The harshness and repeated ferocity of the winter of 2015 (especially in the New England states) sent many businesses scrambling to update their Business Continuity Plans. The earlier Ebola crisis in West Africa set off the same kind of frenzy. As a wise Business Continuity Management (BCM) guru once said “no good crisis should go unexploited”. What he meant was that public crises can be leveraged to stimulate interest (and funding) for BCM.
The result of the blizzard and Ebola phenomena isn’t about stimulating interest, it borders on panic – for all the wrong reasons. An earlier blog addressed the wisdom of planning for impacts, not for events. These recent snows and epidemics have served to reinforce that advice.
There are so many things that could happen to disrupt your organization. Many of them are as yet unknown (those “black swans”). But are “Scenario Plans” worth the effort? Consider that the 30-day snowfall record for Boston set in January-February 2015 (90 inches) broke the previous record (59 inches) set 37 years earlier (1978). Does it make sense to create a ‘Blizzard Plan’ – if it occurs every 30 years? Likewise, is an ‘Ebola Plan’ really necessary when that specific virus is unlikely to spread in significant numbers beyond West Africa?
In many ways, the panic to plan for specific events mirrors how the TSA looks at airport security: by guarding against something that already happened (the “Shoe Bomber”, for example) by installing new safeguards (shoe removal) to assure it won’t happen again. TSA procedures grow with every (thankfully) foiled terrorist attempt on air travel. Likewise, a BCM program with plans for every possible event will eventually resemble Wikipedia (but prove less useful).
Surely some of the scrambling that’s taken place results from pressure – from the C-Suite, the Board, from internal auditors – to prove our organization is ready for that ‘hot threat’ of the moment. It is possible to be prepared for that blizzard, or plague – or tsunami, bombing, flood, DoS attack, labor strike, or the return of the Ice Age. But not by developing a new Plan specific to each possible event. The event is not the key to assuring continuity, resilience or recovery. Your organization’s critical assets (its facilities, people, processes, technology and supply chains) are what you should be striving to protect – under every circumstance.
Neither will the typical “Loss of” plans meet every contingency. Would a “Loss of People” plan have been sufficient during the Boston snows storms? What if only some of the people couldn’t make it to the office? What if the building is unreachable – and many employees can’t access the Internet or get a consistent cell phone signal? Could you combine your “Loss of Building” and “Loss of People” Plans to deal with that?
But, if your Plans provide alternative strategies for losing access to your facility (or even parts of that building), absence of people with specific skills sets, the inability of specific critical vendors’ to provide good or services on a timely basis and the lack of connectivity to mission-critical technology, you would be prepared for anything. By shifting focus from cause to impact (what has gone wrong, rather than why) you won’t need to add another “scenario” to your Business Continuity Plans when the next ‘crisis of the month’ arises.
