Business Continuity Part 2: Too Many Plans Contain 'Blind Spots'
My recent post on Business Continuity Planning and its role in supporting institutions affected by the recent Midwest flooding generated more than its fair share of dialogue with my peers.
So much of what's required by regulation often presents itself as a documentation exercise and rarely transcends the theoretical domain into practical use. So, when it happens, when an institution needs to depend upon one of these documents to manage through the very situation it was intended to address, it's of great interest to the practitioner community.
One of the more interesting facts to emerge from my clients affected by the flooding is how many of them avoided any direct impact to their business operations. The worst of it was for one institution that needed to evacuate part of its back-office operations, but didn't directly rely upon its plan. They made decisions based upon office space available at different branches and redeployed as necessary until the threat subsided.
What was a bit surprising is that when I asked a few of my clients if they had at least reviewed their plans "just in case"... none had. Furthermore, when I asked if they intended to factor the flood conditions into future business impact analysis and risk assessment activities in support of their BCP, they were mostly unsure. Based on my experience with BCP, I'm not surprised.
I've often encountered businesses that have BCPs that fall short of addressing all likely risk factors. I'm often amazed by how short-sighted some of these plans can be. Here are some examples:
Why do these "blind spots" exist? Because smaller institutions (and some large ones as well) develop their plans by simply filling in templates. They don't possess the broader exposure or experience in understanding the various points that need to be considered. However, once an event occurs and the plan needs to be relied upon, its deficiencies are brought to light in a heartbeat. I've often heard phrases such as "we never considered the possibility" or "we never encountered it before and didn't think we ever would".
For the institutions I talked to about the recent flooding, this was a first-time occurrence. There was nothing historically to make them believe they needed to factor such conditions into their BCP. However, a properly developed, deployed and tested BCP addresses all likely scenarios.
I wonder how many financial institutions based throughout the United States would fare under similar conditions. I wonder how many are planning to review their strategy, as well.