For some time, Government agencies (especially in North America) have focused their Business Continuity efforts (or Continuity of Operations, COOP, as they often prefer to call them) on an ‘All-Hazards’ planning approach.
Several years ago, I attended a presentation by a major US Government institution. The presenter began by defining Continuity of Operations: “COOP is a management process that identifies risk, threats and vulnerabilities that could impact the government’s continued operations and provides a framework for building organizational resilience and the capability for an effective response.” He then defined Business Continuity simply by substituting the word “business” for “government” in the same sentence.
What is All Hazards?
Why mention that? Because some Business Continuity Managers believe that “All-hazards” is only for government use; that private business must adhere to the ‘Big 4 Scenario’ approach to BC planning (Loss of Building, Loss of People, Loss of Technology, and Loss of Vendor). All Hazards is more comprehensive. It enables the preparation of organizations (any organization) to respond to any threat or vulnerability. Rather than plan for specific scenarios, the All Hazards approach creates a capability to respond effectively regardless of what happens – even those things which cannot be anticipated (those “black swans”).
Why All Hazards?
Adoption of an All-hazards approach to BC planning forces an organization to focus less on regulations (without ignoring them) by applying much greater emphasis on actionable plans (heavy on what-to-do, rather than why-to-do). Both scenario and All Hazards approaches require clear policies on goals and methods. But an All Hazards approach is rooted in action, rather than in lists of potential resources (which is often the case in ‘best practice’ BCPs) and lots of regulatory compliance components (risk assessment and BIA results, for example).
We live in a rapidly changing, global, always-on business environment today. None of those things are likely to slow down in the future. Business Continuity Managers have an obligation to help their organizations become better prepared to respond to those things which may impact their ability to deliver products and services. It’s no longer enough to simply write response strategies to the Big 4 scenarios. The world never was that simple – and it’s getting more complex every day.
How to Make the Transition
All Hazards BC planning means preparing for any disruption of day-to-day operations that may occur. It sounds great, but how is that possible? For most organizations, the first step is to change their Recovery mind-set. Instead of creating a facility-recovery plan (for everything in that building), or a Department recovery plan (for all the functions, no matter where they are), All Hazards plans must focus on Business Processes. It is at the Business Process level that impacts are felt – and can be responded to.
The second step requires another change. Instead of planning to respond to predetermined scenarios (such as the Big 4), plans should focus on responding to the disruption of the critical assets (dependencies) of those Business Processes.
By planning to recover/restore/continue/workaround critical assets (Facilities/workspace, people/teams, IT systems and applications, physical resources, internal and external suppliers), All Hazards planning focuses on the impact of the disruption – not its cause. Also, by narrowing the focus to assets, it is always possible to implement the Plan – even when the traditional ‘scenarios’ fail (such as when only part of a building is unavailable, or only a specific Application, or when multiple impacts don’t fit any single ‘scenario’).
Long Term Impacts
All-Hazards BC plans are designed to enable an effective response when any one – or several – of those dependencies are disrupted. Refocusing on Business Processes may be a ‘cultural shift’ that takes time to absorb. But creating strategies/actions to recover critical assets of a single Business Process is less complex than whole Department or Location-based ‘scenario planning’. The initial conversion may take some additional effort. But the long-term effects will produce plans that are:
- Easier to exercise with a wider variety of options (since they are no longer scenario-specific)
- Simpler to maintain (since a change to a dependent asset triggers a change to the Plan)
- More effective because they can be used in any and every circumstance.
Studies show that – in an actual disruption – most plans are ignored. Why? Because most plans don’t fit the actual disruptive scenario, making them difficult (or impossible) to apply. With All Hazards Plans, that is never the case.