In the previous two blogs in this series on best practice in BC planning, I looked at identifying and mitigating the risks to your corporate environment, and at scenario planning for your identified risk events. These two steps prepare the ground for the next task, which is to develop your response and recovery plans should the risk you fear actually materialise.
Once you have scoped out your risks and looked at the different scenarios that could develop, you are in a great position to plan your response. But you must now beware, because this is the stage at which most BC plans leave the real world and enter the fantasy world of policy, procedure and backside covering. Once you enter this fantasy world, then the end result is likely to be an amazing plan that keeps the policy wonks happy, ticks every possible compliance box, reassures the anxious bosses in the C-suite, but is actually completely useless when a real crisis takes place.
When the excrement hits the fan then the last thing you need is an encyclopaedia sized policy document that does not tell you in plain and simple language exactly what needs to be done, who needs to do it and when they need to have completed their tasks. The most complete and well thought through BC plan is useless in real time if it cannot be used as an action guide. In this scenario, the most likely thing to happen is that the policy book gets thrown aside and the response team starts to act on gut instinct alone. This would be a disaster.
Far better to have in place a series of short, risk specific, incident standard operating procedures (SOP) that will provide a step-by-step guide to essential tasks in the resolution of and recovery from the incident in question. You should produce at least one of these incident SOPs for each of the identified risks on your corporate risk register, and possibly several of them, segmented by response team, depending on the complexity of your organisation and the risk to be addressed.
Each incident SOP should be clear as to who is responsible for each task or task list, the exact steps that need to be undertaken, the time limit is for completion of these tasks and in what order the tasks should be completed. This might sound ridiculously simple, but when the chips are down and everyone around you are losing their heads, and blaming it on you, a ridiculously simple set of instructions will help you to keep your head and guide the incident to a quick and effective resolution.
This real time utility is the philosophy on which Crises Control is based. That is why we have built a library of over 200 potential incidents for our customers to populate and also why we will shortly be launching two new modules for the platform. The first of these is a task manager function with the ability to create a series of incident related task lists and manage the execution of these during a risk event. The second is a unique incident standard operating procedure wizard that will allow customers to create their own bespoke SOPs drawing on best practice and high quality content that is hosted on our platform.
Much more to follow on these exciting developments in the next few weeks.
This blog is the third in a series looking at different aspects of best practice in BC planning.