Is that a Business Continuity Plan – or a Book of Lists?

In 1977, Irving Wallace and his children began publication of The Book of Lists (since updated many times). It’s a fascinating book, but only useful for making odd references at parties.

The same holds true for Business Continuity Plans. I’ve seen Plans 300 pages long – without a single word telling me what to do. Just pages and pages of lists:

  • All Critical Employees (and their contact information)
  • The addresses and CAD drawings of the company’s facilities
  • The BIA results for every Department (and the overall company impacts)
  • All the hardware in the datacenter
  • An alphabetical list of Vendors

Fascinating stuff; but when smoke is billowing out of your facility’s windows – it’s practically useless.

A Plan, by definition should be a detailed proposal for doing something. That seems simple enough; but a list is not a proposal. It does not instruct, it does not inform, it does not support decision making, it does not tell anybody what to DO.

Yet there they are. Lists of all kinds, lined up like good little soldiers waiting to be deployed in the recovery of an organization. Those lists were compiled with good, but ill-advised, intentions; because nobody knows what to do with them.

It’s easy to understand why some organizations and individuals gravitate toward lists. You don’t know what will happen, you don’t know when it will happen, how long it will last or how severe it will be. So how can you possibly plan for what you can’t anticipate? If you provide lists (the thinking goes) of everything you might possibly need whenever whatever happens, you’re prepared for everything!

In reality, when something happens, the first precious hours of your response (perhaps many hours) will be squandered deciding how to use those lists to react to whatever happened – because they are not ‘a detailed proposal for doing something.

But that Book of Lists is not a total loss. Those lists are important; they consist of assets and resources that are essential to creating viable, actionable plans. Lists comprise the ‘what’ (as in “What resources do we need?”). What’s missing, of course is the ‘how’ (“How will we use those resources?”).

People resort to creating lists because they take too wide a view; you can create actionable, viable plans by narrowing our plans to specific Processes (or specific IT Applications/Systems). Every critical Business Process (one that directly or indirectly impacts the ability to deliver the organization’s critical Products and Services) is dependent upon ‘assets’.
If we know which Processes are most critical to the organization, and we know which ‘assets’ (People, Facilities, Suppliers, Resources, IT applications and other Business Processes) they depend upon, we can write actionable strategies to recover, continue or replace each of those assets. Cumulatively, those strategies (and the tasks necessary to execute them) become a real plan – not just a book of lists.

When our plan development effort aims too high (trying to create an enterprise-wide, regional, or even a Departmental plan) we are forced to plan from the top down, because of the complexity. The result is often pages and pages of lists. Focusing plan development on an individual Business Process that supports critical Products and Services – and how to restore, recover or continue the assets that Process relies on – allows us to connect-the-dots among the dependent assets in those lists, and frees us to create an actionable plan.

When something disrupts your operations, time is critical. A plan that can immediately spring into action is worth much more than a book of lists that must be analyzed and strategized before the first action can be taken.

Don’t stop compiling those lists. Just stop believing that they constitute a plan. Put them to better use connecting the dependencies to critical Business Processes and IT Applications/Systems – and creating actionable plans.

SHARE:
Jim Mitchell

Jim Mitchell

A frequent speaker at Business Continuity conferences, many of Jim Mitchell’s blogs can be found elsewhere on eBRP’s website and has published articles in DRJ, Continuity Insights and Continuity Central. Jim has more than 20 years of experience in Business Continuity; if you don’t agree with his opinions – he won’t be surprised.

Related Posts

A Toolkit to Build Enterprise Resiliency

A Toolkit to Build Enterprise Resil...

A well-rounded Enterprise Resiliency Toolkit (𝗧𝗼𝗼𝗹𝗸𝗶𝘁) would provide key tools…
Enterprise Resiliency: Navigating Through Disruptions

Enterprise Resiliency: Navigating T...

In today’s threat landscape, the ability of an organization to…
Orchestrating BC/DR Testing: Virtual – Emergency Operations Centers

Orchestrating BC/DR Testing: Virtua...

  Enhancing Planning and Logistics Management  Coordinating BC/DR tests involves…
Insights into creating a successful Disaster Recovery Test – Part 2: Preparation

Insights into creating a successful...

Insights into creating a successful Disaster Recovery exercise – Part 1: Objectives

Insights into creating a successful...

Aligning Cyber Incident Response Planning with Your BC/DR Program

Aligning Cyber Incident Response Pl...

Cyber disruptions – and their impact on both reputations and…
What Can You Do when your BCM software Relationship Falls Apart

What Can You Do when your BCM softw...

“This isn’t working.”  “I’ve changed.”  “I don’t see a future…
Aligning BC/DR to CSIRP Challenges

Aligning BC/DR to CSIRP Challenges

The immediate reaction to a cyber-security incident is the FUD…
Technology Modeling – the eBRP Way

Technology Modeling - the eBRP Way

Definition: Technology modeling is a point-in-time snapshot of an Enterprise’s…
eBIA – The eBRP Way

eBIA - The eBRP Way

Definition: A Business Impact Analysis (BIA) is the cornerstone of…