Combating BCP Complacency Through Cultural Change

A couple of days ago I talked about complacency in business continuity planning and suggested that there may be a greater sense of awareness and urgency to get plans done in the U.S. than there may be in the U.K. and Canada. According to a press release that came out today, I could be giving the U.S. more credit than it's due. In a report entitled Disaster Planning in the Private Sector: A Post 9/11 Look at the State of Business Continuity in the U.S. co-authored by AT&T and The Partnership for Public Warning, the authors contend that nearly a quarter of companies in the United States are conducting business as usual without developing, implementing and testing contingency plans. Pretty scary stuff. Scarier still is the fact that the places we might expect to have the greatest degree of compliance rate fairly low on the scale:

"The survey indicated, surprisingly, that New York and Washington, D.C. were among those least prepared. In both cities, nearly 25 percent of companies lacked a plan. South Florida was the most prepared-only 15 percent of business respondents admitted not having a business continuity plan."

It is interesting to note that South Florida exhibits the greatest degree of compliance, due in most part to the fact that emergency preparedness for hurricanes is an annual ritual.

We have used this forum to repeatedly discuss the insurance implications and benefits associated with risk mitigation. However, one thing that we have not yet discussed is our belief that in order for these numbers to improve, business continuity has to evolve from a static playbook into a permanent mindset.

Sure, in the aftermath of terrible disasters firms have taken it upon themselves to put a plan together, but this tends to take the form of a great big playbook that once completed, and passed around for everyone to ooh and ahh at, is permanently placed on a shelf to gather dust. That's simply not the point. Business processes move and change daily, therefore it's impossible that a static plan can adequately address the most contemporary business processes if it hasn't been periodically tested and updated. I think this quote from a recent piece by Michael Croy of Forsythe Solutions Group Inc. nicely summarizes what I'm referring to:

"Disaster recovery and business continuity should be woven into business processes throughout the company. Too often, that planning is relegated to an annual exercise guided by a project mentality. If companies are to remain in compliance with federal regulations over the long term, disaster-recovery and business-continuity processes and data-security measures should be baked into operations and change-management activities."

Understanding that BCP isn't just about IT and static plans is key in adopting the business continuity mindset. Peter Power of Visor Consultants notes in a recent article that Lloyd’s chairman Lord Peter Levene hit the nail on the head when he recently talked about new global risks that threaten corporations:

“I firmly believe that the most successful, least crisis-prone businesses will be those whose boards have shown firm resolve and taken decisive action. Effective, integrated strategies for dealing with tomorrow’s risks require a change in culture at board level now.”

Cross-cultural cultural change -- I like the sound of it already.