Bad ideas certainly are not exclusive to popular culture; in fact, articles and case studies litter the internet documenting both public and private organizations attempting to resurrect failed models and strategies in hopes that new capabilities or use cases will finally make a particular idea just as good in practice as it was in theory or on paper.
In the wake of several high-profile, unpredictable, catastrophic incidents (“Black Swan Events”) in 2012, Avalution received a number of requests to develop highly-specific, scenario-based plans from our clients. Planning for Every Scenario is “For the Birds” explains that Black Swan Events cannot be predicted, and advises that organizations that implement flexible strategies, applicable in almost any type of scenario to manage response and recovery, enjoy the highest levels of success when faced with a disruptive incident.
However, the demand for scenario-based plans seems to be back.
We understand why organizations may think scenario-based plans are a good idea; however, their appropriateness, utility, and long-term value is limited – much like line dances, vampire romance movies, and mullets.
Instead, in this perspective we’re going to use a case study to make the argument for a resource loss-based plan development approach.
CASE STUDY INTRODUCTION
Background: (February 10, 2016) As a potential strike situation looms between NJ Transit and its rail work unions, just under one million daily commuters may be forced to find another way to make it to work. Organizations localized to New York and New Jersey are aware that union rail workers have been without a contract since 2011 and that a disruption occurred previously in 1983.
Tech Firm X, located in New York City, develops and maintains an e-commerce platform that is hosted in Verizon’s public cloud service on geographically-separated infrastructure. All of Tech Firm X’s development tools are web-based and accessible either through personal devices or company provisioned laptops.
An executive at Tech Firms X argues that given the likelihood and circumstances, it would benefit the organization to have a business continuity plan in place that specifically addresses the potential NJ Transit strike.
Before continuing with the case study, I’d like to take a quick step back and briefly answer the ever-so-common question: why do organizations create and maintain business continuity plans in the first place?
The ugly truth is many organizations feel pressure from regulatory agencies, customers, shareholders, executive leadership teams, insurance agencies, and any number of other influential stakeholders to ‘have a plan’.
Unfortunately, when an organization’s motive is to simply ‘check the box’, their approach often lacks utility. In such cases, organizations look to plan for one particular scenario, like a hurricane, that seems most likely because they see it as the easy way to get a plan on the books without having to invest the time and resources necessary to develop a business continuity management program and truly resilient organization.
Ideally, organizations should develop business continuity plans to document the strategies and procedures that will be activated in response to a disruptive incident, as well as how to operate in recovery mode until the organization returns to normal. Basically, giving your response and recovery teams a tested game plan telling them where to go, what to do, and when to do it.
It’s important to note that good business continuity plans are the result of thoughtful analysis (business impact analysis and risk assessment), and strategy identification, selection, and implementation.
Many organizations struggle to identify appropriate business continuity strategies and instead jump straight to documenting plans. In doing so, plans fail not only to provide an effective framework for response and recovery, but also do not account for resource requirements and strategy gaps. A well-executed risk assessment that considers resource requirements can be used to highlight the resource loss scenarios with the highest likelihood and impact, and can help focus business continuity planning efforts.
Keeping this in mind, it’s important to guardrail against over analyzing. Organizations can easily find themselves in a state of “analysis paralysis” if they begin to evaluate every minute threat, probability metric, historical detail, and control. Instead, cover the full scope of threats by breaking the assessment up into measurable components such as risks to a particular technology, facility, vendor, or group of employees. Some basic research and/or participation by subject matter experts should provide the requirements needed to develop a sufficient analysis. When an organization has an understanding of recovery and risk gaps as inputs into strategy identification, they can then focus their efforts on high priority gaps, which subsequently require identification of closure options, along with a cost-benefit analysis (CBA) for each option. These steps set-up the organization for investment in the most pertinent business continuity and disaster recovery strategies, as well as focus the business continuity and disaster recovery plan development effort.
