Stop using the “P” word

Business Continuity Plan

An article was recently posted on the BCI website titled “Don’t just download a business continuity plan”.  It contained sage advise for those who would download a template, fill in the blanks and then believe they had actually created something of any value.  You can read the article here.

This article was written by Steve Dance, Managing Partner of RiskCentric

RiskCentricRisk Centric specialise in creating automated management systems for business continuity, compliance and standards compliance. The .Connected platform works with  existing document based content and can be implemented within hours

What struck me however, is how so many people think that a document is the end game.  In many respects I think it’s  it’s because we keep using the word “plan” as in business continuity plan, incident management plan, emergency management plan etc. etc. It creates the perspective that the goal is to produce a document that will followed in the event of a major operational incident and, because of this,  it trivializes the whole concept of what should really be thought of as resilience and response management.  In my more recent work, I don’t believe that I have created “plans”. What I have done is creating capabilities that:

a) raise the tolerance of an organisation to operational interruptions (i.e. we have increased the organisations threshold to tolerate a potential disruption)  and;

b) put the organisation in a position to respond and recover if the incident is particularly severe

Of course, much of this was documented so that it could be communicated to interested parties and used internally for review and assurance activities (i.e. so that we could periodically refer to what we had put in place and confirm whether or not it was still fit  for purpose). Other aspects of our capabilities were supported and facilitated by specialised applications and information systems.  All of it came together as an integrated set of capabilities that increased the threshold of tolerances the organisation had in place to withstand the root causes of operational disruption, together with the capability to respond to an incident that was sufficiently severe to compromise current resilience arrangements.

But it wasn’t a plan – it was framework. Some aspects of it were described in documents, other parts were integrated into “business as usual” and others were systems and applications that either helped with managing the information that we had created for the framework or which would be used in the event of a particularly severe incident.

So let’s stop putting the “P” word at the end of business continuity – try using the “F” word (for “Framework”) or the “C” word (for “Capability”)