|
 Zachary
Djimas responds to Continuity Central’s recent article which
asked “Are
we making business continuity too complex?”
I preside over a Business Continuity consulting
service for high-risk, high- volume, and highly diversified Global
2000 clients.
In response to your article, let me posit...
Twelve challenges to ‘mis-simplification’:
(1) Use simplicity to manage complexity
Ideally, the methodology of business continuity should always be
simple and
clear enough to be effective, otherwise it would bog down managers
in
managing the methodology, as opposed to getting the job done. This
does not mean, however, that there isn’t complexity in the
thing you manage: The unwitting may be daunted by not realising
that - like all project management - you never actually manage the
entire problem at once, but the discrete pieces in succession.
(2) The devil and his details
There is a real-world, big-dollar danger in downplaying the details
and
their dependencies as a universal axiom for business continuity
management.
I'm concerned that David Honour, the author of the article in question,
states that: “Business continuity risks going down the TQM
route: turning a relatively simple business process into an overly-complex
management discipline.”
The simplicity or complexity of what you manage is relative to the
simplicity or complexity of your organisation. The business continuity
management process is just a vessel for consommé or goulash:
the nature of your organisation dictates what fills it.
(3) Cakewalk to oblivion
If Continuity Central readers conclude that business continuity
management is just a cakewalk from the perspective of management
awareness, they might not ask
all the necessary questions and drill down to all the little details
that can become show-stoppers at the worst possible time. It's the
little details that say we care.
(4) Warning: objects in ideality appear easier than reality
How managers think of business continuity management is critical
at the start: If you over-simplify business continuity management,
you can tragically under fund awareness, research, deployment and
testing efforts, all of which are necessary ingredients for quality,
recoverability and risk mitigation, as per the six items listed
in the article.
(5) Reality is unforgiving
Contrary to the article, I think most senior managers need a more
realistic
understanding of the complexities within their own environments
- both from
the viewpoint of business processes and technology infrastructure.
Whatever you manage, you should always manage with facts and with
a thorough
situational awareness of your organisation, which can mean dealing
with
complexity, however detailed or difficult it may be.
Problems don't resolve themselves and reality doesn't care if you're
having
a bad day.
(6) Cheating yourself
Without decision-making and thorough planning grounded on facts
and
situational awareness you will not maximise the ROI (return on investment)
on your business continuity management initiatives.
You cannot shirk the heavy-lifting of thinking through your business
continuity management processes and expect to get your money's worth.
(7) Quality is not an afterthought
Quality must become integral to the design of your business continuity
management program, especially in a long-term maturity model that
incorporates business continuity management as part of business
as usual.
(8) Glossing over governance to live in interesting times
When you imply the business continuity management effort is just
a snap, some decision-makers might gloss over implementing otherwise
well-conceived business continuity policies and standards, realistic
guidelines, and fail to think through all the actual processes and
procedures that make sense within the context of their organisation.
(9) Most of the iceberg lies underwater
Nobody has the luxury to assign serious effort and manpower to something
unimportant or that merits little attention. But what happens when
their
perception is wrong? What happens when they point to an article
that says
there's no need to over analyse the gash on the side of the Titanic?
(10) Organisational domino theory
When the officers in the bridge don't see the iceberg coming, the
crew in
the engine room don't know to reverse power. Similarly, a culture
of
misperception at the top can trickle down to tactical managers making
bad
decisions about requirements and lead to systemic weaknesses with
horrible
results when orders come for contingency invocation.
(11) Do you feel lucky?
If, at the outset, you don't apply high standards of quality to
business continuity processes, maturity, methodology, and planning,
you risk misspending or misapplying whatever business continuity
management funding you have, ensuring tactically inadequate recoverability,
while lulled into a false sense of security.
I see these behaviours all the time in the industries I support
for business continuity.
Money is allocated and spent from a vacuum of planning, just to
keep
deliverables as simple as you have recommended in your article.
(12) Enterprise operational risk? what's that?
The bottom line: If you haven't done the arithmetic, you can't add
up the
risk.
Overly simplified plan documents, tests and quality reviews at the
business and technology level may appear enough to satisfy business
continuity management requirements. This leads business units to
create false assumptions for integrated recovery testing, clearly
owing to a lack of scope management and awareness.
These, in turn, contribute to the unreported systemic risks in recoverability,
because unwitting managers tend to treat business continuity management
as just another picnic in the park, trading expedience for granularity.
Finally, when David Honour asks:
“As new business continuity standards and guidelines continue
to appear
around the world are we risking over-complicating the subject?”
... The answer is NO.
We do not place business continuity management itself at risk by
giving it the relevance and importance it merits. It's not business
continuity management that's complicated: it's how the infrastructure
and lines of business behave within a diversified organisation.
Also, the "subject" of business continuity management
is not what's at risk: it's the organisation. That's why you need
business continuity management to mitigate risk. It's odd to ask
if the thing that manages risk is at risk.
Your publication needs to focus instead on real-world problems common
among
most firms, such as the lack of business continuity management governance,
internal standards, guidelines and policies that managers tend to
gloss over, precisely because they think business continuity is
just a picnic.
This is why so many firms find it difficult to manage and control
their planned and actual recoverability efforts, why they have little
ROIs to show for these efforts, and why they cannot gain control
of their operational risk or calculate loss values for enterprise
exposure.
Thank you for providing a forum for discussion and exchange of ideas.
Zachary Djimas, PMP, President, TruContinuity, Inc.
ADD
YOUR COMMENT
•Date:
5th October 2004 •Region: World •Type:
Article •Topic: BC
general
Rate this article or
make a comment - click
here
|
