I have already discussed, and most of us already understand, that business continuity, disaster recovery and crisis management professionals are challenged by use of an inexact and often confusing jargon. We use terms such as business continuity, disaster recovery, resiliency, hot site, warm site, cold site, recovery time objective, recovery point objective, business impact analysis, contingency plans, etc., that are often used to mean very different things to experienced and practiced professionals – not to mention what they mean to the uninitiated. It can be confusing and often lead to misunderstandings and gaps between expectations and deliveries.
But, the one word I hate the most. The word that makes me cringe when I hear it. The word I try to eliminate from the vocabulary of consultants who work for me is … “plan”. Such a little, simple word – how can I possibly have such distaste for this common word amongst all those other confusing terms? Well, I’ll tell you.
What exactly do people mean when they say the word “plan”? And what exactly do people assume when they hear the word “plan”?
There have been more than one occasion where a consultant went into an organization and had this conversation:
CONSUTLANT: “Do you have business continuity (or disaster recovery) plans?”
CONSULTANT: “Can I see them?”
CLIENT: “See what?”
CONSULTANT: “Your plans.”
CLIENT: “Oh, there is nothing to see, our plan is to …”
What the consultant was meaning to ask was, “Do you have a manual of documented business continuity policies and procedures?” What the client heard was, “Do you have a business continuity solution in place?”
Then there was this rather uncomfortable moment I had in a corporate board meeting where I was reporting on the company’s business continuity posture:
CEO: “Okay, Joe, cut to the chase. You have been here a while, what is your greatest fear that could impact our ability to operate our business?”
JOE: “A data center disaster. This is the one disaster that will impact your operations world-wide and bring everything to a halt.”
CEO: “But, we have taken care of that. Our IT Director just gave us a presentation last month on his Disaster Recovery Plan in case of a data center disaster.”
JOE: “Yes, I saw that presentation. His plan is a plan to build out a recovery capability – but you have no recovery capability today. His presentation showed a backup site that he recommends be established but isn’t there today. If your data center goes down today … you are out of business.”
CEO: (Turning to the IT Director) “Is that true? We don’t have a recovery plan today?”
IT DIRECTOR: “No, we have a plan. It is just going to take us 15 months to get it up and running if the budget gets approved.”
CEO: “Oh, that’s not good! I was under the impression we had a plan in place and not just a plan to build a plan.”
I have seen it time and time again. The board of director does what it is told to do; ask if we have a plan in place. The responsible party gives a nice terse, “Yes” answer and everybody is happy. Then I come in later and explain, “Well, you might have a recovery ‘plan’ but you don’t have a recovery capability.”
I instruct my consultants: If you want to know if they have a recovery capability, ask them what their recovery capability is; If you want to know if their capabilities are supported by documented policies and procedures, ask them to see their documented policies and procedures.
My consulting plan is – avoid the word “plan” – and, be more precise by stating what you want that word to mean.