5 Reasons Your Employees can be a major risk to your Business Continuity & Recovery plan
Developing an exhaustive business continuity plan is critical to the well-being of your organization, but it’s important to note that a common risk factor not considered, is potentially your own employees. A well thought out plan could take months of drafting, refining and testing, documentation and formulating a recovery plan to get you back on track.
One of the many risks that are commonly overlooked is varying degrees of end user frustration, apathy and general ignorance.
Some common reasons your company’s employees don’t care about business continuity, and ways to make it work anyway:
They have no idea that a plan exists. Believe it or not, the average employee doesn’t spend a lot of time wondering how the business will survive in the event a major crisis They just assume someone will take care of things and usually make a hand wave about backups and perhaps even mention cloud computing. They don’t understand their roles in getting the business back on its feet — because they haven’t been given roles or training. According to InformationWeek‘s 2013 State of Storage Survey, less than half of survey respondents (40%) had a disaster recovery and business continuity strategy in place and tested it regularly. Another 40% had a disaster recovery plan in place but rarely tested it, while 20% had no plan. I suppose we could all adopt an optimistic outlook and hope for the best, but this is not the way to protect your business from risk.
Business continuity best practice dictates user engagement with a broad-spectrum awareness policy, including what they should do in the event that they can’t do their jobs. This should include explicit printed instructions for remote working and how to report an outage if the email server is down. With regular tests of your business continuity plan and occasionally planning a system outage drill as part of a test on a weekend to see how well the average user deals with the calamity.
They don’t understand the meaning of “disaster.” Disaster recovery more often involves power outages, or data loss from malware, or just general clumsiness from employees destroying data accidentally. These aren’t one-time events but rather things that are definitely going to happen — maybe not today, maybe not next week, but eventually. CIOs know and understand this, but employees don’t.
Be crystal clear about what “disaster” means – such as the potential of being attached via a virus, individual or someone accidentally deleting a directory. Include several sample scenarios that people can understand are high probability and in their best interest to prepare against.
Employees can create new venues for business-critical data outside of the plan. Stashing of company documents on Dropbox or the new process that was stored on Google Docs somehow never managed to migrate back home once it rolled into production. Even if your policy mandates optimum security practices, there’s likely a team out there sourcing all of its files up on Sky Drive because team members don’t understand the implications of free cloud storage. While there are numerous reasons this activity might not be acceptable for your industry. Expect reluctance to share, but with an assurance that you’re not trying to hamper their efforts, but instead working to protect them, you should be able to break down silos. At the very least, get it on record that the offer was made.
They weren’t even covered in the plan. We’ve all experienced the ongoing struggle to align IT with the business, and this is one of the symptoms: The authors of a business continuity plan overlook business-critical processes simply because they didn’t realize they were essential. Can you really blame employees who don’t care about a plan that doesn’t protect them? This is a big issue, and usually these processes aren’t caught until the actual disaster strikes and it’s too late.
Consider it an opportunity for IT alignment outreach. Beat the streets and learn exactly what users are doing to drive company business. Keep track of all vital systems and ask questions, specifically as it would pertain to “what-if” scenarios around your business continuity plan. Yes, it’s easier said than done, but IT needs to stay on top of what’s mission critical this week.
They have their own disaster at home. In the event of a natural disaster, your employees are suffering the same environmental impact as your organization where concerns first and foremost will be about their loved ones and property and their own safety. If your business recovery scenario relies on one or two key individuals who know the passwords and procedures to get systems back online, you’re taking a tremendous gamble that they are going to be able to focus on the needs of the company during a time of crisis.
This is how you can differentiate a good company from a great one. Great companies provide for the creature comforts and work-life balance of their employees. Making sure your staff has what they need to do their jobs is an often-overlooked aspect of business recovery. Ensure that your business continuity plan contains recommendations for emergency housing and food, and arms your employees with everything they need to take care of business — both yours and theirs.
