Webinar Recap: BCP That Actually Works: From Plan to Practice
We just hosted a webinar on business continuity planning with Gary Walker, our senior consultant and a certified business continuity professional. The conversation covered some really interesting ground on why municipalities struggle with BCP and what actually works. You can watch the full replay below, but we wanted to pull out the core lessons in case you don't have time for the full session.
THE THREE PROBLEMS KILLING YOUR BCP
Your municipality probably has a business continuity plan. It's sitting in a shared drive somewhere. It hasn't been updated since 2021. This is worse than not having a plan at all.
Problem one: You treat it like a project, not a program.
A municipality gets funding one year to write a business impact analysis and draft recovery time objectives. The plan gets approved. IT gets a copy. Then everyone moves on. There's no annual funding. No ownership. No testing. The plan becomes a compliance checkbox and nothing else. The moment the funding cycle ends, so does the work.
Problem two: You've handed it to IT and walked away.
IT is smart, but they can't define business priorities. They can't know that if your HR department loses half its staff, finance still needs payroll processed, or that a facility outage doesn't just impact IT but impacts every service being delivered from that building. As Gary pointed out during the webinar: "IT cannot determine recovery times or dependencies for the business. The business must define that. IT will help enable the recovery, but they certainly do not define RTOs."
Problem three: Nobody tests anything.
When disruption actually hits (ransomware, weather, a critical system failure), you discover the gaps in real time. Gary was blunt about this: "The only thing worse than no plan is something that's untested and not being validated. That's actually worse than having no plan at all."
WHAT GOOD BCP ACTUALLY LOOKS LIKE
Solution one: Make it a program with annual funding.
Not a big consulting project every five years. Annual funding for ongoing management, tabletop exercises, training, plan updates. Your departments should update their plans whenever staffing changes, new services launch, or regulations shift. Small, frequent updates throughout the year. This keeps the program current without requiring massive annual reviews.
Solution two: Give ownership back to the business.
HR owns HR continuity. Finance owns finance continuity. Facilities owns facility continuity. IT owns technology recovery and disaster recovery. Everyone works together on dependencies and testing, but department heads are accountable for their own continuity plans. This changes the whole dynamic. It's not something IT has to chase down. It's something each department manages like any other operational responsibility.
Solution three: Test regularly. Learn. Improve.
Tabletop exercises aren't about being perfect. They're about finding gaps. Once you find a gap, you fix it. Next time you test, you validate that the fix worked. Testing is how you move from a document to actual capability. The municipalities with real business continuity capability are the ones that test at least annually and use what they learn to update their plans.
WHY THIS MATTERS NOW
The gap between municipalities that treat BCP as a program and those that don't is widening fast. Ransomware attacks are hitting the municipal sector harder than ever. Weather events are more unpredictable. The cost of being unprepared is no longer theoretical. The municipalities that maintain their BCP programs regularly, test them consistently, and treat them as an ongoing responsibility will be the ones that recover quickly when the next disruption happens. The ones that treat it as a project will be scrambling to understand what went wrong.
REMOVING THE FRICTION
A solid program can be built with spreadsheets and meetings and discipline. But spreadsheets get unwieldy fast. Dependencies scatter across five tabs. Updates become a nightmare. Testing results live in email threads. Accountability disappears. The tools we've built over the last five years remove friction without removing rigor. Departments see a simple dashboard where they update their services, set recovery time objectives, define dependencies, and document their team action plans. A few clicks and their plan updates automatically. IT sees the full picture: all services across the organization, their criticality, their dependencies, their incident history. Everything tracks automatically so you know where you stand.
But here's what matters: you can't wait for the perfect tool. Start now with what you have. Form a committee. Fund the program. Do a business impact analysis this year. Test it next year. Keep going. That consistency is what transforms BCP from a checkbox into a real capability.