Where Plans and Playbooks Meet Reality
I want to write about plans: security incident response plans, recovery and resolution plans, crisis management plans, pandemic plans. Playbooks that explore possible misfortune and lay out action steps for, “What comes next?”
A major problem with plans is that they look good on paper, especially after an army of MBAs and a phalanx of lawyers polishes the PowerPoint. But as a famous military quote goes, “No plan of operations reaches with any certainty beyond the first encounter with the enemy's main force.”
More broadly (and modernly), no plan survives contact with reality intact. Real life laughs at plans, and real risk management isn’t a matter of simply pulling a response plan off a shelf and flipping to page one. (If only!) No matter what scenarios we envision in planning, they will never unfold exactly as imagined, so some parts of plans may turn out to be moot, unnecessary, or insufficient.
In a true crisis, with information flying in many directions from many sources, and with numerous stakeholders trying to discern the terrain, the first step is, crucially, observation:
Is what is happening what I think is happening?
Is something else happening in addition to what I see on the surface?
Is something else entirely happening, something unexpected?
Is it possible that nothing of import is happening? (Sometimes an error or crash can cause alerts that, if misinterpreted, could mimic a more serious incident)
If something is, in fact, happening, then it’s time to activate the plan.
But you just said plans aren’t accurate.
That doesn’t mean they’re useless. In the chaos of a fast-changing situation, you’ll be glad you made a plan, because if you had to write one from scratch during a crisis, it would probably not be good. Plans written while panicking rarely are. The real value of a plan is not its perfect accuracy. The value is that it was created by calm heads in calm moments, to whom you offloaded a lot of heavy lifting in considering and prioritizing and running the math on various options. With a plan, at least you have a starting point. You aren’t starting from zero.
Plans’ strength is also their weakness: in calm moments, we can’t truly understand our many uncertain possible futures. But that mainly causes problems if we expect too much from our plans—if we view them as immensely detailed maps with every gas station and restaurant marked for thousands of miles. That’s a false image and an unattainable goal.
Focus on getting the process right, not predicting every detail
So, planning doesn’t mean mapping out every detail in advance. Instead, it means mapping out the main pathways for a response process: communication, mobilization, productive use of data, and decision-making under uncertainty. Uncertainty requires flexibility, and a good plan understands this and is designed to assist it. Evolution is a natural part of plan activation.
I vividly recall the 2008 financial crisis because, as a newly hired regulator, I had a ringside seat to the abyss. Through many years of work during and after that crisis, I became convinced that good planning is a differentiator. Good planning means:
Accurate data that can be assembled quickly, used productively, and queried easily;
Good communication up and down through organizational reporting lines and channels;
Key people, goals, and milestones identified for response procedures;
Testing plans to the degree possible (via tabletop exercises, practice runs, and simulations).
Plans change. Unexpected events are the rule. Plans need to take that into account, because you will almost never see the specifics of an event coming in advance. Plans that target too many specifics are targeting shadows. Plans that target an effective response process are more likely to prove useful in the breach.
Plans. Important yet not always predictable. I write Intentions for my day. Sometimes it works. 😃
Stephanie -- Your first couple of paragraphs reminded me of one of the VERY BEST sports quotes of all time. The Heavyweight boxer, Mike Tyson, not known for his eloquence once said "Everyone has a plan until somebody gets punched in the face".
My early career 15+ years were in heavily regulated businesses that were genuinely complex and the consequence of error was risk to human life. Both the manufacture and operational training for flying aircraft whether military or civilian or the construction and operation of nuclear power stations were managed similarly. Full mockup simulators and the costly testing of all sorts of scenarios was just the cost of doing business. Most importantly each new wrinkle on which operators should be aware could be layered into training. As the years went by it became apparent to me that the layered cost of all this preparation was a burden and likely made any additional complexity (cooler airplanes or advanced reactors) highly unlikely. They would simply collapse the ability to fund such things especially after the collapse of the Soviet Union. I think that is why only nation states like China have attempted to enter the spaces with near unlimited budgets.
What is interesting now only a generation later is all sorts of businesses operate with MUCH LARGER risks and complexity yet they lack the regulator oversight to demand true simulators. I believe we just roll the dice with technocrats in the background deployed to fix the oops when and if the genie is out of the bottle. Maybe too expensive to make the underlying business workable. We are at the mercy of one by one plans, hopefully practiced frequently enough.