The OGO Blog

Probably is the enemy of BCP (and your organization)

credit union bcp

How many times have you heard, “IT probably has that documented” or “The snow plow company will probably do it?” We’re beginning to hear that phrase more and more across our engagements this year and it has been put on OGO’s blacklist of words.

  • My parachute will probably work.
  • My airbag will probably work.
  • My son will probably pull his own tooth out.

Probably does mean different things in different situations to different people. However, we do hundreds of engagements a year (and personally into the dozens a year) and this type of lackadaisical attitude a bit more this year for some reason. Maybe it is because everyone is trying to cram all their BCP activities into Q3 and Q4. Maybe employees are simply use to saying probably. But not only is probably the enemy of BCP, it is also the enemy of high performing teams.

We’ve all heard the old quote: “The only thing necessary for the triumph of evil is that good men do nothing.” This concept translate directly into the operation of your organization and your BCP programs. Reword this quote to read: “The only thing necessary for the triumph of mediocrity is that high performing employees do nothing.” Mediocrity is not going to grow your business. Mediocrity will not save you during a disaster.

When I’m running a BCP event, probably is one of words that perks my ears. If I hear, I tend to key in on the conversation and interject some insight into it because it probably is missing something of value. When someone says probably, they are making the assumption that someone else is going to take care of the situation, especially in DR-related discussions.  It is an easy way for them to shift the work onto someone else or a different department.

The next time you’re in a meeting and hear the word probably, do the following:

  1. Listen completely and intently to what the person is trying to relay: “We’re probably going to open 1200 new checking accounts this month.”
  2. There will be some action needed, most likely by a different department. In this example, we’re talking about opening checking accounts which is done in the branches.
  3. Probably implies that there will be some chance of variation in the person’s answer. Try to figure out where that variation comes from. “What would stop us from opening 1200 checking account?”
  4. Most likely, you’ll get an answer from someone overseeing that department. This is the opportunity to dig into the question and help the group figure out exactly where the break point it. In these discussions, which tend to get more technical, is where you’ll find the real issues that the “probably” is hiding.

When I’m running a DR tabletop or cyber-security scenario and I hear the word probably, I’ll let the conversation finish out. Most of the time it simply stops when someone says, “Yeah, IT probably has reasonable retention on their IPS/IDS logs.” Everyone knows Jerry in IT and shakes their head in agreement. But nobody actually knows the answer to that question, except, hopefully, Jerry. So I’ll stop the entire session, all the group, and we’ll run through the question again. Jerry generally will chime in, “Our IPS/IDS logs are written to our centralized syslog server and stored for 30 days.” This is generally the time that the CISO or CIO chimes in and says, “So if we find out someone has penetrated the network and they did it more than a month ago, we won’t have any logs of the event?” And you’ll get a bunch of nervous glances around the room.

The point of these exercises isn’t to assign blame to Jerry. The goal is to get your organization to understand where your gaps exist, what level of risk those gaps represent, and to find a way to move forward. An ancillary benefit of these types of group discussions (assuming you’re doing your tabletop correctly and have a cross-organizational team doing it) is cross-training of a caliber that rarely happens in work environment.

So the next time you hear “probably” in a meeting, figure out who the real stakeholder of the information is, push to make sure the group understands where your organization is at today, and where it needs to be in the future.

Want to learn more about the services that Ongoing Operations provides? Click here.

Interested in what OGO is up to? Subscribe to our blog today!