For more information, please review the following resources:
- Effective Business Continuity Program vs. Plan
- The Relationship Between the Business Impact Analysis and Risk Assessment
- Business Continuity 101: Common Questions
- Business Continuity 101: Key Activities & Outcomes
Risk Assessment / Gap Analysis / Strategy Recommendation for Tech Company X: The savvy business continuity professional at Tech Firm X has been working through the business continuity lifecycle and identified existing capabilities or workarounds. She uses her findings from the risk assessment below to make a case for resource loss-based plans vs scenario-based plans in a meeting with the firm’s executive leadership.
(Note: The above example is for illustrative purposes only and does not capture the complexity most organizations face.)
BC Professional: “Ladies and Gentlemen, I know there has been growing concern regarding the potential Transit strike and some of you have approached me about creating a business continuity plan to deal with the scenario. Some of you suggested that we work with a ride-share company (e.g. Uber or Lyft) to get voucher codes for employees affected by the strike. Others suggested that we shift our working hours away from peak commuting times or reimburse employees regardless of the alternate transportation option they choose.
While those are very creative and potentially effective recommendations, I would like you to take a look at the risk assessment, gap analysis, and strategy recommendation I’ve provided you. Based on the business continuity policy and standard operating procedures you put in place almost a year ago, we have identified the resources and activities that support the delivery of our critical products and services. We have also identified existing strengths and workarounds that we can leverage as we build resource loss-based business continuity plans to recover from a wide-range of disruptions. Now, I know some of you may be confused because we just did a drill to test our active-shooter plan, which is scenario-specific plan. There are some very sensitive and unique scenarios, like an active-shooter, that require detailed plans. However, our active-shooter plan is the exception, not the rule.
As long as we have an effective crisis management structure and communications plan in place to let employees know to work from home, we should experience little to no impact from the NJ Transit strike. As we’ve seen in the past ten years, we can experience a wide-range of disruptions in this city. From a tragedy like the attacks on 9/11/01, a super storm, or even Occupy Wall Street; disruptions are unpredictable and, due to the specific and inflexible nature of plans responding to each, we would have to maintain a large number of plans. Whether there was a NJ Transit strike, fire in the building, or even a street closure for a marathon – which kept employees from entering the building – we would leverage the same resource loss-based plan to mitigate the disruption and recover.
Based on the assessment, we are much more vulnerable to a loss of technology or supplier. I suggest that we prioritize evaluating the recommended strategies to mitigate these higher risks as we move forward in our continuity planning effort, rather than focusing on individual threats. We already have the capabilities in place to deal with inaccessibility to our building.”
A few weeks later, the executive at Tech Firm X that had been clamoring for a scenario-based plan to address the pending NJ Transit strike found he was wise to take the business continuity professional’s advice to fund and support strategies that mitigate against a loss of supplier or loss of technology. The firm stood prepared as it learned that Verizon© would be making the very product offering Tech Firm X relies upon unavailable by the end of April 2016.
Don’t get me wrong, there certainly is a place for specific scenarios in the business continuity lifecycle… and that’s during exercising. Aside from setting prioritization and benchmarking, the risk assessment provides a menu of scenarios and events to use during exercising, and even for subsequent injects. It goes without saying that an organization benefits the most when personnel have participated in exercises before a similar event occurs. Conducting exercises around the most likely scenarios not only keeps participants engaged, but also drastically improves preparation since exercise lessons learned can be applied to strategies, plan documentation, and awareness materials. For further information on this topic, view Avalution’s perspectives on exercising and testing.
However, when developing your response to a disruptive incident, it doesn’t matter if it’s a transit strike, loss of supplier, or natural disaster interrupting your business. Effective business continuity and disaster recovery planning, in line with ISO 22301, is meant to ensure that response and recovery efforts align to expectations of all interested parties and provide a repeatable approach to minimizing downtime. Being able to adequately respond depends on having the right response structure in place, and having performed the appropriate resource loss and recovery planning to enable the resumption of critical activities within defined timeframes.
Business continuity and IT disaster recovery planning is all that we do. If you’re looking for help with building or improving your business continuity program, we can help.
Please contact us today to get started. We look forward to hearing from you!