When you can’t put your full weight on your foot or leg because of an injury or surgery, you can still get around using crutches. It’s not hard, but it’s clumsy, it’s slow, and you can’t keep doing it forever (or at least you hope you won’t have to). The goal is to get healthy and ditch the crutches.
Think of scenario-based plans in just the same way. They’re a temporary fix. But sometimes it seems easier to keep using them for lack of a good alternative.
Since Business Continuity plans were first penned, planners and plan owners have struggled to determine what to plan for. I once heard a Vice President of a financial institution say “Tell me what’s going to happen, when it’s going to happen, how long it will last and how severe it will be and I’ll be happy to assign someone to write a Recovery Plan for it.”
Of course that’s not possible. But must be a better way; there are so many situational variables that it may appear impossible to come up with a plan template that’s a one-size-fits-all. So the easiest path – basing plans on specific scenarios – may seem to be the most logical approach.
But a Business Continuity plan predetermined on scenarios (Loss of Building, Flood, Loss of IT, Earthquake, etc.) is just a crutch. It’s a temporary fix that some planners can never seem to get past. I formerly worked for an organization whose BC template included planning for 17 different scenarios. It was an exhausting, and ultimately fruitless, effort.
Let me backtrack for a moment and admit that there are some ‘scenarios’ that are worth planning for. Those are scenarios you can predict – and which allow you to make preparations in advance of their occurrence. Hurricanes are a good example. The Weather Service predicts their approach – giving you time to get ready. Those preparations should be your Hurricane Plan. A scenario plan might also be valid for a blizzard, rising water (not flash floods, which come with no warning) and especially Pandemics.
For everything other than advance warning scenarios, you simply can’t anticipate what might happen, when it will happen, what it will impact, or how long it will last. You can’t plan effectively for the cause of a disruption. You can plan for the preparations – but you can’t necessarily plan for the impact (since you don’t know its severity or longevity).
That’s where true Business Continuity Plans should focus: on impacts, not causes; and not just vague generalities (‘loss of IT”).
Every Business Process (and every IT Service or Application) has dependencies – assets on which it relies for day-to-day operations. When any of those critical assets (people, facilities, vendors, business processes and technology – including networks, databases and hardware in the case of IT apps and services) are disrupted, there are options available. By focusing plans on recovery/restoration of critical assets, it’s possible to create plans based on impacts – not causes.
Mapping the dependencies of your organization’s most important products and services (those on which your customers rely) in the planning phase provides the intelligence needed to create plans for the impacts on critical assets. When you know your options for reacting to the loss of an asset, it no longer matters why it’s unavailable. Identify all the critical assets of the processes and application that supports your critical products & services and you will no longer need to think about planning for scenarios; you can begin planning for the loss of those assets.
