Compliance can be a real pain in the ass.
Dotting i's and crossing t's is time consuming. Worrying about whether or not you're doing everything you're supposed to do is exhausting. There is a Latin phrase "Quod justum, non quod utile," which is do what is right, not what is easy. Unfortunately that easy button is so dang tempting. And like a siren on the rocks, it will destroy you.
What exactly am I talking about? Checking the box on your business continuity plan.
Too often business owners who are required to have a BCP - either to follow regulations, like a financial services advisory firm, or for clients to land their business - are spending money to get a slap dash version of a plan done so they can say "See? We good?" These plans are often not tailored to the specific business because they are cookie cutter or are very limited in scope: only addressing cybersecurity (which mostly looks only at technological fixes, not the entire non-technical aspects of the business).
Spending money on something that doesn't work is a waste of money. I never guarantee 100% chance at success but I can guarantee 100% chance of failure for those plans. Especially if they are pushed out by a company whose business model is to sell compliance products.
These are terrible plans on their face and the business owner may not even know it because they are trusting that since they paid for it from a company rather than some guy named "Jeff" who is the secretary's cousin. These plans also offer a false sense of security. That false sense of security runs to not just the business owner, but to the business employees and clients who trust things are going to be ok and services available at all times.
Why do regulators even bother getting involved with requiring business continuity plans? Because they want customers/clients to understand that when they are evaluating vendors for services, they are offered a layer of protection for their money.
You're just throwing money away by hitting the easy button. Once you understand it is an investment and not a box check, you'll wish you did it right the first time. Don't do it right to appease your customers, know it is securing your business, employees, and bank account as well.
Even Microsoft likes to hit the easy button on their business continuity for legacy products...and it became a very expensive and embarrassing mistake for them (check out their SEC 8-K filing from January). And Microsoft spends a lot of money on this stuff.
You're already investing. Invest properly. Get involved. Care. Don't be tempted by the sweet song of the sirens to phone it in, it will lead to a bad conclusion.
