The OGO Blog

“Probably” Is the Enemy of BCP

How many times have you heard, “IT probably has that documented” or “the snowplow company will probably do it”? We’re guessing you’ve heard it a lot more than you should have… probably.

We started to hear “probably” more and more across our engagements this year. In fact, we even put it on OGO’s blacklist of words. “Probably” is a recipe for disaster.

  • My parachute will probably work.
  • My airbag will probably work.
  • My son will probably pull his own tooth out.

Of course, probably means different things to different people in different situations. But when it comes to business continuity planning (BCP), it always means there’s a whole in the plan.

BCP Requires Foolproof Planning

We do hundreds of BCP engagements per year, and we started seeing a lackadaisical attitude towards credit union BCP. Maybe everyone was trying to cram all their BCP activities into Q3 and Q4. Maybe employees are simply used to having enough wiggle room and good luck to say “probably.”

But not only is “probably” the enemy of BCP, it is also the enemy of high performing teams. The Covid-19 pandemic exposed why “probably” isn’t good enough.

We’ve all heard the old quote:

“The only thing necessary for the triumph of evil is that good men do nothing.”

This concept translates directly into the operation of your organization and your BCP programs. Reword this quote to read:

“The only thing necessary for the triumph of mediocrity is that high performing employees do nothing.”

Mediocrity is not going to grow your business. Mediocrity will not save you during a disaster.

When we run BCP events, “probably” is one of words that perks my ears. When we hear it, we key in on the conversation to interject some insight, because it’s probably missing something of value. See, when someone says “probably,” they assume that someone else is going to take care of the situation. That’s particularly dangerous when we’re talking about disaster recovery.

“Probably” is an easy way to shift the work onto another person or department. It’s a way to relinquish responsibility. It’s a shortcut. And you can see why those things just don’t work for credit union BCP, right?

How to Increase Credit Union Performance

You probably guessed it had something to do with Probably,” right? Well, this time it was safe to assume! It has to do with eliminating any use of the word. So, the next time you’re in a meeting and hear the word probably, do the following:

Listen completely and intently to what the person is trying to relay: “We’re probably going to open 1,200 new checking accounts this month.”

There will be some action needed, most likely by a different department. In this example, we’re talking about opening checking accounts, which is (usually) done in branches.

“Probably” implies that there will be some chance of variation in the person’s answer. Try to figure out where that variation comes from. “What would stop us from opening 1,200 checking accounts?”

Most likely, you’ll get an answer from someone overseeing that department. This is your opportunity to dig in and figure out exactly where the break point is. These discussions tend to get technical, but they usually expose bigger issues that the “probably” covers up.

When we run a DR tabletop or cyber-security scenarios, we let conversations finish when we hear the word “probably.” For example, we hear things like, “Yeah, IT probably has reasonable retention on their IPS/IDS logs.” It makes sense. Everyone knows Jerry in IT and shakes their head in agreement…

But nobody actually knows if Jerry has reasonable retention on his IPS/IDS logs! Well, except Jerry (we hope). So, we stop the entire session and run through the question again. Jerry generally will chime in, “Our IPS/IDS logs are written to our centralized syslog server and stored for 30 days.”

Then, the CISO or CIO asks, “So, if someone penetrated the network more than a month ago, we won’t have any logs of the event?”

And you’ll get a bunch of nervous glances around the room.

The point of these exercises isn’t to assign blame to Jerry. The goal is to get your organization to understand where your gaps exist, what level of risk those gaps represent, and to find a way to move forward. An ancillary benefit of these types of group discussions (assuming you’re doing your tabletop correctly and have a cross-organizational team doing it) is cross-training of a caliber that rarely happens in work environment.

Final Thoughts

The next time you hear “probably” in a meeting, don’t let it slide. Figure out who the real stakeholder of the information is, push to make sure the group understands where your organization is at today, and where it needs to be in the future.

Ongoing Operations helps credit unions develop, test, and maintain business continuity plans. We’re more than happy to discuss your BCP questions or challenges. Simply fill out this short form and we’ll be in touch!