WHEN THINGS GO WRONG: WHAT BUSINESS CONTINUITY PLANNING ACTUALLY REQUIRES


Most organizations don't discover gaps in their business continuity planning during a calm review on a quiet Tuesday afternoon. 

They find them when a system won't come back online, when a vendor goes dark without warning, or when the person who knows how something works is suddenly unavailable. And the plan that was supposed to help turns out to be outdated, too complex to execute under pressure, or written for a version of the organization that no longer exists. 

After more than 30 years working in business continuity and disaster recovery, Scott Wilson has seen this scenario play out many times. He joined 2Oaks Consulting to bring that experience to financial services organizations across Canada that are serious about building resilience that actually holds when it's needed. 

 

TL;DR: Key Takeaways


  • Most continuity programs fail not from lack of planning, but from failure to maintain and test plans over time. 

  • The most damaging disruptions are often mundane rather than catastrophic. 

  • Good continuity planning focuses on what the organization genuinely cannot afford to lose, not on cataloguing every possible disaster. 

  • Recovery strategies only work if real people can execute them under real stress. 

  • Organizations that treat continuity as an ongoing capability outperform those that treat it as a one-time project. 

 

The Problem with How Most Organizations Think About Continuity 


Most continuity programs start from the wrong place. 

They're built around fear and "what if" scenarios. They catalogue worst-case disasters, imagine everything failing at once, and construct elaborate response plans that look thorough on paper. 

That framing has two practical problems. First, it's exhausting, which means people avoid engaging with it seriously. Second, it leads organizations to plan for dramatic scenarios that may never happen while underinvesting in the everyday disruptions that actually do. 

A more useful starting point is a simpler question: what does this organization need in order to keep functioning when something goes sideways? Maybe not perfectly or without friction, but well enough to keep serving customers, protecting revenue, and maintaining the trust that takes years to build and very little time to damage. 

The ITIC 2024 Hourly Cost of Downtime Survey found that 90% of mid-sized and large enterprises lose upwards of $300,000 for every hour of downtime. That number makes the case for continuity planning. What it doesn't capture is how often organizations have a plan on paper but lack an actual capability. That gap is where Scott's work begins.

 

What Good Continuity Planning Actually Involves 


Effective continuity work isn't complicated in concept, but it does require a willingness to look at the business honestly rather than optimistically. Most organizations already know, at some level, where their vulnerabilities are. The work is in actually doing something about them. 

Identifying what genuinely matters. Not every process is mission-critical, but without a clear framework, everything starts to feel urgent. Good continuity planning realistically separates the functions that truly keep the business running from the ones that are important but recoverable. That clarity alone tends to make the whole exercise feel more manageable.  

Mapping dependencies with open eyes. Most operational risk lives in dependencies that go quietly unexamined: the vendor that handles one critical function, the employee who holds knowledge no one else has documented. Surfacing those dependencies can be uncomfortable, but it's also where the real exposure tends to hide. The 2Oaks article on mastering business process mapping explores how organizations can systematically document these relationships before an incident forces the question. 

Building recovery strategies people can actually follow. A recovery plan that requires heroic effort or specialized knowledge to execute is more likely to fail under pressure. A useful test: could a capable but stressed team member follow these steps on a bad day, without being able to reach the people who wrote them? If the answer is no, the plan needs work. 

Testing in ways that teach something. Running through scenarios where everyone already knows the answers doesn't build real capability. The point of testing is to find the gaps before an actual incident does, and to build enough familiarity with the plan that people can act on it without hesitation when the situation is real. 

Treating continuity as an ongoing practice, not a one-time project. Organizations change constantly. Vendors change, systems change, teams change. A continuity program that isn't regularly revisited drifts out of alignment with reality, often without anyone noticing until it matters. This is the same principle that applies after any major system implementation: the work that happens after go-live determines whether an investment delivers lasting value. The 2Oaks article Beyond the Go Live covers this dynamic in the context of software implementations, and the lesson applies equally to continuity programs. 

Scott describes the pattern he's encountered repeatedly in his work. Organizations invest in business continuity tools or write thorough plans, then consultants leave and the plan sits on the shelf with no one actively managing it.

"We put together strict processes around managing the business continuity within the organization," he notes, "which they weren't doing. They'd get consultants in, write the plan, consulting leaves, the plan sits on the shelf, no one manages it."

That kind of program builds false confidence. The documentation exists. The capability doesn't. 

Scott is direct about which of these five tends to be the biggest stumbling block in practice:

"Ongoing practice. That's always been the biggest thing, and that's always why we get called in. People drop the ball on this sort of stuff."

The second most common failure point, in his experience, is following the recovery strategy when an incident actually occurs. Someone steps up and starts directing people differently, and confusion sets in quickly. 

Ready to take an honest look at where your continuity program stands? Contact 2Oaks to start the conversation. 

 

What Separates Organizations That Handle This Well 


Organizations that have genuinely worked through their continuity planning tend to share a few traits. 

 

Scott describes the clearest signal he looks for when walking into an organization that handles disruption well: business continuity is properly managed by a risk team with executive sponsorship, and disaster recovery is properly handled by the technology groups, with clear communication and collaboration between the two. 

 

"When you don't see that," he explains, "when it's managed through an IT organization, a lot of the time they don't truly understand the business requirements. And vice versa, when it's managed purely by a risk group and auditors, they know what causes them problems, but they don't understand the requirements around what is actually needed in order to achieve the level of resiliency they're looking for." 

 

The organizations that handle disruption well have had honest conversations about where they're actually vulnerable. They've tested their assumptions before an incident forced them to. And they've made resilience a shared responsibility rather than something that lives in one person's job description. 

That shared ownership is also what separates organizations that sustain their continuity programs from those that let them lapse. The 2Oaks Business Operations Excellence service works with organizations to embed exactly this kind of ongoing operational discipline as a capability that becomes part of how the business runs rather than just a one-time engagement.  

As stated above, the result isn't perfection. What you gain is the ability to stay composed when disruption occurs, make clear decisions under pressure, and keep the business moving.

Resilience is a practice. What matters most isn't the plan sitting in the drawer, but the thinking, testing, and honest self-assessment that went into building it. If your organization is wrestling with how to keep continuity documentation current as the business evolves, the 2Oaks article on the problems nobody wants to solve is worth reading for context on how that challenge is changing.

That's the work the 2Oaks Business Resiliency practice is built around. If your organization is taking a fresh look at its continuity planning, or finding that existing plans haven't kept pace with how the business has changed, we're happy to start that conversation.

 

About Scott

Scott Wilson leads the Business Resiliency practice at 2Oaks Consulting. He brings more than 30 years of experience in business continuity and disaster recovery across financial services, insurance, and public services organizations. To discuss your organization's continuity program, reach out. 
