Assumptions: Business Continuity Plan Killers

Assumptions are the IED’s (Improvised Explosive Devices) of Business Continuity. Anyone can create one and, once strategically placed (usually tucked among the Mission Statement and Objectives) they have the capability to destroy a Business Continuity or Disaster Recovery Plan in an instant.

So what can a Planner do to protect against those roadside bombs?

I’ve looked at hundreds of Business Continuity Plans (plus DR Plans and Crisis Management Plans) in my lengthy career. Every time I see a plan section titled “Assumptions” I cringe. There may be instances where predicating a Plan on assumptions may be useful, but most often it is an excuse to absolve the plan writer of responsibility should the plan’s execution go awry.

What do I mean by ‘assumptions’? Some examples:

  • Access to the building will not be prohibited for more than 48 hours.
  • All personnel listed in this plan are willing and available to work when and where assigned.
  • In the event of interrupted access to IT systems, access to original documents will be made available.
  • The corporate network will remain accessible to all other operating locations.
  • All critical IT Applications & Systems with be restored within “X” hours.
  • The plan is not applicable during quarter- or year-end periods.

These are real assumptions (shortened to fit the space) found in real plans. Shown together like this, the emerging pattern seems petty, silly, and obviously self-serving. Yet they exist. These and many like them appear in hundreds (if not thousands) of plans that organizations rely on. (There are also assumptions that are the direct result of basing a plan on a specific Scenario. Scenarios are covered in another blog.)

Regardless of the reason an assumption is made, the effect is always the same: if the assumption doesn’t occur exactly as cited, the Business Continuity Plan fails. Its only value may be to sop up the flood waters, or to fan the flames. An assumption is an obstacle placed in a highly visible spot – assuring that the writer can’t be blamed if the assumption doesn’t occur. A Plan with multiple assumptions is an accident waiting to happen. The perfect scenario (where the stars and assumptions align in perfect harmony) is never likely to happen; the plan is almost certain to fail under all circumstances.

So what are the alternatives?

When the initial premise of a Business Continuity or Disaster Recovery plan focuses on the cause of a potential disruption, an assumption may seem necessary. But that need not be true. The solution:

1. Plan at a more Granular Level.
When writing a Business Continuity Plan for a facility (and all the business operations that take place in it – not to mention the IT assets involved) it is difficult to see the forest for the trees. Assumptions are a way of coping. Instead, try planning for the disruption of the individual business processes or IT applications housed in that facility. Even drilling down to plan for the disruption of a Department may allow for more targeted recovery strategies (and fewer assumptions). Just be careful – within a Department, not every process has the same RTO; don’t fall into the trap of trying to treat every process as an equal – that’s another assumption that will lead to failure!

2. Stop focusing on Cause and switch to Impact
If all the homework has been done (BIA, dependency mapping, Risk Assessment), the assets – people, facilities, IT apps/systems, vendors & business processes – on which a business process or IT application/system relies should be evident. Use that information. Documenting the strategies (and tasks) required to recover that asset is possible – and why access was lost isn’t necessarily relevant. Sure it’s possible to lose multiple assets, but if you develop recovery strategies for every critical asset, you’ll still have options during a disruption.

3. There’s more than one Path
In a perfect world a Business Continuity Plan would document a single path to achieve recovery. Follow those steps and you reach nirvana. In the real world, the path to recovery may branch, loop back on itself and change over time. By focusing on asset recovery, and documenting multiple recovery strategies for those assets (ex. Alternate site, alternate team, manual process, etc.) recovery is possible under any scenario. Just pick the best recovery strategies for the circumstances.
If you a make assumptions a critical component of a Business Continuity Plan, you diminish its odds of success. Why plan for failure? Stop focusing on what your plan can’t do, and plan for all the potential options that could lead to success.

SHARE:
Jim Mitchell

Jim Mitchell

A frequent speaker at Business Continuity conferences, many of Jim Mitchell’s blogs can be found elsewhere on eBRP’s website and has published articles in DRJ, Continuity Insights and Continuity Central. Jim has more than 20 years of experience in Business Continuity; if you don’t agree with his opinions – he won’t be surprised.

Related Posts

Enterprise Resiliency: Navigating Through Disruptions

Enterprise Resiliency: Navigating T...

In today’s threat landscape, the ability of an organization to…
Orchestrating BC/DR Testing: Virtual – Emergency Operations Centers

Orchestrating BC/DR Testing: Virtua...

  Enhancing Planning and Logistics Management  Coordinating BC/DR tests involves…
Insights into creating a successful Disaster Recovery Test – Part 2: Preparation

Insights into creating a successful...

Insights into creating a successful Disaster Recovery exercise – Part 1: Objectives

Insights into creating a successful...

Aligning Cyber Incident Response Planning with Your BC/DR Program

Aligning Cyber Incident Response Pl...

Cyber disruptions – and their impact on both reputations and…
What Can You Do when your BCM software Relationship Falls Apart

What Can You Do when your BCM softw...

“This isn’t working.”  “I’ve changed.”  “I don’t see a future…
Aligning BC/DR to CSIRP Challenges

Aligning BC/DR to CSIRP Challenges

The immediate reaction to a cyber-security incident is the FUD…
Technology Modeling – the eBRP Way

Technology Modeling - the eBRP Way

Definition: Technology modeling is a point-in-time snapshot of an Enterprise’s…
eBIA – The eBRP Way

eBIA - The eBRP Way

Definition: A Business Impact Analysis (BIA) is the cornerstone of…
Threats, Impacts, BCPs

Threats, Impacts, BCPs

Within Business Continuity circles there is ongoing debate about the…