Business continuity, disaster recovery and crisis management professionals are challenged by the use of inexact and often confusing jargon. We use terms such as business continuity, disaster recovery, resiliency, hot site, warm site, cold site, recovery time objective, recovery point objective, business impact analysis, contingency plans, etc., that are often used to mean very different things.
This creates a challenge for experienced and practiced professionals, not to mention the uninitiated. It can be confusing, and often leads to misunderstandings and gaps between expectations and deliveries.
But, the one word I hate the most, the word that makes me cringe when I hear it, the word I try to eliminate from the vocabulary of consultants who work for me is: "plan." Such a short, simple word. How can I possibly have such distaste for this common word, amongst all those other confusing terms, you ask? Well, I'll tell you.
What exactly do people mean when they say the word "plan?" And what exactly do people assume when they hear the word plan?
There has been more than one occasion when a consultant went into an organization and had this conversation:
CONSUTLANT: Do you have business continuity (or disaster recovery) plans?
CONSULTANT: Can I see them?
CLIENT: See what?
CONSULTANT: Your plans.
CLIENT: Oh, there is nothing to see, our plan is to...
What the consultant was meaning to ask was, "Do you have a manual of documented business continuity policies and procedures?" What the client heard was, "Do you have a business continuity solution in place?"
Then there was this rather uncomfortable moment I had in a corporate board meeting, in which I was reporting on the company's business continuity posture:
CEO: Okay, Joe, cut to the chase. You have been here a while: What is your greatest fear that could impact our ability to operate our business?
JOE: A data center disaster. This is the one disaster that will impact your operations world-wide and bring everything to a halt.
CEO: But, we have taken care of that. Our IT director just gave us a presentation last month on his disaster recovery plan in case of a data center disaster.
JOE: Yes, I saw that presentation. His plan is a plan to build out a recovery capability, but you have no recovery capability today. His presentation showed a back-up site that he recommends be established, but isn't there today. If your data center goes down today, you are out of business.
CEO: (Turning to the IT director), "Is that true? We don't have a recovery plan today?"
IT DIRECTOR: No, we have a plan. It is just going to take us 15 months to get it up and running if the budget gets approved.
CEO: Oh, that's not good. I was under the impression we had a plan in place and not just a plan to build a plan.
I have seen it time and time again. The board of directors does what it is told to do: Ask if we have a plan in place. The responsible party gives a nice, terse "yes" and everybody is happy. Then I come in later and explain, "Well, you might have a recovery 'plan' but you don't have a recovery capability."
I instruct my consultants: If you want to know if a company has a recovery capability, ask what its recovery capability is; if you want to know if the company's capabilities are supported by documented policies and procedures, ask to see documented policies and procedures.
My consulting plan is -- avoid the word "plan" -- and, be more precise by stating what you want that word to mean.
For more information, please visit www.safeharborconsulting.biz.