policy, Standards and Plans has to be realistic, relevant and appropriate. Equally the review process needs to be simple and effective (sorry I couldn’t resist).

Above all else there has to be a positive culture towards the topic – often a hard nut to crack – people need to be engaged and understand why these disciplines are necessary and the objectives to be achieved. Regular and ongoing dialogue is critical and support needs to be provided in a variety of ways if your organisation’s plans are to remain effective.

OK. So if you’re in the central function chasing departments for their plan reviews, make sure your approach and support are right. If you are responsible for a department’s Business Continuity Plan, take a moment to think – you may just need to rely on the plan one day.