An article was recently posted on the Business Continuity Institute's website titled 'Don't just download a business continuity plan'. It contained sage advice for those who would download a template, fill in the blanks and then believe they had actually created something of any value.
What struck me, however, is how so many people think that a document is the end game. In many respects I think it's because we keep using the word 'plan', as in business continuity plan, incident management plan, emergency management plan, etc. It creates the perspective that the goal is to produce a document that will be followed in the event of a major operational incident and, because of this, it trivializes the whole concept of what should really be thought of as resilience and response management. In my more recent work, I don't believe that I have created a plan. What I have done is create capabilities that:
- raise the tolerance of an organization to operational interruptions (i.e. we have increased the organization's threshold to tolerate a potential disruption) and;
- put the organization in a position to respond and recover if the incident is particularly severe
Of course, much of this was documented so that it could be communicated to interested parties and used internally for review and assurance activities (i.e. so that we could periodically refer to what we had put in place and confirm whether or not it was still fit for purpose). Other aspects of our capabilities were supported and facilitated by specialised applications and information systems. All of it came together as an integrated set of capabilities that increased the threshold of tolerances the organization had in place to withstand the root causes of operational disruption, together with the capability to respond to an incident that was sufficiently severe to compromise current resilience arrangements.
But it wasn't a plan - it was a framework. Some aspects of it were described in documents, other parts were integrated into "business as usual" and others were systems and applications that either helped with managing the information that we had created for the framework or which would be used in the event of a particularly severe incident.
So let's stop putting the 'P' word at the end of business continuity - try using the 'F' word (for framework) or the 'C' word (for capability).
Steve Dance is the managing partner of RiskCentric, which specialises in the automation and rapid deployment of compliance and standards management systems. Steve is also a regular contributor to the Business Resilience Forum, which can be found at www.businessresilienceforum.com.