I have participated in a number of conversations where people argue what the basis for business continuity plans should be. Some people say you should have plans designed for specific threats inherent in your environment and others say that “what” happens is not important; plans should be based on the impacts of what happened and not the event itself. I say, they are both right, in a way.
Business continuity planning, I think, has evolved over time and has expanded in scope of what it tries to achieve. I’m not sure why we have gotten away from the term “contingency plans”, but I think Business Continuity Planning today includes both emergency response components and contingency planning components.
Considering these two components of the overall program, I think the Emergency Response part, that part that addresses how an organization responds to an incident should, in fact, have scenario specific components for the known risks and threats in the area where you do business. If you have facilities in hurricane regions, you absolutely should have Hurricane Preparedness Plans. Same goes for if you have facilities on fault lines; in flood plains; near active volcanoes; near nuclear power plants; etc. When specific threats arise, like pandemics, for example, your organization should develop a scenario specific plan for prevention and contention techniques for that exact threat.
But, on the contingency side of things, the focus should be on the impact. Contingency plans should be developed based on impacts, such as: loss of access to the building; loss of access to technology tools, applications and data; interruptions in workflow; depleted or immobilized work force; etc.
Then the entire program should allow a cross mapping of the two plan components. The threats, for which you have specific plans, could result in any or all of the impacts for which you have contingencies. Take Pandemic Plans for example. Many companies attack this issue as if it is an entirely new challenge and try to develop Pandemic Plans as holistic, stand-alone, programs. Once you realize that the impacts of a Pandemic might be a depleted or immobilized work force and interruptions to critical workflows, you realize that you should be able to leverage those contingency plans already developed and focus on the health and safety of your work force and work environment for the particular pandemic that poses the threat. The pandemic response might be unique to this threat, but the contingencies could be leveraged for any event that impacts your work force availability, such as; transit strikes; civil unrest in the area; etc.
So, if you are responsible for developing plans that address both response and contingency components of the overall program, I suggest that you will be doing both – developing scenario specific and impact based policies, procedures, strategies and solutions. Then, you may even create a matrix that identifies which contingencies might come into play under each specific scenario. I do, however, think you still need that generic response plan to handle those scenarios for which specific response plans have not been created. These plans should focus on the logistics for getting decision makers together to address the challenges of an unplanned for interruption in an effective and efficient manner and adequately communicating decisions and instructions to the impacted parties.
Good luck. No one said this job was going to be easy.