Most executives would agree that business continuity is important, maybe even critical, to the operation of a business. Where they may hesitate, however, is when it comes to spending money on this initiative during challenging budget times.
In my 25+ years in this business, I've run up against the following typical arguments, many of which may echo your own sentiment. Here, I describe exactly why these arguments fall flat when exposed to scrutiny.
1. "We've been running our systems for years and never had a disaster."
A major incident can happen at any time. It will be little consolation to you when a disaster does occur and you are struggling to explain to the C-suite how you let it happen. Think about life insurance. Lots of people take out life insurance without ever needing to take advantage of the benefits — and they are extremely grateful when they don't!
2. "We are fully insured against any loss or theft."
This one may be partially valid in that this may have been true for some companies in the past. But to protect against a major interruption and to cover the real value of a business, a company would require insurance premiums at an unaffordable level. The cost of insurance has gone sky high in recent years — one of the reasons that has led to growing adoption of business continuity solutions and planning. Plus, it can be difficult for all but the largest companies to even get this type of insurance.
3. "We are situated in an accessible, safe area with robust infrastructure."
Geographically, you could argue that there are some areas of the world that are inherently more dangerous in which to maintain business operations. Undoubtedly, living and working in some areas poses fewer risks to personal safety than in other areas. However, criminal acts and terrorism are not the only sources of disasters. There are also many internal risks – don't overlook them. Learn more in "How to Prevent Business Email Compromise or Imposter Email Threats."
4. "Statistically speaking, fires, floods, acts of God, and terrorism are rare."
Although it is true that the headline grabbing major incidents are infrequent, they still occur. It is tempting to believe that no terrorist would target your company or your office. But an attack that has nothing to do with your company or your location could cause power outages, denial-of-service (DoS), data breaches, or other events that will negatively impact your business. And, you might be surprised to learn that the more prosaic incidents could have the same adverse business impact.
5. "Our suppliers have never let us down."
Supply chains have become more complex in recent years. As manufacturers continue to specialize and utilize just-in-time methodologies, businesses are taking advantage of this trend as a way to reduce costs in their supply chains. As a result, more vendors are involved in producing any given product. The supply chain is a risky framework. A relatively minor player that suffers a disaster could cause issues for a much larger company if that company is a customer. Businesses are operating in an environment of very specialized subcontractors. Your supply chain must be part of your business continuity program.
6. "We've already thought about what we would do if an incident were to occur."
Frankly, that's not good enough. You've doubtless heard, 'a failure to plan is a plan to fail.' Well, a failure to test (frequently and extensively) is also a plan to fail. Vague, untested plans may give a false sense of security yet be worthless. This goes for both your company as well as your suppliers. Testing is paramount. There is an increasing focus on table top testing; involving stakeholders ensures that they complete their tasks, responsibilities, and communication as described within the plans. Stakeholders that are familiar with their tasks ensure a successful recovery should an event happen.
7. "Business continuity management is too expensive."
You may have been burned in the past with solutions and plans that provided limited value, particularly during tough economic times. But if business continuity management is kept simple, focused, and reuses existing organizational structures, planning need not be expensive or difficult to implement. Above all, business continuity is a culture change for an organization. The top teams of an organization need to understand their current operational risk and come to a consensus of what their collective appetite for risk is.
8. "Business continuity maintenance involves a big commitment."
When you're immersed in growing and maintaining your business, it may feel as if business continuity management is yet another task to throw on top of the pile. But, if kept simple and embedded, business continuity becomes just another discipline, such as HR, health & safety, or credit control. It's all part of doing business in the 21st century. An emerging trend is to outsource business continuity management entirely, or pieces of it, to a third party, which can be very effective in certain situations.
If you're ready to take steps to ensure your business remains operational under all circumstances, where do you get started? A good first step is to consider the following questions:
- What are your key processes? What happens to the business if you can't do them, and how long can you be without them? Business and application impact analysis is a good way to answer these questions.
- Who are your most important customers and what will they do if they can't get your products or services?
- Who are your most important suppliers and what credit arrangements do you have with them? Do you have other sources? Make them part of your plan.
- If you and your employees couldn't access your offices, where would you work?
- In the event of a disaster, how would you communicate with your staff, your customers, your insurers?
- What threats to your business can you identify, and what is your tolerance for risk? If something happens, what will be the impact to your business?
- What are the businesses that neighbor yours and what risk could they pose?
- If an incident occurred today, how confident are you that you would know what activities you are doing today, tomorrow, next week? What are the priorities? What is your maximum period of disruption you can tolerate?
- Are you aware of any legal or regulatory obligations you may face in the event of a disaster, and what will happen if you are unable to meet them?
Whether you're convinced or not of the importance of business continuity management, one thing I think everyone would agree with is that data loss, whether from human error or a disaster, can have a catastrophic impact on your business.