Planning for Impact, Not Scenarios

Business continuity planning often starts with scenarios: fire, flood, cyber-attack, pandemic. Organisations prepare for the threats they believe most likely. That approach has a fundamental weakness — it assumes we can predict the next disruption. In practice, causes vary but many disruptions produce the same set of impacts. By planning from impacts and the likely cascades they create, organisations capture a far broader set of threats and build responses that remain useful when the cause is unfamiliar.

"Plan on impacts, not scenarios. Consequences are predictable, causes are not."

Scenario-Down Planning — The Limits

Scenario-down planning builds detailed responses to named threats. It feels concrete and reassuring, but it is brittle: when reality deviates from the script, plans can fail to apply. Scenario lists also grow unwieldy — every new threat adds another plan — and they encourage checkbox compliance rather than systemic resilience.

Impact-Up Planning — A Better Approach

Impact-up planning reverses the logic: identify the business impacts you must avoid or mitigate, then design capabilities to address those impacts regardless of cause. Typical impact categories include:

• Loss of site access — staff cannot reach offices or data centres.
• Loss of critical systems — core applications or communications fail.
• Loss of key people — absence of subject matter experts or decision-makers.
• Supply chain disruption — vendors cannot deliver goods or services.
• Reputational impact — customer trust or regulatory standing is threatened.

Designing for these impacts produces controls and capabilities that apply across many scenarios. A capability to restore communications within 30 minutes helps in a flood, a cyber-attack, or a mass transit strike.

Case Study: COVID-19

The UK and many organisations planned for the wrong pandemic. The pathogen differed, but the impacts were familiar: closed schools, disrupted workplaces, overwhelmed health services. Planning from impacts — workforce displacement, supply chain strain, and surge demand — would have produced more transferable readiness than pathogen-specific playbooks.

Mapping Cascades and Interdependencies

Impacts rarely occur in isolation. A single failure can cascade across people, processes, and suppliers. Mapping these cascades is central to impact-up planning:

• Identify primary impacts and the immediate business functions affected.
• Trace secondary impacts that follow from the primary failure — for example, loss of payroll capability leads to staff attrition risk.
• Map third-party links and the points where vendor behaviour amplifies or mitigates cascades.

Use simple visual tools — impact trees, dependency matrices, and swimlane diagrams — to make cascades visible to decision-makers. Visibility enables targeted controls where they matter most.

Prioritisation by Impact Tolerance

Not all impacts are equal. Prioritise by the organisation's tolerance for each impact using measurable thresholds:

• Recovery time objective (RTO) for each critical capability.
• Recovery point objective (RPO) for data and transactional integrity.
• Maximum acceptable outage cost expressed in financial, regulatory, or reputational terms.

These metrics convert abstract impacts into actionable priorities and guide investment decisions.

Designing Impact-Based Capabilities

Once impacts and cascades are mapped and prioritised, design capabilities that directly reduce impact or shorten cascades. Typical capability classes include:

• Alternate work arrangements — remote access, hot desks, and temporary sites.
• Data and application recoverability — tested failover, backups, and data integrity checks.
• People resilience — cross-training, role redundancy, and documented decision authorities.
• Supplier resilience — secondary suppliers, contractual SLAs, and vendor exercise participation.
• Communications resilience — multi-channel stakeholder messaging and pre-approved templates.

Design acceptance criteria for each capability that tie back to the impact metrics. This ensures capabilities are judged by their effect on business outcomes, not by activity alone.

Testing Impact Resilience with Scenario Exercises

Scenarios remain essential — but their role changes. Use scenarios to exercise whether impact-based capabilities hold up under realistic conditions. Good exercises:

• Focus on the cascade: start with a plausible trigger and observe how impacts propagate.
• Include third parties and suppliers to validate integration points.
• Test decision-making and communications under time pressure.
• Exercise both automated and manual recovery paths.

After each exercise, convert findings into tracked remediation items with owners, acceptance criteria, and mandatory re-tests.

Governance and Decision Design

Impact-up planning requires governance that links impact thresholds to clear authority and pre-approved actions. Design decision rules that specify:

• Which impact thresholds trigger which actions.
• Who has authority to act and under what conditions.
• Escalation paths when impacts cascade beyond predefined thresholds.

Clear governance reduces hesitation and ensures that precautionary actions are taken when they matter most.

The Human Dimension

Impact planning forces organisations to consider people as both vectors of impact and sources of resilience. Practical steps include:

• Support for employees with caregiving responsibilities during school closures.
• Clear guidance for remote working and wellbeing checks during prolonged incidents.
• Training and role rotation so critical knowledge is not concentrated in a few individuals.

When employees see continuity as practical and supportive, they are more likely to adopt resilient behaviours that reduce organisational risk.

Practical Roadmap for Impact-Up Planning

1. Identify impacts — run workshops to list primary impacts and plausible cascades across functions.
2. Measure tolerance — assign RTO, RPO, and outage cost to each impact category.
3. Map dependencies — create impact trees and dependency matrices that include vendors and critical interfaces.
4. Design capabilities — build or buy capabilities that directly reduce impact or shorten cascades; define acceptance criteria tied to metrics.
5. Exercise end to end — run scenario exercises that validate impact resilience and include third parties and communications tests.
6. Track remediation — convert findings into tickets with owners, deadlines, and mandatory re-tests before closure.
7. Govern decisions — codify thresholds and authority so actions can be taken quickly and consistently.
8. Review regularly — revalidate assumptions after changes to infrastructure, suppliers, or operating models.

Conclusion

Scenario lists are useful, but they are not a substitute for impact-based preparedness. Many different causes produce the same harmful consequences; planning from impacts and mapping their cascades produces capabilities that are broadly applicable and more resilient. Scenarios should be used to test and refine those capabilities, not to define them.

"Plan on impacts. Test on scenarios. Impacts build resilience, scenarios prove it."