The case for generic plans
Those in risk management would let you think that they have everything under control. All possible risks have been identified for their organisation, the likelihoods and impacts calculated, and the ‘top risks’ have been identified. Mitigation measures have been put in place to prevent them materialising and if they still happen, specific plans or playbooks have been developed for managing them. The chaos and unpredictability of the world has been tamed through the power of risk management.
Bo***cks! In the end, risk management’s ability to tame the world and predict the future is no better than that of a fairground clairvoyant. They miss the ‘black swans’ because they are risks that they don’t know exist and haven’t happened yet. They may be able to produce a reasonable list of possible risks, but as the profession develops the list of possible risks expands and becomes more comprehensive, and in terms of calculating impact and more importantly likelihood, the risk management is flawed. Risk managers can deduce, reasonably accurately, the impact of a risk maturing, but it is only an estimate as they can’t always foresee the impact of a risk occurring. We may think that a power cut for an hour, for a manufacturing organisation, would have a very minor impact. If their production machinery is offline, then they could work an extra hour in the evening to make up the time and get the manufacturing schedule back on track. What they may not know is that the power cut could cause the machinery control system to trip out and damage it, which could require a lengthy repair. If a power cut has never happened before, then the organisation wouldn’t know the actual impact, and so might rank it as low as opposed to if it actually happened it would really be high. So sometimes we cannot know the full impact of a risk materialising before it actually happens.
Don’t get me started on likelihood! This is an even bigger guestimate. How do we estimate with any clarity the likelihood of an incident occurring and more granular, the matrix we use, whether it be 5x5 or even 10x10, the higher chance of error in trying to accurately work out the likelihood of a risk materialising? An actuary may be able to calculate the chance of a building burning down, but unless you have deep pockets and pay them, their likelihood is generic and does not apply to your actual building. Yours could be old and rickety and so much more likely to burn down or could be ultra-modern and less likely to have a fire. You can have three one-in-a-hundred-year-storms in the space of 10 years and it doesn’t mean you will be spared for the next 300 years. If an event could occur regardless of whether it has a likelihood of high, medium-high, medium, medium-low or low, then should we not be preparing for it as it could happen? Likelihood is a key component of calculating risk, but often there is little science in calculating it and it is a best guess.
Even if our risk assessment has been done well and we have correctly identified our top risks, we often just ignore the risk and concentrate on a different risk which is more tangible to us and easier to plan for. A pandemic was on the UK national risk register at the highest impact and greatest likelihood, but only a few organisations had pandemic plans and I haven’t seen one organisation which had plans in place for dealing with the issues associated with COVID-19. Even when we saw the pandemic coming at the beginning of 2020, countries were closing their borders and locking down their population, did we do anything to prepare our organisations? I wrote my first bulletin about COVID-19 on the 31st of January and was surprised when the first UK lockdown occurred on the weekend of the 21st of March. There was a ‘grey rhino’ charging towards us (I am presently reading the book 'The Gray Rhino'), but we were nearly all mesmerised by it charging towards us and did nothing, we were flattened by it.
My first point is that if we are rubbish at foreseeing risks, we concentrate on preparing for the wrong ones and even if a risk is materialising and heading towards us, why would we write specific plans for specific incident? Looking at our experience of risk management, we are likely to prepare for the wrong type of incident and so our playbooks or contingency plans will be a waste of time, as they will be irrelevant to the incident which we are facing. Plans with specific incidents in mind cannot be easily adopted. If we decided that our number one risk is product recall, and we have a cyber-attack, no part of the product recall plan is useful for helping us with this response. Even if we guess the incident correctly and prepare the playbook, then the incident usually doesn’t fit the plan and so we will have to adapt it to the incident as it occurs.
What you need is a generic plan for the organisation, which is flexible enough to deal with any incident, and then rely on the expertise of those within the incident team to respond appropriately. They will have the knowledge to do this without the ‘guidance’ of a partially relevant playbook. How much better to have those in the organisation responding who actually have detailed knowledge and experience of manging this particular incident, rather than a half-hearted plan or playbook written by a business continuity generalist who doesn’t really understand the recovery process and has limited time with those who have the knowledge.
In my opinion, a generic plan is not a huge ring binder which sits on the shelf, is full of irrelevant information that nobody ever reads and is probably out-of-date. In today’s fast moving, agile business culture there isn’t time for this. Plans must be short, relevant and to the point. There are a few items which I think a generic plan must contain:
- How to identify and assess an incident.
- A list of likely incidents which would cause the plan to be activated – recognising that this is not a comprehensive list of all possible incidents.
- Calling out the incident team.
- Team members - team and individual members roles and responsibilities.
- Team meeting location and ways of working.
- List of stakeholders and responsibilities for communicating with them.
- Relationships with other incident management teams in the organisation.
- Assumptions, authorities and objectives.
I think this is sufficient to be a framework for managing an incident, working on the premise that if you put the right people in a room or on a video call, they should be able to solve any incident which befalls the organisation. The generic plan is all that is required.
In conclusion, due to the possibility of preparing a playbook for the wrong incident and not correctly guessing the next incident, preparing specific plans, however good your risk assessment is, is a waste of time. Even if the next incident is correctly identified and a playbook is written, the incident may manifest itself differently to the way you envisaged it and so again all that work will be wasted. Thirdly, playbooks written by business continuity generalists may be poor as they are not experts in the areas they are writing on. It is much better to write a slim and agile generic plan, which caters to any incident, than put a team of experts together and they can decide how to respond. As I always say, when teaching business continuity ‘the next incident is always the one you haven’t thought of’.
About the author
Director, Business Continuity Training Ltd