Don’t Plan for Snow – Plan for Impacted Assets

The harshness and repeated ferocity of the winter of 2015 (especially in the New England states) sent many businesses scrambling to update their Business Continuity Plans.  The earlier Ebola crisis in West Africa set off the same kind of frenzy.  As a wise Business Continuity Management (BCM) guru once said “no good crisis should go unexploited”.  What he meant was that public crises can be leveraged to stimulate interest (and funding) for BCM.

The result of the blizzard and Ebola phenomena isn’t about stimulating interest, it borders on panic – for all the wrong reasons.  An earlier blog addressed the wisdom of planning for impacts, not for events.  These recent snows and epidemics have served to reinforce that advice.

There are so many things that could happen to disrupt your organization.  Many of them are as yet unknown (those “black swans”). But are “Scenario Plans” worth the effort? Consider that the 30-day snowfall record for Boston set in January-February 2015 (90 inches) broke the previous record (59 inches) set 37 years earlier (1978).  Does it make sense to create a ‘Blizzard Plan’ – if it occurs every 30 years?  Likewise, is an ‘Ebola Plan’ really necessary when that specific virus is unlikely to spread in significant numbers beyond West Africa?

In many ways, the panic to plan for specific events mirrors how the TSA looks at airport security:  by guarding against something that already happened (the “Shoe Bomber”, for example) by installing new safeguards (shoe removal) to assure it won’t happen again.  TSA procedures grow with every (thankfully) foiled terrorist attempt on air travel.  Likewise, a BCM program with plans for every possible event will eventually resemble Wikipedia (but prove less useful).

Surely some of the scrambling that’s taken place results from pressure – from the C-Suite, the Board, from internal auditors – to prove our organization is ready for that ‘hot threat’ of the moment.  It is possible to be prepared for that blizzard, or plague – or tsunami, bombing, flood, DoS attack, labor strike, or the return of the Ice Age.  But not by developing a new Plan specific to each possible event.  The event is not the key to assuring continuity, resilience or recovery.  Your organization’s critical assets (its facilities, people, processes, technology and supply chains) are what you should be striving to protect – under every circumstance.

Neither will the typical “Loss of” plans meet every contingency.  Would a “Loss of People” plan have been sufficient during the Boston snows storms?  What if only some of the people couldn’t make it to the office?  What if the building is unreachable – and many employees can’t access the Internet or get a consistent cell phone signal?  Could you combine your “Loss of Building” and “Loss of People” Plans to deal with that?

But, if your Plans provide alternative strategies for losing access to your facility (or even parts of that building), absence of people with specific skills sets, the inability of specific critical vendors’ to provide good or services on a timely basis and the lack of connectivity to mission-critical technology, you would be prepared for anything.  By shifting focus from cause to impact (what has gone wrong, rather than why) you won’t need to add another “scenario” to your Business Continuity Plans when the next ‘crisis of the month’ arises.

SHARE:
Jim Mitchell

Jim Mitchell

A frequent speaker at Business Continuity conferences, many of Jim Mitchell’s blogs can be found elsewhere on eBRP’s website and has published articles in DRJ, Continuity Insights and Continuity Central. Jim has more than 20 years of experience in Business Continuity; if you don’t agree with his opinions – he won’t be surprised.

Related Posts

A Toolkit to Build Enterprise Resiliency

A Toolkit to Build Enterprise Resil...

A well-rounded Enterprise Resiliency Toolkit (𝗧𝗼𝗼𝗹𝗸𝗶𝘁) would provide key tools…
Enterprise Resiliency: Navigating Through Disruptions

Enterprise Resiliency: Navigating T...

In today’s threat landscape, the ability of an organization to…
Orchestrating BC/DR Testing: Virtual – Emergency Operations Centers

Orchestrating BC/DR Testing: Virtua...

  Enhancing Planning and Logistics Management  Coordinating BC/DR tests involves…
Insights into creating a successful Disaster Recovery Test – Part 2: Preparation

Insights into creating a successful...

Insights into creating a successful Disaster Recovery exercise – Part 1: Objectives

Insights into creating a successful...

Aligning Cyber Incident Response Planning with Your BC/DR Program

Aligning Cyber Incident Response Pl...

Cyber disruptions – and their impact on both reputations and…
What Can You Do when your BCM software Relationship Falls Apart

What Can You Do when your BCM softw...

“This isn’t working.”  “I’ve changed.”  “I don’t see a future…
Aligning BC/DR to CSIRP Challenges

Aligning BC/DR to CSIRP Challenges

The immediate reaction to a cyber-security incident is the FUD…
Technology Modeling – the eBRP Way

Technology Modeling - the eBRP Way

Definition: Technology modeling is a point-in-time snapshot of an Enterprise’s…
eBIA – The eBRP Way

eBIA - The eBRP Way

Definition: A Business Impact Analysis (BIA) is the cornerstone of…