So Address the Loss of Assets – Not Potential Threats
Black Swans and Super Storms: It is impossible to create Business Continuity plans for every possible threat your organization could face. Not only are the possibilities complex (every hurricane differs from every previous one), but the list of possible disruptions is endless.
While the risk from Black Swans can’t be anticipated, certain risks are known because of empirical data (history, geography, sociology, technology). You have a facility in Southern California; it faces the risk of earthquake; your Florida facility faces the likelihood of hurricanes.
But even among these known risks, there is still complexity. Planning for what might happen is futile; there are too many unknowns; all you really know is what you don’t know:
- You don’t know what will happen
- You don’t know when it will happen
- You don’t know how severe it will be
- You don’t know how long it will last
What’s the point of creating a plan for a threat about which you can only make guesses? If you’re not clairvoyant, your odds of being correct are minuscule. Don’t waste your time.
Of course, as a Business Continuity practitioner, it’s your job to plan. You can’t hide from that responsibility for long.
So stop worrying about what could cause a disruption and concentrate on the impact of such a disruption. You can’t plan for what you don’t know, but you can plan for theimpact of an event – any event – upon the assets on which your business’ critical functions and processes rely.
For example: A Call Center fields your customers’ and prospects inquiries, 7 days a week. Your BIA determined the call center has an RTO or Maximum Tolerable Period of Disruption (MTPOD) of 24 hours.
That Call Center is an Asset. If it gets disrupted, it needs to be back up and running within 24 hours. You don’t need to predict what will cause the disruption – only that the impact will result in the inability of the Call Center to field inquiries.
Your plan to recover that Call Center can concentrate on the assets the Call Center requires to perform its day-to-day operations: trained people, workspace, incoming phone service, access to certain IT systems and applications (including desktop hardware and networks).
Regardless of the cause of the disruption, you can plan for alternate recovery strategies for the potential impact on each of those Call Center critical assets.
- Loss of facility: perform the work elsewhere, work from home, or direct all callers to your website temporarily while you repair/source a new location.
- Loss of IT systems or applications: manual workaround until restored (the same strategy might occur if the facility loses power, but not phone service), failover to a backup service or redirect to the website.
- Loss of people: transfer the work to other employees with call center experience or to staff in other offices, bring in contractors, or prepare to deal with disgruntled customers.
All of these strategies focus on what to do if the asset is unavailable. What disrupted that asset is irrelevant. Terrorist attack, flood, sun flares, system failure, plague; it doesn’t matter what caused the disruption if you’ve got a plan to address the loss of critical assets.
Of course this example is simplified. More than one asset could be disrupted. But just as likely, an asset might be only partially impacted (the facility’s fine, but there’s no electricity, or, only a few key employees are unavailable, or the IT application’s still operating, but the network is down, etc.).
By focusing on what assets are critical to day-to-day operation of a business process, the path to creating a Business Continuity Plan that will address any situation – regardless of the cause – is simple and straightforward.
Your BIA should determine your critical processes. Cataloging the critical dependencies (assets) of those processes will provide the base to plan for any loss of those assets.
Don’t let the specter of Black Swans stop you from creating plans to meet the unknown. You don’t need to plan for HOW something might happen -plan for the IMPACT it may have.
