How Your Business Continuity Plan Is Like Swiss Cheese


If your business continuity plan is like most of the plans we see, then it is highly likely that it bears more than a passing resemblance to Swiss cheese.

We don’t mean that it would taste very good served with ham on rye.

We mean that it is probably full of holes—of omissions of key provisions and information whose absence would sharply reduce its effectiveness if and when you had to turn to it to help your organization get through a disruption, and which might even make it fail altogether.

In today’s blog, we’re going to bullet out some of the more common business continuity plan holes—and also explain what can be done to plug them.

Are any of the following holes baked into your organization’s BC plan?

 

Your plan’s successful execution depends on conditions unlikely to be present during a disruption.

We see this most frequently with plans on the DR/IT side, that is, plans providing disaster recovery for information technology systems. Plans are often written to be successful during a test. But such tests are typically run under conditions that are unlikely to be present in a real event. If your plan depends on those conditions, and they are absent, it may not work.

How to plug this hole: This problem is not easily eliminated, but its effects can be accounted for. Describe any special conditions which existed during your successful tests in a separate document or an appendix. Having knowledge of these at hand can provide insight that will increase the chances of the plan succeeding under real-world conditions.

 

The plan lacks sufficient detail in the instructions for performing critical functions.

Plans typically provide instructions on how to carry out different kinds of procedures, with the purpose of enabling a reasonable professional operating in that position to follow the instructions and accomplish the task. However, most instructions included for this purpose are inadequate. Typically, they are too generic and lack the kinds of company-specific details needed for the operation to be carried out. This information, sometimes referred to as the proprietary details, includes such things as the codes that need to be applied to create a purchase order or the necessary configuration for a database. In writing these instructions, people tend to make assumptions regarding the knowledge of the people who will be called on to follow them, and these assumptions are often incorrect. It may be that the primary person knows the proprietary details, but what if a secondary or tertiary person is called on to do the task? Moreover, often when plans do provide detailed instructions on how to do something, it’s a very basic, generic task that the ordinary capable professional in the role already knows how to do.

How to plug this hole: Ensure that your procedural instructions contain sufficient detail and proprietary information so that the average competent professional in that area, who does not know the information coming in, can accomplish the task.

 

The plan does not explain unique aspects of the company’s operations.

Organizations and departments often set up unique states and arrangements, frequently for sound reasons. However, these arrangements have the potential to confuse an average competent professional coming in without knowledge of them to perform a certain function in the context of recovering from an event. Such a person could waste time and resources trying to normalize a situation that, within the context of that organization or department, is normal and expected.

How to plug this hole: Include in your plan details of any unique or unusual arrangements or states that have been established at your organization or department.

 

The plan contains too much narrative and too few checklists.

Too many plans are heavy on narrative, in the form of descriptions of strategy or the purpose of an activity, and light on checklists containing step-by-step tasks to do, in order, with explanations for how to do them. Strategy descriptions are fine for the appendix. But the heart of your plan should be checklist-type, step-by-step procedures guiding the person through the task. They should say, “Do this, then do this, then do this.” The “what” and the “how” go in the main part of the plan. The “why” and the descriptive part go in the appendix.

How to plug this hole: Make detailed, in-order checklists the heart of your plan. Put the strategy and descriptive information in the appendix.

 

The plan lacks sufficient information on alternative ways of obtaining critical equipment.

Often it is assumed that providing access to alternate equipment means supplying computers and phones only. Plans often overlook the need for providing access to such equipment as handheld scanners.

How to plug this hole: Make sure your plan provides for a way for your people to obtain all the equipment they need to do their jobs, not just computers and phones.

 

The plan lacks up-to-date contact information.

Is the contact information in your plan up to date? If it isn’t, it might be difficult or impossible for people at the organization to reach key internal or external individuals when the need is greatest.

How to plug this hole: Up-to-date internal and external contact lists don’t necessarily have to be in the plan, but they should be referenced in it so people can find them. Verify and update the information on these lists frequently. When you receive notice that someone’s information has changed, update it on the lists referenced in the BC plan.

 

These are a handful of the holes that we most commonly see in organizations’ BC plans.

By plugging them, you can decrease your plans’ resemblance to Swiss cheese, and increase the odds that they will serve the organization well when they are needed most.

 

Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.



© 2024 · MHA Consulting. All Rights Reserved.
