Playbooks are the future, business continuity plans are the past
The 2020 pandemic that continues to plague us in the new year is putting rocket boosters under change. Business continuity and crisis management are both suffering the bucking bronco of change like so many others. The two have long been uneasy bedfellows, both vying for dominance, but when Covid-19 was unleashed the balance shifted and crisis management took hold of the reins.
Disrupters are generally seen as the tech giants largely coming out of California. Mark Zuckerberg’s famous motto: ‘Move fast and break things’ became the mantra for tech innovators. Covid-19 came along and almost overnight tried to break everything. The Covid disrupter has messed with the high street, musicians, actors, the holiday industries, bars, restaurants, airlines and many more. It has dug deep into our society and has found traction in unlikely places. Business continuity is one of them.
Ring-bound and covered in dust
A traditional business continuity plan is a big beast, often the War & Peace of disaster recovery documents. It’s on the bookshelf of business continuity departments, in HR and in the offices of the C-suite and elsewhere. It is often ring-bound and covered in dust as it typically goes unread. The word that should be attached to such a document is ‘generic’. Although there may be specific crises mentioned in the plan, its role is to dig a firm out of any kind of disaster. If you suffer a cyber-attack, if there is an active shooter in your building, if the water supply fails in your block, if you can’t get into your offices, your BC plan will provide guidance. In theory this sounds good, but in practice such plans are too long and too detailed.
IBM business continuity plan
Take a look at part of a plan supplied by IBM. They see it as a ‘source reference at the time of a business continuity event or crisis and the blueprint for strategy and tactics to deal with the event or crisis’. Warning: It contains a lot of objects.
- Strategy: Objects that are related to the strategies used by the business to complete day-to-day activities while ensuring continuous operations
- Organisation: Objects that are related to the structure, skills, communications and responsibilities of its employees
- Applications and data: Objects that are related to the software necessary to enable business operations, as well as the method to provide high availability that is used to implement that software
- Processes: Objects that are related to the critical business process necessary to run the business, as well as the IT processes used to ensure smooth operations
- Technology: Objects that are related to the systems, network and industry-specific technology necessary to enable continuous operations and backups for applications and data
- Facilities: Objects that are related to providing a disaster recovery site if the primary site is destroyed
Assembling all that information is not the work of a lunchtime and will take many months to put together. There’s no question it will have value and must be sourced, maintained and held where it can be accessed. The problem is that if, say, you have an active shooter in your building, it is unlikely to be the document you will want to lay your hands on in such an emergency.
An active shooter playbook will set out how to keep staff safe, list the phone numbers you need to call, and will hold message templates. It will address regulatory concerns and legal obligations and it will contain notes on how to manage crisis communications. That is just a quick sketch and it will probably hold a great deal more, but all of it will be relevant to the particular problem at hand.
Think of it very much like the checklists used by airline pilots. They know how to fly a plane, but they need a handrail to guide them through the process to make sure they keep on track. A playbook is practical advice delivered in short form to cover a specific incident. Firms will need to conduct a risk assessment to figure out what playbooks they need. These will likely also include playbooks for a cyber-attack, a protest, a terror attack, and a product recall.
Data breach response plan
Interestingly, an insurance company recently put out this statement: ‘When it comes to a data breach, time is money – quick, well-organized responses often end up costing less. So, if you invest in a sound data breach response plan now, you may find that it pays for itself several times over in the years ahead.’
They aren’t talking about a BC plan; they are looking specifically at a data breach response plan, which is a playbook by any other name. What might such a document contain? A Canadian colleague, Mark Hoffman, who works out of Toronto, has done some work on this.
He suggests leveraging your existing crisis management team (CMT) and building on their roles and responsibilities. He sees the need for an expanded CMT to look like this:
A cyber security lead becomes the subject matter expert who liaises between the technical team and the CMT. The Cyber Lead will report the details of the incident and any ransom demands and provide insight regarding the level of exposure of data and the systems affected.
The insurance lead will be familiar with your cyber insurance policy. They will likely be a member of your legal team and already have a relationship with staff at the insurance agency. As Hoffman says: “The Insurance Lead is responsible for interfacing with your cyber insurance provider, including notifying them of the incident, filing a claim and engaging the insurer’s response team.”
There is also a need for a Business Lead who will engage the department heads from the business units affected by the attack. They will relay important information to the CMT on the impact the attack is having on the business.
Thereafter you will need contact details for those you need to reach, boilerplate comms messages for internal and external audiences, and a decision tree as to whether there are any circumstances in which you would pay a ransom demand. No doubt there will be plenty more but whatever it is, the information must be practical and entirely based on your cyber security needs and concerns.
Combined with a series of playbooks you will also need some form of mass notification platform to send out messages and alerts to enable you to communicate effectively with stakeholders. Sharing documents and communicating via secure chat channels should also be part of the package.
Covid is the exercise no one can avoid
Covid-19 is placing great emphasis on crisis management. It’s the crisis exercise no one can avoid. As business continuity increasingly becomes a subset of crisis management, so business continuity plans must take a backseat to playbooks.
Don’t get left behind. Use a business continuity plan as a home for all your business continuity thinking, but for tackling a live crisis a playbook is the future. As Covid disruption forces crisis management blinking into the foreground, so playbooks become a required resource for the crisis management team.
About the author
Crisis Management Director, YUDU Ltd