I received an email from a respectable source today telling me I needed to develop a "pandemic plan."
Been there, done that.
I agree that the threat of a pandemic, or even its near kin, epidemic, needs to be addressed; it is (they are) after all, a "threat to business as usual."
Pandemic: occurring over a wide geographic area and affecting an exceptionally high proportion of the population <pandemic malaria>
Epidemic: affecting or tending to affect a disproportionately large number of individuals within a population, community, or region at the same time <typhoid was epidemic>
Definitions compliments of Merriam-Webster Online
But is there a value in a separate plan?
In two words: Why and No.
There are several reasons WHY I want to avoid a separate pandemic plan, just as I want to avoid a separate strike plan or IT plan or earthquake plan or hurricane plan or any other name-the-threat plan.
What is the difference in impact between H5N1 and a "sick building" or strike or any other "empty building" scenario? The avoidance/mitigation, the preventive measures, may be different, but the impact is essentially the same.
The italicized "weasel words" are to acknowledge that a building emptied because of a *demic might need to be disinfected before it can be reoccupied, unlike an empty building caused by a strike or a parade or a police cordon due to a crime across the street.
A second "why?" is "Why create, maintain, exercise, and support another risk management (business continuity) plan?"
We have enough trouble getting Very Senior Management to sign on to ONE plan.
Think about it. What makes a building emptied by a *demic different from one emptied by any other reason?
Let's say you live in a Rochester, NY suburb and there is an unusually heavy snowfall. Since you are tucked away on a side street's side street, it could be days before a plow comes by to clear a path -- and that same plow might pile snow up 6-feet at your driveway's exit to the street.
Are you going into the work place? Of course not.
If the organization manufactures something -- say 16-inch valves for aircraft carriers -- the local production line will be shut down. The plan - the enterprise risk management/business continuity plan - must consider the threat, impact, and the response.
The difference between a snow day and a *demic for office staff is that for the former the staff may feel OK to work while in the latter many will be nursing their illness or those of their loved ones. Either way, the threat, the impact, and the response must be considered by the enterprise plan.
I will concede that there are other differences between a snow day and a *demic event, but the overall bottom line is the same, and in each case, the threat, impact, and response must be considered.
So why a separate plan?
Moreover, creating a separate plan takes resources - from the risk management staff, from the functional unit staffs, and it interferes with management's time.
I wrote earlier that I had "been there and done that."
I was on a corporate pandemic team for a then-Fortune 50 organization. (It has since slipped.) The corporation had a number of independent divisions, but corporate in its wisdom (and for a change I agreed) wanted a corporate plan.
To be honest, this organization neither had, nor understood the logic of, a corporate business continuity plan, but that's another story.
We worked long and hard to develop a plan. The organization invested in experts to advise us. We spent hours on conference calls, time we could have better spent on other "regular" work.
It was interesting and it did force the divisions to update their contact lists (if nothing else).
But in the end, Very Senior Management decided that the bird flu had flown and we (the corporation) really didn't need a plan so all the work was either shelved or, worse, discarded. A year after the
H5N1 scare I was hard pressed to get local management support to update the contact list.
If there is an enterprise, all-threats plan, it should include all threats, all possible impacts, and the associated responses.
Having a separate plan for specific threats is, to my mind, counter productive in so many ways.
Think in terms of "economies of scale." With one all-inclusive plan, you
- Save development and maintenance effort
- Eliminate multiple interruptions for functional unit subject matter experts
- Save one document that is less likely to be lost (or deleted)
- Only have to get management approvals for one project
By the way, there are times when I encourage "mini plans."
I think each functional unit should have - and maintain with practitioner guidance - its own business continuity plan.
I also think each project should have its own mini plan to consider all the things that can go wrong on the way to project completion. I learned that lesson with a retail giant that wanted a simple round trip
plan for its data center. The problem: The decision makers never showed up to make decisions. But there are other things that frequently do go wrong - equipment failing to arrive on time, utilities yet to be connected, critical staff absent or removed and not replaced; the list goes on.
Obviously -- based on the lede paragraph -- there are those who will take issue with my contention there should be only one, all-inclusive, enterprise plan.
I've heard some good arguments for multiple plans, but I've yet to hear a convincing argument.