Requirements Over Time: The Venus Flytrap of Business Continuity

“Preppers” (those anticipating the end of the world who stockpile guns, food, camouflage gear, bottled water and the like in expectation of Armageddon), have it easy.  They simply buy and hoard as much as they can manage.  They think they know what will happen – they just don’t know when – so they amass as much as they can afford.

Business Continuity Planners face a more complex dilemma:  they don’t know what will happen, when it will happen, how severe it will be, or how long it will last.

Conventional thinking (I stop short of calling it ‘wisdom’) drives some of those Planners to ask their organizations to specify what they’ll need in the event of some business disruption – and how much more they’ll need over time (assuming that unknown ‘event’ lasts more than a day or two).

It seems to me that such requests – and the resulting date – are questionable, if not invalid.  How can I say that?  I’ve had nearly 20 years of experience in the Business Continuity industry (as everything from a participant to a planner to a consultant).  And I’ve seen lengthy surveys that ask for exactly that – and result in highly suspect data.

Corrupting the BIA

Suppose you’re a Department Manager.   You’ve been asked to complete a BIA survey.  You encounter the following question:

“In the event of a disruption to your facility/department/function/process, please complete the following chart for each required resource:”

Resource Day 1 Day 3 In 1 week In 2 weeks In 1 month
Phone
Computer
Desk
Printer
(other)

 

How do you answer?  For Day one, you estimate the minimum number of people you’ll need (and the resources they’ll need to function) if things go south.  You don’t know for certain – but at least you can make an educated guess.  The rest is pure speculation.

How can anyone fill in the chart factually?  After all, the BIA is collecting preliminary information.  No one has yet begun to think about Recovery strategies, or Alternate sites.  How is someone supposed to fill in those boxes when they don’t have a Recovery Strategy?

Basing Planning on Conjecture

The same table might appear in a Business Continuity Plan Template. By this time (hopefully) one or more Recovery Strategies have been determined.  So you might assume the Plan owner could complete the table factually.

Let’s take a hypothetical Plan involving a Critical Business Process working out of a single location.  Strategy: Move to an alternate site (another facility some acceptable distance away).  So how does that Plan Owner fill in the Table?  They can make a factual judgment of the number of people they’ll need on Day one – and the Resources they’ll require.  After Day 1?  It depends½  On whether it is a local or regional disruption; will he have people who can’t travel?  If it’s a local disaster, will she have people who won’t travel?  Or whether it’s an IT or Network problem; will he need the same number of people if the Application or Network has an RTO of 72 hours – or 2 weeks?  Or if the problem impacts Customers directly; will the need for her Process still be as great?  The list of ‘what-ifs’ is endless.  And all of them impact the numbers in the Table.

So what does those poor Plan Owners do?  They guess.

Compound Errors

Whether the data comes from BIA’s or Plans, somebody’s responsible for totaling up all the Resource requirements in those Table, and converting them to a single table (probably by Location).  Without a relational database, or a BCM software tool, that’s a lengthy job.  But one way or another, the results get tabulated.

The Facilities people are given the workspaces and furniture they’ll need to have available when locations are used as Alternate Sites.  IT gets its lists of required PC’s, phones, printers and other technical equipment.  And all of it is complete balderdash!  It’s a classic case of ‘garbage in, garbage out’.  Ask everyone who completes a BIA, or fills out a Plan Template to speculate about what they’ll need at some uncertain date in the future, under unknown circumstances.  The result is nothing but guesswork.

If that collection of guesswork forms the basis of planning for Recovery, the effort is wasted.  The house of cards built with speculative data is bound to fall the first time it is needed.  It’s this simple: You cannot build Plans on data that was derived by guessing.  And when those guesses came from 10, 50, even 200 respondents or more, the unreliability of the data shouldn’t even be in question.  Run from it.  Fast.

If you use ‘assets over time’, stop.  It’s an exercise in futility.  It is very seductive (it looks like such a pretty tool!), but like the Venus flytrap, it is deadly.  So what CAN you do?

Rely on facts:  What Resources do you rely on today?  What’s the minimum amount of those resources you’d require on Day 1 of any disruption (pick the worst case if you like)?  Those two questions supply both ends of the requirement.  Resources after Day 1 can be worked out on the fly (when the parameters of the situation are known).  You’ve got a place to start, and the worst possible case.  You can deal with that – at least it’s factual!

You might also consider the 6 Steps advocated by my colleague in his Method to the Madness blog.

SHARE:
Jim Mitchell

Jim Mitchell

A frequent speaker at Business Continuity conferences, many of Jim Mitchell’s blogs can be found elsewhere on eBRP’s website and has published articles in DRJ, Continuity Insights and Continuity Central. Jim has more than 20 years of experience in Business Continuity; if you don’t agree with his opinions – he won’t be surprised.

Related Posts

A Toolkit to Build Enterprise Resiliency

A Toolkit to Build Enterprise Resil...

A well-rounded Enterprise Resiliency Toolkit (𝗧𝗼𝗼𝗹𝗸𝗶𝘁) would provide key tools…
Enterprise Resiliency: Navigating Through Disruptions

Enterprise Resiliency: Navigating T...

In today’s threat landscape, the ability of an organization to…
Orchestrating BC/DR Testing: Virtual – Emergency Operations Centers

Orchestrating BC/DR Testing: Virtua...

  Enhancing Planning and Logistics Management  Coordinating BC/DR tests involves…
Insights into creating a successful Disaster Recovery Test – Part 2: Preparation

Insights into creating a successful...

Insights into creating a successful Disaster Recovery exercise – Part 1: Objectives

Insights into creating a successful...

Aligning Cyber Incident Response Planning with Your BC/DR Program

Aligning Cyber Incident Response Pl...

Cyber disruptions – and their impact on both reputations and…
What Can You Do when your BCM software Relationship Falls Apart

What Can You Do when your BCM softw...

“This isn’t working.”  “I’ve changed.”  “I don’t see a future…
Aligning BC/DR to CSIRP Challenges

Aligning BC/DR to CSIRP Challenges

The immediate reaction to a cyber-security incident is the FUD…
Technology Modeling – the eBRP Way

Technology Modeling - the eBRP Way

Definition: Technology modeling is a point-in-time snapshot of an Enterprise’s…
eBIA – The eBRP Way

eBIA - The eBRP Way

Definition: A Business Impact Analysis (BIA) is the cornerstone of…