This week, Charlie discusses why scenario-specific plans are an important addition to business continuity plans.
Over the last couple of months, I have been part of the team working on two different standards. Firstly, rewriting the Business Continuity Institute's ‘Good Practice Guidelines’ (GPG). Secondly, ISO 22361, which will be titled ‘Crisis Management – Guidelines for a Strategic Capability’. In both documents, I and a number of others are pushing the concept that there should be scenario-specific plans at a crisis or strategic level. With that in mind, I will be sharing my thoughts on why these plans need to be included, and which scenarios should be dealt with.
In November of 2020, I wrote a bulletin called ‘The Difference Between a Generic Response and Contingency Plans’. There, I argued that business continuity plans should consist of two components: a generic element that looks at how an incident will be managed, and a scenario-specific element that focuses on your organisation's response to a specific event. We have, for a long time, had scenario-specific plans at the operational level, ranging from emergency response plans for a particular hazard onsite, to plans for how an office-based department will move to a work area recovery location or to another office. About 15-20 years ago, the concept used (which is very old-school now) was to write plans for specific events. Plans were written for fire, floods, transport failures etc. They bore no resemblance to the threats the organisation actually faced, and were basically all the same with different titles. However, most organisations have since moved on from this.
Although crisis management can deal with “abnormal or extraordinary events”, there are some crises that can be anticipated; they can be determined by the industry the organisation is in, its geography, its possible operational hazards, and its culture and structure.
Below I have listed examples of events that may become a crisis for an organisation:
- A passenger aircraft crash.
- Release of toxic gas, or a spill that presents an environmental hazard, affecting the public or the environment.
- A ransomware attack that locks the organisation out of its IT, causes a data breach, or perhaps both simultaneously.
- A major fire affecting your only manufacturing site.
Through good risk management, all the above events should already be identified and plans for dealing with each specific event put in place. Airlines are required to have plans and procedures in place for dealing with an aircraft crash, as part of their licence to operate. However, they should also have plans in place for how to deal with the media and how to communicate with key external bodies such as the regulators and the manufacturers of the aircraft. In addition to this, they will need to know how to deal with any criticism which follows the crash investigation.
In a similar way, I have been writing playbooks for a government organisation on how their Silver Team, which is responsible for incident management, responds to a ransomware attack. The playbook includes ICO reporting, guidance on whether or not to pay, external communications guidance, and how the event will be managed.
So, the task I am setting you is to review the risks to your organisation, think through which of them will have a strategic element, and then decide whether it is worth developing a contingency plan for that specific scenario.
Your plan should be written and then exercised!