This week Charlie compares a generic response plan with contingency plans, and explains why the two should be kept separate.
This week has been very busy for me, and amongst other tasks I have been conducting a debrief for a multinational company on their response to COVID-19 to date. I have also been helping another organisation rewrite their plans, so I am very focused on plan content at the moment. From the organisation carrying out the debrief, I learned that, although their plans didn’t cover the COVID-19 scenario, they used the incident management framework within their plans to manage the response to the virus.
Their plans for recovery centred around moving to another location, and they didn’t envisage a situation where going to the back-up location didn’t actually help their ability to continue delivering their services. When I look at plans, of which we see a great many from different organisations, they are usually a mixture of generic incident management interwoven with a number of plans and procedures for managing a particular type of incident.
The main scenario people write plans for is the loss of their building, and they may have some other plans for loss of people, suppliers, or IT. Often the scenario plans, which I like to call contingency plans, are generic, contain little detail and do not align with the risks the organisation actually faces. It also has to be noted that a plan for dealing with the loss of a building is very different from a cyber response plan, which in turn is very different from a plan for dealing with a reputational issue.
The pandemic has shown us that incidents will come along which we haven’t prepared for and for which we don’t have contingency plans in place. Lots of organisations had carried out pandemic planning, and this varies from a paragraph or two at the back of the plan to the plans I helped prepare, where they even planned down to details such as (for an H1N1 pandemic) having a stockpile of Tamiflu, an antiviral medicine, and how to dispense it to staff and contractors. Nobody I have spoken to yet had pandemic plans which included lockdowns and self-isolation. So this makes the point that we need to have a generic plan which contains all the details of how to run any incident, some of which we might have contingency plans for, and others which we won’t.
Figure 1 - Details of generic content of a plan
Figure 1 shows how I see the content of a generic plan: it contains all the details for managing a business continuity incident, whatever the cause and level of impact. The contents such a plan should include are laid out in the BCI’s Good Practice Guidelines (2018), which I think is a good reference document to use for checking the contents of your plans.
Figure 2 - Process for developing contingency plans
Figure 2 gives a process for developing contingency plans, which should be carried out as follows:
1. Identify the risk and threats to the organisation, which should be carried out as part of the analysis stage of the business continuity lifecycle.
2. The risks and threats need to be ranked to make sure that those which are most likely to occur and would have the biggest impact are the ones to be addressed first.
3. For each highly ranked identified risk and threat there are three options:
a. Put in additional measures which reduce the likelihood of the incident occurring or lessen its impact if it does. This could be combined with b and c.
b. Develop a framework for managing the incident, so that if it occurs you have a list of possible impacts, decisions, issues and risks, as well as stakeholders and third-party support.
c. Develop capabilities which can be used to respond to the incident and recover more quickly.
4. The options should be signed off by top management and then implemented.
Over time a number of different contingency plans can be developed to respond to different incidents. The resilience measures implemented can help prevent an incident occurring, and sometimes the capabilities developed can be used across multiple contingency plans. It is recognised that the real incident may not manifest itself in the way that was envisaged and prepared for, but the contingency plan will at least give the organisation a good start which can be adapted on the day. These contingency plans could be standalone documents, or they could sit as appendices to the generic plan.
I think only by splitting the generic response from the contingency plans can we start to look in detail at our organisation’s ability to manage an incident and our level of preparedness. Separating the contingency plans out of the main generic plan will also make the response easier, because the plan will not be full of details such as the response to building loss when you are responding to a ransomware incident. Therefore, I am suggesting that readers of this bulletin review their plans, or we can do it for you, and then separate the generic details from the contingency ones.
On another matter, noticing the date, I was wondering if it would be worth doing a bulletin on the superstitious date of Friday the 13th and whether incidents actually occur more on this date or whether it’s just another day for incidents to take place!