Quick question: How many practitioners does it take to assure a high degree of likelihood that a plan will succeed when it is needed?
In a "Best Of All Worlds" situation.
By my count, three.
Someone needs to create the plan.
Granted, in some really big organizations, there are multiple people charged with creating a plan for this or that location.
And, granted, that there are folks in functional units - HR, Facilities, IT, etc. - who may write a mini-plan for their unit, hopefully under guidance from the enterprise planner.
But one practitioner is charged with overall plan creation.
Someone needs to vet the plan, to assure the plan is complete.
True, walk-throughs and desktop exercises go a long way to exposing plan deficiencies, but the deficiencies probably will be more obvious to an outside practitioner who has extensive planning experience but no direct connection to the plan to be vetted.
Finally, the plan needs to be audited.
The auditor isn't looking for plan deficiencies. Instead the auditor is looking to assure than what the plan requires can be provided. If the plan assumes something will be in place, the auditor will confirm that the "something" is indeed in place, or the auditor will report that the "something" is missing and due to that, the plan may be in jeopardy.
Depending on the size and dynamics of an organization, the planning practitioner may be either a staff practitioner or a consultant. This person will take up the lion's share of the time and money required to create, vet, and audit the plan.
I would recommend that the person selected to vet the plan be a consultant.
This person must have a wealth of experience, more than the plan developer and more than the auditor.
It's OK if the plan developer and the practitioner selected to vet the plan know each other, but they should not come from the same "stable" (agency). Ideally, they will not have created a plan together in the past. Independent minds are needed.
If the plan developer and the person vetting the plan have a good working relationship, that's wonderful. If this is an adversarial relationship, the process is doomed.
The ideal auditor will have an understanding of business continuity, albeit not necessarily a practitioner's experience. The auditor's function is not the review the plan for deficiencies - that's the vetting practitioner's job. The auditor needs to make certain that the avoidance and mitigation processes agreed to by management are put into place; the auditor needs to confirm that exercises have been held and critiqued, and that the "To Do" list has become the "Was Done" list.
The development practitioner and the vetting practitioner need to work together as "almost peers," with the vetting practitioner being slightly senior.
In the vetting role, the practitioner needs to diplomatically work with the plan developer to "enhance" the plan, to "fill in any holes." The practitioner vetting the plan needs both extensive experience in creating plans and ferreting out risks - to borrow from Star Trek, to go where no (planner) has gone before, and to an equal amount of charm, diplomacy, or "presence" to convince the plan developer to rethink all the threats.
The auditor also should be a master of tact.
Finally,, there needs to be a referee; in most cases, this would be the 800-pound gorilla plan sponsor.
While the sponsor may - and should - agree that the vetting practitioner is correct in the practitioner's assessment, the sponsor may end up ruling for the development practitioner due to any number of reasons, including the organization's ability to implement the vetting practitioner's recommendations.
It may only take two to tango, but I suggest it takes three to fully develop a plan that will survive almost anything.
- A practitioner to develop the plan.
- A practitioner to vet the plan.
- A person with risk management "awareness" to audit the plan.
If I wrote it, you may quote it.Longer articles at https://sites.google.com/site/johnglennmbci/