Accepted business continuity good practice is to focus on the impacts on an organizations' key assets rather than to plan for specific scenarios, but does the usual ‘people, premises, resources and suppliers’ impact list have limitations? By Charlie Maclean Bristol, FBCI.

In teaching about the Business Continuity Institute's ‘Good Practice Guidelines’ (GPG) one of the points I stress is that in business continuity we do not look at scenarios such as flood, fire, pandemics, but we look at the impact on our organizations' key assets, categorised by PPRS:

I make the point that we should concentrate on the effect of an incident on PPRS, so it really doesn’t matter how our head office was destroyed whether it was flood, fire or terrorist attack. What matters in business continuity terms is that we have lost key assets and we need to implement our business continuity plans to deal with the situation.

However, the more I think about PPRS the more I see its limitations and I think it gives us too narrow a focus of incidents to deal with. I also think the business continuity manager should always be looking for opportunities to expand their role and to add value to their organization and increase its resilience. In doing so they should be looking at a wide variety of different threats. 

Some of the issues I see with PPRS are: 

I am not sure what the answer is, as the list of possible considerations needs to take into account, in the widest terms, the assets which could be lost and cause an incident, but also take into account intangible issues like reputation and issues such as kidnap and cyber breach.

Perhaps we need to look to risk management to give us a better list of threats that we should be addressing?

If you have a better list than PPRS and would like to share it with the wider Continuity Central readership we would be very pleased to hear from you.

The author

Charlie Maclean-Bristol FBCI, BA Hons, is Director of Training at PlanB Consulting. This article was first published here.

Reader comment

PPRS is a very useful tool for planning in that it points towards the areas that just about any disruption will affect, and so guides planners in the creation of their plans and the vulnerabilities relevant to that particular plan.

Charlie is right in that it does not cover everything, but I'm not sure creating an exhaustive list would be possible or helpful to planners. Having a strategic set of guide values is much better, as it allows for anomalies to be dealt with by encouraging invention and creativity on the part of the planner.

Continual, thoughtful horizon scanning is crucial to the identification of wildcard risks to delivery that don't appear covered in the plan. So whilst I don't have a better list, maybe I would add something to the existing one, H=horizon scanning.

John Ball AFBCI
BCI European Continuity /Resilience Manager of the Year 2016