I have been talking about risk registers a lot this week. Whenever a risk register is mentioned, one of the first things I say is that they are good, but I find myself echoing an old Enterprise Architect colleague whose catchphrase was “that’s a good question, but a more interesting question might be…”
A Risk Register is great; at Centerprise we have a robust Risk Register as part of ISO 27001 and the others, but a risk register only tells you what could go wrong. The more interesting question is probably, “How long could the company exist without Business Function X?”
To give an example, one of my clients has 100 or so staff in central London, so his risk register identifies a potential risk of “loss of access to the office”. This client has a very mature attitude to business continuity, and his Continuity Plan is built around “Continuity Objectives” which are drawn from his business functions. “S” is well aware that his primary continuity objective is “Meet deadline”, and that the risk of having more than 20% of his office team involved on a deadline at any given time is minimal. His Continuity Objective is “Achieve Client Deadlines”, and his mitigation is a Work Area Recovery contract for 20 seats. If his loss-of-access scenario became a long-term issue he might have a greater problem on his hands, but the risk of losing access to a central London site for more than a few days is small enough to be covered by a Plan B such as “find temporary office space PDQ”.
If you have an existing Continuity Plan, I suggest a three-point plan to sanity-check it once a year:
• Plot the Business Functions that would really impact your business if they couldn’t be performed (or those that are a legislative requirement for you).
• Abstract these into Continuity Objectives.
• Map these onto your Plan and shed the bits that are overkill.
Written by Matthew Weetman, Business Development Manager. Mweetman@adam.co.uk