As a business continuity planning professional, I hate the word “plans”.
I have, on more than one occasion, been in a situation similar to this:
In an executive management or board meeting following a disaster recovery program review, I am asked, “What is the biggest risk to our organization?”
I answer, “A data center failure.”
Someone will answer, “That is not a concern to us, we have a Disaster Recovery Plan.”
I explain, “Yes, you have a ‘disaster recovery plan’ to implement a recovery capability, but you have no capability today. If your data center is compromised today, you will be out of business.”
“How can that be, I’ve been told we back everything up?!”
“Yes, you back up all your software and data, but you do not have access to the physical equipment to recover to if your data center is destroyed by a disaster.”
The problem is, management asks their IT Manager (or Business Managers), “Do we have a recovery (or business continuity) plan?” And the manager simply responds, “Yes”, without providing or being asked for an explanation – and everyone is happy – and misinformed.
Or, how many times has this situation occurred?
A planning professional asks, “Do you have a disaster recovery / business continuity plan?”
The answer is, “Yes, we do.”
“Good. Can I see them?”
“Well, our plan is to …”
The person asking the question was asking if they have documentation to support a recovery capability. The person answering was saying yes, they have a recovery strategy or solution (or plan to implement a plan – see scenario above).
If you want to know someone’s disaster recovery capability, ask them what their capability is.
If you want to know if their recovery capability is supported by documented policies and procedures, ask to see their documented policies and procedures manual.
Otherwise, you might get what you think is a positive answer but which is really a misleading answer to an ambiguous question.
I have encountered numerous misinformed and falsely secured business executives who are flabbergasted when I educate them on their real disaster recovery or business continuity posture because of the way people use and interpret the word “plan”.
This is why I hate, hate, hate, hate the word “plan” and suggest that planning professionals avoid its use altogether.