In today's bulletin, Charlie looks at the purpose of business continuity plans and what they are really used for.
Absolutely nothing? I thought this week I would allow Boris to Boris and leave the captured tanker with the Iranians, so instead I am going to talk about plans.
As business continuity people, I think ‘the plan’ is the expression of our trade. I am sure we have all had this conversation with employers and clients, ‘just cut the crap, don’t bother with the BIA and just give me the plan’. I thought for this bulletin I would explore some ideas about plans. I find myself sometimes going around in circles about what a plan is for and how to write and construct one. I am currently exploring some new ideas for plans, which I thought I would share with you.
I think the first thing we need to do, in the words of Edwin Starr, is think through what plans are good for. Plans can have a number of purposes:
1. They can serve as a guide on what we do on the day of an incident, and they give us a framework to follow. For this purpose, the plan should be written in the sequence that it could be used and should be quite minimalistic. Nobody at the operational or strategic (crisis) level wants to be wading through 50 pages in the middle of an incident, to try and find out what they should do.
2. We also have the generic plan of how to respond to any incident. This would detail how your organisation configures itself to manage and respond to an incident. It shows what the incident hierarchy is, what the roles and responsibilities of each of the teams are, and the roles within them. It should also include how to activate the plan, who can do it and where the team will meet under different circumstances. This plan can be used to manage any type of incident and would be used for an incident that we have not planned a specific response for.
3. The plan could contain information on how to respond to a particular threat or risk. There could be a plan for dealing specifically with the response to a pandemic being declared, and how to manage it when your organisation is in the middle of the pandemic. A specific plan could be for a hurricane, which includes what annual preparations are needed for hurricane season, what to do when a hurricane is imminent and how to respond after the event. You may have a specific plan on how to respond to a ransomware attack, which would be different to how you respond after a data breach. This type of plan could also be a multi-agency plan, which details how all agencies would work together in response to an oil spill, or in high hazard industries, how to respond to a fire or an explosion. We must also mention the classic business continuity plan on how to respond to loss of premises, people, technology and key suppliers. The writing of hazard or installation plans could also be a key regulatory requirement in the licence to operate.
4. Plans can be used to tell us how to carry out a procedure or give us a step-by-step guide on how to carry out a certain task. This applies particularly in IT, where if you want to recover a server then you have a disaster recovery plan which tells you how to do this, down to ‘type in //184.108.40.2060 at this prompt’. This plan needs to be very precise and detailed. If it is 100 pages, that just illustrates the complexity of the task, and so having a long plan is not an issue.
5. Plans can contain information and reference material needed on the day of the incident. A plan can include the number of recovery seats each department has and a list of names of who will sit in each seat. It could also contain telephone numbers of the references, how to use a conference call bridge or the codes to invoke work area recovery.
6. Finally, a plan can contain Standard Operating Procedures (SOPs). These are processes or tools we use to manage an incident. So, for PlanB Consulting, we have a standard agenda we teach incident teams to use during their meetings. We have a circle of Situation – Decision – Action with a series of actions during each, and this is the way in which we manage the response to incidents. We hope that those in the incident team can remember how to use these tools, but it is often useful to have an aide-memoire (a plan) of either how to use them or a mnemonic to remind them of the constituent parts of the tool. We can also use aide-memoires to remind us of the constituent parts of the plan and provide a shortened version, highlighting the key parts the team members need to know.
In next week’s bulletin, I am going to look at who the audiences are for these plans and share new ideas of how we can develop our plans further.