Let me begin by stating my position very clearly: I do not write scenario-based business continuity plans.

I don’t think that it’s appropriate to base your continuity protocols on a series of unfortunate events so specific that your strategy is obsolete if the disaster isn’t a power outage on a Tuesday afternoon in May. That said, there is value in giving adequate consideration to risks and threats to which your organization is susceptible. So, three questions come to mind:

  1. How do we address these risks and threats without writing specific scenario-based plans?
  2. Is there ever a time when a scenario-based plan is appropriate?
  3. Where DO I use scenarios?

Let’s get to it.

How do we address risks and threats to which our organization is susceptible?

One of the main pillars of a Crisis Management / Business Continuity program is the Risk Assessment. This should be done in partnership with your organization’s Enterprise Risk Management team and should identify the top five or ten key risks facing the company. The Risk Assessment will identify the likelihood (probability) and the impact of each risk. Focus on the risks that have moderate-to-high probability AND moderate-to-high impact. But instead of addressing these risks at the PLAN level, address them at the PROGRAM level. Make sure that your strategies, solutions and plans adequately address each prominent risk. I have a client with an office in London. Given the UK’s current terrorism threat level, we make sure that we have appropriate emergency communications solutions in place and that their people can work remotely in case something affects their workplace. I don’t have a “Terrorism Plan”, or a chapter in the plan dedicated to terrorism. I make sure that at a program level, we philosophically address the significant risk that faces the company and that appropriate tools and solutions are in place to help us execute our plans effectively. Another major threat facing virtually every organization is cybersecurity. Do I write a separate plan for every possible cyber related incident? Well…. it’s complicated. Look at the next question.

Is there ever a time when a scenario-based plan is appropriate?

Yes. Well, sort of. I have a client in the Caribbean and yes, we have a Hurricane Plan. It would be negligent to not address the most likely threat to their business. I have also written Privacy Breach Response Plans for clients and a cybersecurity playbook for another client that addresses key decisions to be made if they encounter a breach or ransomware request. While these documents could be considered ‘plans’, they are not full-on business continuity or crisis management plans. They have a different audience and do not contain all the things that you would typically include in a full plan. So really what I’m advocating is that you build a Crisis Management Library that contains core plans and supplemental plans / documents for specific situations. For instance, your library may consist of: A Crisis Management Plan, Business Continuity Plans for each department, a Disaster Recovery Plan for the purpose of recovering technology. You may also have a Privacy Breach Response Plan, a Cybersecurity Playbook, a Pandemic Plan and an Emergency Preparedness Plan. You could argue that I’ve just laid out a bunch of ‘scenario-based’ plans and I guess that’s true. But I haven’t written a crisis management or business continuity plan that is based on a specific scenario. I keep those as generic as possible in order to cover the various scenarios.

Where DO I use scenarios?

Two places. One additional document that goes in my library is a Crisis Management / Business Continuity Overview that documents how the organization is protected by the overall program. In this document I list the top key risks (as discussed above) and describe how the program’s various plans address and mitigate the impact of those risks.

The main place I use scenarios is in my exercises. To me, the scenario is the reason that we are called together and is key to the overall success of your exercise. For example, my Caribbean based client runs a hurricane drill every year. They have a specific protocol that must be followed when their island goes under a hurricane watch. We run through that process. For other clients, I will run a ransomware tabletop exercise to show who the technical teams and the crisis management team will respond to that situation. We’ll run a crisis management and business continuity exercise that is based on a tornado hitting the building and making it inaccessible for an extended period. Scenarios allow the exercise participants to get their heads around why they are there and why their actions matter. Simply put: It provides context and perspective for the exercise.

I urge you to give some thought to the scenarios that you use in your exercises. They need to be plausible so that you don’t spend time during the exercise arguing the validity of the scenario. If necessary, engage the exercise participants ahead of time and seek their input and guidance.

Conclusion

Scenarios are good for adding context to an exercise and can make you think about how your program addresses key risks that face the organization. I don’t recommend that you build your plans based on a specific scenario. I’d rather see you build a complete library with documents that address specific risks as required.
Good luck!

Related:  Disaster Planning – Interview with Mark Hoffman