Assumptions have no place in a Disaster Recovery Plan
Assumptions are the land mines of Business Continuity and any disaster recovery plan. They can be anywhere and are usually in the Mission Statement and Objectives and they have the potential to destroy a Business Continuity or Disaster Recovery process in an instant.
So what can a Planner do to minimize the exposures they face because of them?
A section titled “Assumptions” should never exist in a plan. There may be times where setting a an assumptions may be useful, but most often it is an excuse to absolve the plan writer of responsibility should the plan’s execution fail.
Some examples of assumptions that were almost all proven wrong on 9/11 and the recent weather related events of 2013:
- Access to the building will not be prohibited for more than 48 hours
- All personnel listed in this plan are willing and available to work when and where assigned
- In the event of interrupted access to IT systems, access to original documents will be made available.
- The corporate network will remain accessible to all other operating locations.
- All critical IT Applications & Systems with be restored within “X” hours.
- The plan is not applicable during quarter- or year-end periods.
These are real assumptions found in real plans. Shown together like this, the emerging pattern seems petty, silly, and obviously self-serving. Yet they exist. These and many like them appear in a majority of plans that organizations rely on.
If the assumption does not occur exactly as cited, the Business Continuity Plan fails. An assumption is an obstacle placed in a highly visible spot – assuring that the writer cannot be blamed if the assumption doesn’t occur. A Plan with multiple assumptions is an accident waiting to happen. .
A Better Way
When the initial premise of a Business Continuity or Disaster Recovery plan focuses on the cause of a potential disruption, an assumption may seem necessary. But that need not be true. The solution:
- Plan at a more Granular Level — Assumptions are a way of coping for a difficult issue. A better way is to try planning for the disruption of the individual business processes or IT applications housed in that facility. Even drilling down to plan for the disruption of a Department may allow for more targeted recovery strategies (and fewer assumptions).
- Stop focusing on the result of the event — Documenting the strategies (and tasks) required to recover that asset is possible – and why access was lost isn’t necessarily relevant. Sure it’s possible to lose multiple assets, but if you develop recovery strategies for every critical asset, you’ll still have options during a disruption.
- There’s more than one Path — In the real world, the path to recovery may branch, loop back on itself and change over time. By focusing on asset recovery, and documenting multiple recovery strategies for those assets (ex. Alternate site, alternate team, manual process, etc.) recovery is possible under any scenario. Just pick the best recovery strategies for the circumstances.
If you a make assumptions a critical component of a Business Continuity Plan, you diminish its odds of success. Why plan for failure? Stop focusing on what your plan can’t do, and plan for all the potential options that could lead to success.