All Hazards vs. Scenario Based Continuity Planning Approach

  • January 8, 2013
  • Andy Vanderhoff

In the old days, the approach the industry used to take to continuity planning was called scenario based. In this approach you would try and think about all of the bad scenarios that could affect your organization; ie flood, fire, earthquake, hurricane, tsunami, terrorism etc… Then you would risk rate each scenario and build a specific plan for the highest risk scenarios.

The challenge with this approach is that you would end up with very large plans potentially thousands of pages for medium size organization. Large plans are hard to use and very cumbersome to utilize during an event. In my experience large plans typically tossed during the heat of the moment by decision makers and they end up shooting from the hip.

The second weakness of scenario based planning is that the events we planned for were very rarely the scenarios that occurred. Who would have predicted both of the twin towers would be destroyed at the same time, or that the entire east coast would black out for days, or that new Orleans would be under 8 feet of water for months, or that an earthquake off of the coast of Japan would trigger a massive tsunami that in turn would damage generators a nuclear reactor and cause melt down. But all of these events have happened recently.

This is the reason I now advocate an all hazards based approach to building business continuity plans for organizations. In an all hazards based approach you build your plans around your business processes/functions and their related dependencies (vendors, locations, systems, staff, equipment). For each dependency document how you would keep your critical processes running if the dependency was impacted by a disaster.

It doesn’t really matter why your building isn’t available (fire, flood, chemical spill) the fact is it down. How do you get your critical processes running? This approach will ensure your organization is prepared no matter the scenario.