
    ISO 27001 & ISO 22301 Blog

    How to deal with BCM sceptics?

    Have you ever heard something like “It can’t be done”, “It has no use”, or “It’s useless if a major disaster occurs”? If you have implemented business continuity management, you probably have. Naturally, such an attitude will not help your project, so here are some suggestions on how to handle such people.

    “If a major disaster occurs, we won’t be able to do anything”

    This is probably the most common one. They may be right, unless you have really prepared your business continuity strategy and business continuity plans taking into account all the possible scenarios. If you did that, you can explain to them that you have prepared an alternative site which is distant enough to withstand any kind of disaster, that you’ve made a backup copy of data, that there is a replacement for any employee in the company, that you have alternative suppliers for any critical service, etc.

    “If a nuclear war breaks out, it won’t work”

    Well, unless you are a military supplier, it wouldn’t matter, would it? Basically, in this kind of catastrophic scenario, your business probably wouldn’t have a purpose anymore.

    “It has no use”

    Just pray you’ll never have to use business continuity. Even without mentioning the well-known examples like 9/11 or Hurricane Katrina, it is enough to ask – have you ever experienced a power outage? Or did your server break down? Or maybe a PC with important data on it? Have you ever heard of a building that burned down completely? It is enough to read newspaper headlines to understand that those things can happen to anyone.

    “We will do this only to satisfy the auditor”

    Wrong priority. If you do it properly, you’ll protect yourself, and as a consequence your auditor will be happy.

    “We can’t foresee all the incidents”

    This is true, at least in the beginning. But if you perform your risk assessment right, use literature and various resources, and review the assessment regularly, the chances are that in time you’ll be able to take into account all the possible risks. Once you know them, you can prepare your response.

    “In case of emergency, people will start looking after their families, not after the business”

    True also. Who wouldn’t call his/her family first to see if they are all right in case of an earthquake? But if you plan very carefully who can go home right after an incident occurs and who must stay and resolve the situation, and if you take care of the families of the employees who must stay (e.g. by assigning some other employees to this task), then you’ve probably solved this problem.

    “People will react irrationally in crisis situations”

    Definitely true. But if you train your employees (and suppliers/partners) regularly, and if you exercise your business continuity plans, they will get used to stressful situations, and will probably respond in the right way if such a situation occurs.

    If you have already implemented similar projects, you know how important awareness is – if your co-workers do not recognize the purpose of such projects, you will experience great difficulties with implementation. Not to mention that your project might fail altogether – this is why you need to consider awareness raising in advance.

    Check out this webinar, Developing the business continuity strategy according to ISO 22301, which explains how to prepare for different disruption scenarios.

    Dejan Kosutic
    Dejan holds a number of certifications, including Certified Management Consultant, ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, and Associate Business Continuity Professional. Dejan leads our team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards. Dejan earned his MBA from Henley Management College, and has extensive experience in investment, insurance, and banking. He is renowned for his expertise in international standards for business continuity and information security – ISO 22301 & ISO 27001 – and for authoring several related web tutorials, documentation toolkits, and books.