Let's look at five reasons your company's employees don't care about business continuity, and ways to make it work anyway:
1. They have no idea that a plan exists.
Believe it or not, the average employee doesn't spend a lot of time wondering how the business will survive in the event a giant Godzilla-like creature rises from the nearest body of water. They just assume someone will take care of things and usually make a hand wave about backups and perhaps even mention cloud computing. They don't understand their roles in getting the business back on its feet -- because they haven't been given roles or training. In InformationWeek's 2013 State of Storage Survey, less than half of survey respondents (40%) had a disaster recovery and business continuity strategy in place and tested it regularly. Another 40% had a disaster recovery plan in place but rarely tested it, while 20% had no plan. I suppose we could all adopt an optimistic outlook and hope for the best, but it kind of gives you a sick feeling, doesn't it? If not, it should.
Business continuity best practice: Engage your users with a broad-spectrum awareness policy, including what they should do in the event that they can't do their jobs. This should include explicit printed instructions for remote working and how to report an outage if the email server is down. Oh, and it should go without saying that you need to test your BC/DR plan regularly. If you want to be a stickler, take the system down as part of a test on a weekend and see how well the average user deals with the calamity.
2. They don't understand the meaning of "disaster."
Hollywood has taught us that disasters mean lots of special effects and perhaps Will Smith swooping in with a few witty quips and a big plan to save the day. But it's not like volcanoes and zombie outbreaks happen every day, or even once in a while. Disaster recovery more often involves power outages due to various terrestrial reasons, or data loss from malware, or just general clumsiness from employees destroying data accidentally. These aren't one-time events but rather things that are definitely going to happen -- maybe not today, maybe not next week, but you can bank on it. CIOs know and understand this, but your employees don't.
Business continuity best practice: Be crystal clear about what "disaster" means -- less smoke and laser beams and more visions of being attacked or someone accidentally deleting a directory. Include several sample scenarios that people can understand are high probability and in their best interest to prepare against.
3. They are creating new venues for business-critical data outside of the plan.
You know rogue IT is out there. You may even guiltily do it yourself, whether "it" is a stash of company documents on Dropbox or the new process that was sandboxed up on Amazon AWS and somehow never managed to migrate back home once it rolled into production. Even if your policy mandates optimum security practices, there's likely a team out there sourcing all of its files up on Google Drive because team members don't understand the implications of free cloud storage. While there are numerous reasons this activity might not be copasetic for your industry, that's a discussion separate from the need to work those processes into your business continuity plan.
Business continuity best practice: Combat rogue IT with detective work. If there's a team out there that is spartan with its file storage, consider it a red flag -- practically no one practices pristine data hygiene. They're storing their data somewhere, and if it's not on your covered systems, where is it? Expect reluctance to share, but with an assurance that you're not trying to hamper their efforts, but instead working to protect them, you should be able to break down silos. At the very least, get it on record that the offer was made.
4. They weren't even covered in the plan.
We've all experienced the ongoing struggle to align IT with the business, and this is one of the symptoms: The authors of a business continuity plan overlook business-critical processes simply because they didn't realize they were essential. Can you really blame employees who don't care about a plan that doesn't protect them? This is a big issue, and usually these processes aren't caught until the actual disaster strikes and it's too late.
Business continuity best practice: Consider it an opportunity for IT alignment outreach. Beat the streets and learn exactly what users are doing to drive company business. Keep track of all vital systems and ask questions, specifically as it would pertain to "what-if" scenarios around your business continuity plan. Yes, it's easier said than done, but IT needs to stay on top of what's mission critical this week.
5. They have their own disaster at home.
In the event of a hurricane, flood or zombie apocalypse, your employees are suffering the same environmental impact as your organization. Consider, for instance, Hurricane Sandy -- the residents of the impacted regions were concerned first and foremost about their loved ones and property and their own safety. If your business recovery scenario relies on one or two key individuals who know the passwords and procedures to get systems back online, you're taking a tremendous gamble that they are going to be able to focus on the needs of the company during a time of crisis.
Business continuity best practice: This is how you can differentiate a good company from a great one. Great companies provide for the creature comforts and work-life balance of their employees. Making sure your staff has what they need to do their jobs is an often-overlooked aspect of business recovery. Ensure that your business continuity plan contains recommendations for emergency housing and food, and arms your employees with everything they need to take care of business -- both yours and theirs.