Generic plans, specific playbooks and asymmetric attacks

At the heart of crisis management and business continuity there’s always a push and pull between planning for specific and nonspecific threats. The essence of a sound business continuity plan is its ability to counter threats of almost any nature. At their heart BC plans are typically generic and don’t seek to ameliorate a particular threat but act as an organisation’s first line of defence against an array of possible crises.

Screenshot 2019-03-31 at 16.14.57.png

Some consider this old-fashioned thinking and put their faith in what are commonly called playbooks. Organisations now typically have at their disposal cyber and terror playbooks which set out in some detail how to tackle one particular type of emergency.

In an interesting article entitled Planning for the Unexpected published in Strategy+Business the authors seek to tip the balance in the direction of traditional BC and promote the idea of non-specific planning because of what they call asymmetric threats.

They ask the question: Typical crisis planning focuses on specific potential shocks. But how do you prepare for an unforeseen ‘asymmetric’ threat — one that comes out of nowhere, with no rule book to follow?

The authors suggest there are four types of asymmetric threats.

Unprotected infrastructure

A terror attack or a natural disaster can play havoc with critical infrastructure which includes utilities such as water, gas and electricity supplies along with transportation. Ports and financial exchanges could also be at risk.

Vulnerable technology

Computers, the internet, the internet of things and company IT represent an enormous risk with cyber-attacks being reported almost daily. The hackers may be pressure groups, cyber criminals and operatives from nation states seeking to destabilise a country or steal intellectual property.

Underestimated disasters

This is a threat that is thought to be understood but pans out in ways that were completely unexpected. When Hurricane Katrina raged through New Orleans it looked initially as though the city had escaped the worst only for the levees to break and the city to be submerged. In March 2011, when an earthquake and tsunami struck Fukushima, Japan, it was at first seen as manageable. But when the nearby nuclear powerplant was affected, events spiralled out of control. In a telling comment, the chairman of the Fukushima Nuclear Accident Investigation Commission said: It was ‘a profoundly manmade disaster that could and should have been foreseen and prevented.’

Innovative geopolitical attacks

As already indicated this threat will likely come in the form of a cyber-attack from a nation state. Like other forms of espionage, state-based cyber-attacks are intended to control events in other countries. For example, Stuxnet caused considerable damage to Iran’s nuclear programme and while no one has taken responsibility it is thought to have been developed jointly by the US and Israel. Russian President Vladimir Putin has said artificial intelligence will likely determine the course of future wars, using drones and other technology, rather than traditional battle field weapons.

It is undeniable that crises can have infinite or asymmetric causes. So, you might ask, quite reasonably, if there are infinite causes how can you prepare a plan that will cover all eventualities? If you try to develop a plan for every possible scenario, you would drown in a sea of paper and end up with a crisis plan the size of the Bible.

But you can do two very useful things: First review the risks that represent the greatest threats to your company. If you rely on IT as most companies do these days then you need to factor in resilience, back up IT, and perhaps a recovery site. The second is to prepare a flexible framework, which can respond rapidly to the unexpected.

This will almost certainly include a BC plan but might also include a threat specific playbook. The two are not mutually exclusive. Ultimately, a firm and its CEO are judged not on how accurately they predicted the precise nature of a threat but rather on their response.

In these uncertain times, a plan, that’s been tested during a crisis simulation, combined with proven crisis management protocols are still the best ways to overcome a crisis whatever the nature of the crisis might be.

Jim Preen: Head of Media

Richard Whitby