Contingency Planning |
Executive Summary
Organizational planning is the process of setting short and long-term objectives for the organization. Once the plan has been approved by the senior leadership team, it is cascaded to lower levels of the organization to execute. However, as Mike Tyson is quoted “everyone has a plan ‘til they get punched in the mouth”. To account for the unexpected, responsible leaders invest in contingency plans to restore business operations in the event of a disruption. Senior management awareness about the value of resilience is increasing; 59% now admit cyber resilience effects revenues, versus 47% in 2016 (Ponemon, 2018). As this trend continues, organizational plans will evolve to incorporate more contingency planning to create tighter alignment to meet the strategic goals of the organization. This section will evaluate the tension between the two plan types in terms of pros and cons between each, key components, consideration of approaches to resiliency and finally a consideration of the factors between continued operations and full restoration.
Organizational planning is the process of setting short and long-term objectives for the organization. Once the plan has been approved by the senior leadership team, it is cascaded to lower levels of the organization to execute. However, as Mike Tyson is quoted “everyone has a plan ‘til they get punched in the mouth”. To account for the unexpected, responsible leaders invest in contingency plans to restore business operations in the event of a disruption. Senior management awareness about the value of resilience is increasing; 59% now admit cyber resilience effects revenues, versus 47% in 2016 (Ponemon, 2018). As this trend continues, organizational plans will evolve to incorporate more contingency planning to create tighter alignment to meet the strategic goals of the organization. This section will evaluate the tension between the two plan types in terms of pros and cons between each, key components, consideration of approaches to resiliency and finally a consideration of the factors between continued operations and full restoration.
Organizational plans contain the following; Vision, Mission, Objectives, Strategies and Actions. This is often expressed with the acronym VMOSA (Halla, 2016). The advantages to an organizational plan are; gives an organization a sense of direction, focuses attention on objectives and results, establishes a basis for teamwork, provides guidelines for decision making and helps anticipate problems and cope with change. However, pitfalls of organizational plans include; strategic planning horizon (time horizons outside most board of directors and investor view), cost-based thinking and self-referential strategy frameworks. The later means executives build a strategy around what they can control (Martin R., et al., 2015). This is important to note as leadership teams do not have control over unexpected events like cyber breaches or natural disasters, they do, however, have control over developing the capability to plan for and respond to incidents. Therefore, organizations must have the ability to withstand all hazards and sustain its mission through environmental changes (Sawnson, M., et al., 2010).
|
The critical components of contingency planning include: a business continuity plan (BCP) which provides procedures for sustaining critical mission and business processes during and after a disruption, incident responseplan (IRP) which enables security personnel to identify, mitigate and recover from malicious computer incidents and disaster recovery plans (DRP) which is an information system focused plan designed to restore operability of the target system, application or computer facility (Swanson, M., et al., 2010). The advantage of having a contingency plan is a backup can be activated in the event of a disruption with the goal to minimize disruption, ensure safety and resume operations. However, the main disadvantage is the cost. Specifically, it is a tax to the organization; meaning, in a
perfect world with no disruptions, this would not be considered as it wouldn’t support the objectives of the organizational plan. This becomes the tension between the organizational plan and the contingency plan. The organizational plan allocates resources to accomplish its objectives, the contingency plan usurps them. The common link between the two plans is risk. There is inherent risk for every organization and this justifies the investment in contingency plans. |