Beyond Cranky People (BCP): Discovering “Plan B”

By: (CISA, CISSP)

Publication: The Kansas Banker , July 2015

 KBAJuly2015“I don’t want to work on this. I think it is a waste of time.” These were the opening lines from a department manager as we met to work on details of the Business Impact Analysis (BIA) I was helping to develop for a Business Continuity Plan (BCP). Next came, “If something bad happens you have to be smart and figure out how to fix it rather than try to look it up in some big book.” I was surprised. This “negative brick wall” was coming from a top employee—good attitude, highly competent, and an excellent work ethic.

What would you do or say? Keep on reading and I will tell you what I have learned.

According to the FFIEC, I was the “personnel responsible."[1] It was my job to gather details from my assigned departments so the “functions, processes, and personnel could be analyzed”[2] as a part of the BIA. Do you have or have you had this responsibility? If so, you may also have encountered people who did not like the idea.

There could be many reasons people are resistant to regulatory compliance tasks. Maybe they had a previous negative experience—endless meetings with little or no results. Maybe there is a lack of understanding—regulatory details and terminology may be complex and unfamiliar. Maybe there is a fear of failure—they don’t want to make a mistake or deliver poor results.

While consulting with financial institutions I have learned most good employees with a few years of experience have a “Plan B” in mind. Plan B is what he or she will do in the event there is a disruption to Plan A (normal operations). Plan B is a contingency plan—a continuity plan—in spite of his or her aversion to continuity planning. Like the manager said, they are smart and they have learned “how to fix it.”

So how do we bridge the gap between gathering BIA details and learning about Plan B? For me, I have had good results using a few short, simple questions in an interview setting. I try to stay away from BCP terms or jargon. Instead the questions are founded on a fundamental writing technique often called “Five Ws and a H.” Here are the questions I ask about critical processes:

  • How do you do this? or How is this done?

  • Who does it?

  • When is it done?

  • Where is it done?

  • What is needed to do it? What information? What equipment?

  • Why can be asked as a follow up to clarify any information.

Finally, I ask one more question to discover Plan B. This question is based on one from the FFIEC BIA section.[3] How would you do this if your core application, computer, network and/or Internet access were not available?

With the answers to these questions, you should be able to fill in the recovery details needed for a critical business process in the BIA. You will become the translator or interpreter between regulatory requirements and the Plan B of your smart employees. In this role, you will need to be familiar with the 14 questions in the FFIEC guidance.[4] These questions will help you form your interview questions and will serve as a reference to be sure you have gathered the information you need.

And now the rest of the story about the resistant manager. First, I listened. Then I explained I would take care of the BIA and said I had some short questions about how the process was done. We made it through the questions. Along the way we confirmed a vendor in Plan B would be able to provide a temporary service until we got back to normal operations. (If we had not taken the time to work on the BIA, the Vendor services would have been assumed, but not verified or tested.) Overall, a Win/Win.


[1] The Business Continuity Planning IT Examination Handbook, February 2015, Federal Financial Institution Examination Council (FFIEC), page 6.

[2] The Business Continuity Planning IT Examination Handbook, February 2015, Federal Financial Institution Examination Council (FFIEC), page 6.

[3] The Business Continuity Planning IT Examination Handbook, February 2015, Federal Financial Institution Examination Council (FFIEC), page 7.

[4] The Business Continuity Planning IT Examination Handbook, February 2015, Federal Financial Institution Examination Council (FFIEC), page 7 and 8.