Pandemic Plans. Disaster Recovery Plans. Business Continuity Plans. As continuity practitioners, we hear these terms all the time in our daily activities interspersed with other topics and thrown around at whim. All three have common elements and address much of the same areas – not all areas mind you, but many common ones. Saying that, are they three separate plans or all part of one bigger plan?
Pandemic plans deal with people. If the Influenza virus (H5N1) strikes, it will hit people not mainframes and telephones. They’re also supposed to capture what to do when you vendors are hit by flu. How do you keep receiving your deliveries? How do you still get your manufactured goods out the door? Pandemic plans have caused the creation of multiple Human Resource policies but in a good organization aren’t there already HR polices to deal with absences and illnesses? I mean, I worked for a large service provider affected by the SARS outbreak in Toronto and we learned from it. Didn’t anyone else? Didn’t anyone else implement HR policies or was it a free-for-all? I’m simplifying the matter a bit I know but shouldn’t these types of pandemic causing activities already be in an organizations continuity strategy?
Then you have the Disaster Plan. I’m still not sold the idea that a disaster plan is a response to technology occurrences and disruptions. Every time I pick up an article or book about disaster planning, it contains a load of information on how disaster plans should address things such as, Critical IT resources, IT recovery activities, backup and restore procedures, off-site storage vendors, DR service providers and Infrastructure recovery. Once and awhile you’ll get something that covers what to do in a hurricane or tornado (they have the potential to be a disaster and sadly have been in the past). These seem more like IT contingency plans. Correct me if I’m wrong but if a disaster occurs don’t they cause the activation of numerous contingency plans?
Then we get to the Business Contingency Plan (BCP). These plans are for business areas and how they keep their operations going during times of incidents or disasters. Why only business areas? Why don’t all departments have a contingency plan? Unless I’m seeing things, people work in technology department too, which are all part of the overall business operation. These plans should cover contingencies on what to do when you technology, or other resources, isn’t available; or when your staffing levels fluctuate or are reduces; and what to do when you’re building is access restricted due to a fire at a neighbouring building. Correct me if I’m wrong but aren’t some of those covered in “Disaster Plans” (as I’ve described them above) and “Pandemic Plans,” as well as some other bits of information?
There seems to be so much overlap between the three sets of plans it’s no wonder organizations have a tough time distinguishing what they need a plan for and what they don’t. And we’re puzzled why employees and management don’t understand Business Continuity Management (BCM)? We have hospital workers dictating how a BCP or DRP should be structured yet they only have one view of what a disaster is; pandemic. Now, there’s nothing wrong with that view and hospital staff are key in all sorts of situation and thank God we have them however, a BCP can’t be build on one situation only. They must be more comprehensive and address other situations, of which a pandemic scenario or technology failure is but only two components.
A pandemic outbreak can be a disaster and activate many continuity plans. Some natural disasters cause continuity plans to be activated yet have no correlation with pandemic plans but could contain problems if one of your service providers is affected by the disaster (and you’re not). That’s still not your pandemic plan but it is part of you continuity strategy isn’t it? There’s overlap everywhere.
Traditionally, disaster plans and continuity plans have focused on technology and facility loss. What pandemic plans have done is provide a focus on people continuity plans but if an organization had a good continuity plan to start with they would have already addressed what to do when people weren’t available. I’ve always felt that people needed to be incorporated into the continuity strategy but then maybe that’s just me and the rest of the world is only catching up now. That’s why I ask, are these really different plans or the same plans just looked at from different perspectives?