You Can’t Write Business Continuity Plans for Every Event

So Address the Loss of Assets – Not Potential Threats

Black Swans and Super Storms:  It is impossible to create Business Continuity plans for every possible threat your organization could face.  Not only are the possibilities complex (every hurricane differs from every previous one), but the list of possible disruptions is endless.

While the risk from Black Swans can’t be anticipated, certain risks are known because of empirical data (history, geography, sociology, technology).  You have a facility in Southern California; it faces the risk of earthquake; your Florida facility faces the likelihood of hurricanes.

But even among these known risks, there is still complexity.  Planning for what might happen is futile; there are too many unknowns; all you really know is what you don’t know:

  • You don’t know what will happen
  • You don’t know when it will happen
  • You don’t know how severe it will be
  • You don’t know how long it will last

What’s the point of creating a plan for a threat about which you can only make guesses?  If you’re not clairvoyant, your odds of being correct are minuscule.  Don’t waste your time.

Of course, as a Business Continuity practitioner, it’s your job to plan.  You can’t hide from that responsibility for long.

So stop worrying about what could cause a disruption and concentrate on the impact of such a disruption.  You can’t plan for what you don’t know, but you can plan for theimpact of an event – any event – upon the assets on which your business’ critical functions and processes rely.

For example:  A Call Center fields your customers’ and prospects inquiries, 7 days a week.  Your BIA determined the call center has an RTO or Maximum Tolerable Period of Disruption (MTPOD) of 24 hours.

That Call Center is an Asset.  If it gets disrupted, it needs to be back up and running within 24 hours.  You don’t need to predict what will cause the disruption – only that the impact will result in the inability of the Call Center to field inquiries.

Your plan to recover that Call Center can concentrate on the assets the Call Center requires to perform its day-to-day operations:  trained people, workspace, incoming phone service, access to certain IT systems and applications (including desktop hardware and networks).

Regardless of the cause of the disruption, you can plan for alternate recovery strategies for the potential impact on each of those Call Center critical assets.

  • Loss of facility: perform the work elsewhere, work from home, or direct all callers to your website temporarily while you repair/source a new location.
  • Loss of IT systems or applications: manual workaround until restored (the same strategy might occur if the facility loses power, but not phone service), failover to a backup service or redirect to the website.
  • Loss of people: transfer the work to other employees with call center experience or to staff in other offices, bring in contractors, or prepare to deal with disgruntled customers.

All of these strategies focus on what to do if the asset is unavailable.  What disrupted that asset is irrelevant.  Terrorist attack, flood, sun flares, system failure, plague; it doesn’t matter what caused the disruption if you’ve got a plan to address the loss of critical assets.

Of course this example is simplified.  More than one asset could be disrupted.  But just as likely, an asset might be only partially impacted (the facility’s fine, but there’s no electricity, or, only a few key employees are unavailable, or the IT application’s still operating, but the network is down, etc.).

By focusing on what assets are critical to day-to-day operation of a business process, the path to creating a Business Continuity Plan that will address any situation – regardless of the cause – is simple and straightforward.

Your BIA should determine your critical processes.  Cataloging the critical dependencies (assets) of those processes will provide the base to plan for any loss of those assets.

Don’t let the specter of Black Swans stop you from creating plans to meet the unknown.  You don’t need to plan for HOW something might happen -plan for the IMPACT it may have.

SHARE:
Jim Mitchell

Jim Mitchell

A frequent speaker at Business Continuity conferences, many of Jim Mitchell’s blogs can be found elsewhere on eBRP’s website and has published articles in DRJ, Continuity Insights and Continuity Central. Jim has more than 20 years of experience in Business Continuity; if you don’t agree with his opinions – he won’t be surprised.

Related Posts

A Toolkit to Build Enterprise Resiliency

A Toolkit to Build Enterprise Resil...

A well-rounded Enterprise Resiliency Toolkit (𝗧𝗼𝗼𝗹𝗸𝗶𝘁) would provide key tools…
Enterprise Resiliency: Navigating Through Disruptions

Enterprise Resiliency: Navigating T...

In today’s threat landscape, the ability of an organization to…
Orchestrating BC/DR Testing: Virtual – Emergency Operations Centers

Orchestrating BC/DR Testing: Virtua...

  Enhancing Planning and Logistics Management  Coordinating BC/DR tests involves…
Insights into creating a successful Disaster Recovery Test – Part 2: Preparation

Insights into creating a successful...

Insights into creating a successful Disaster Recovery exercise – Part 1: Objectives

Insights into creating a successful...

Aligning Cyber Incident Response Planning with Your BC/DR Program

Aligning Cyber Incident Response Pl...

Cyber disruptions – and their impact on both reputations and…
What Can You Do when your BCM software Relationship Falls Apart

What Can You Do when your BCM softw...

“This isn’t working.”  “I’ve changed.”  “I don’t see a future…
Aligning BC/DR to CSIRP Challenges

Aligning BC/DR to CSIRP Challenges

The immediate reaction to a cyber-security incident is the FUD…
Technology Modeling – the eBRP Way

Technology Modeling - the eBRP Way

Definition: Technology modeling is a point-in-time snapshot of an Enterprise’s…
eBIA – The eBRP Way

eBIA - The eBRP Way

Definition: A Business Impact Analysis (BIA) is the cornerstone of…