Is much BCM activity focussed on simply satisfying audit requirements rather than on a real commitment to addressing threats?
By Andrew B. McCrackan
In today’s world of power crises, cyber hackers, terrorism
and increased climatic threat, there is a perception that businesses
and government are squarely focused on the implementation of business
continuity management capabilities. While this perception is correct
in reflecting the flurry of activity in this area that has ensued
in recent years, the drive from executive management seems largely
unrelated to addressing these very real threats to operation. Instead,
the focus of executive management seems to be to put a ‘tick’
in the proverbial business continuity box to satisfy audit requirements.
The majority of executive managers I speak with have, albeit privately,
what I term a laissez-faire approach to business continuity management.
Unbelievably, many are still of the opinion that it won’t
happen to them or if it does, their staff are skilled enough to
be able to invent an appropriate plan of action and execute it in
real time. I don’t believe that I am entirely alone when I
class this type of view as naive.
For such executives the drive for business continuity management
capabilities often comes as a consequence of the internal or external
audit program. Increased regulation, legislation and standardisation
in this area and on related subjects have become catalysts for change
in business and government alike. This, on the surface, looks quite
positive. However, such ‘rule setting’ is not always
the most efficient path to change. If rules are not supported by
cultural change and education then the outcome will often be reduced
to a ‘tick-a-box’ mentality.
Standards are rarely completely prescriptive, particularly in an
area such as business continuity, which is more a philosophic principle
than a set of processes and procedures. Business continuity principles
can be implemented in vastly different ways and to different extents,
depending on the organisation concerned; therefore standards are
not able to be entirely comprehensive. BCM touches every aspect
of the organisation and there are simply too many variables to be
considered. It follows then that standards are reduced to a set
of principles or guidelines that should be followed in the implementation
and operation of business continuity capabilities. This calls for
a significant amount of interpretation in application and hence
a significant amount of leeway when it comes to assessment.
BCM and related standards will typically include such requirements
as the development of a business continuity plan. It is not particularly
practical, however, for the standard to dictate the quality of the
business continuity plan in any quantifiable manner. This often
drives the response in the organisation of developing a document
that can be bound in a folder and placed on a shelf and labelled
‘Business Continuity Plan’. This will usually be placed
within pointing distance such that it can be easily identified to
auditors.
Business continuity management is a highly specialised field. The
implementation of BCM requires the expertise of an experienced practitioner.
In line with the emphasis placed on this subject by executives within
many organisations, business continuity projects are often conducted
utilising ‘spare’ resources within the organisation.
The fabled ‘special projects’ people are often seconded
for the task. The old adage of staff understanding their business
more than consultants may be offered here in justification. This
may be the case, but the information provided by staff needs to
be organised and set within a reference framework that is usable
in a business continuity management context. I travel to work in
my car every day and am very familiar with its operation, but don’t
ask me to re-design the engine to make it less prone to failure.
I would probably arrive at a design roughly equivalent in quality
to many of the business continuity plans that I review.
Not unlike many of those who are given the task of delivering business
continuity management to their organisation, those tasked
with the audit of business continuity arrangements are often also
suitably unfamiliar with the subject. An audit against a particular
standard will typically consist of an assessment against a checklist.
This checklist may consist of identifying a BCP or even a check
of the various phases that were followed in the development of the
BCP, such as a business impact assessment.
Only the experienced practitioner will be in a position to assess
the quality of the outputs of the business continuity management
process. If, perchance, an experienced business continuity practitioner
does conduct the review, he or she may be challenged on any findings
that cannot be completely justified in terms of the standard. Disagreements
about how the BIA was performed, for example, are easily rebutted
on the basis that the standard does not describe the activity to
this level of detail. Suffice to say that the glowing reports that
corporate and government stakeholders receive about their organisations
being ‘on track’ with business continuity initiatives
or being ‘fully prepared’ for disaster can often be
far from the reality. Unfortunately there would need to be a disaster
for this deception to be uncovered. Some executives are playing
a dangerous game in relying on this business continuity management
bluff not being called. Certainly in the case of terrorist acts,
we can only wish that they are correct.
It is my belief that what is needed is a more subjective certification
that is made by a suitably qualified business continuity practitioner.
Guidelines and standards are useful and have a prime place in achieving
advancement in this field; however, they should be interpreted and
followed by those with a thorough understanding of this complex
discipline. The Business Continuity Institute (BCI) and the Disaster
Recovery Institute International (DRII) are moving in this direction
with the creation of their respective training and certification
programs.
The development of more comprehensive business continuity management
methodologies and capability rating frameworks may overtake existing
standards in this field. Business continuity is currently moving
at a fast pace as regulators, watchdogs and stakeholder groups continue
to refine their thinking on this subject and come to a point of
equilibrium, balancing the BCM rule book with the ever-changing
type and likelihood of threats that exist today.
Andrew McCrackan is the founder of Continuity Assurance International and author of A Practical Guide to Business Continuity Assurance, Artech House, Boston, 2004. andrew.mccrackan@continuityassurance.com
Copyright 2004, Andrew B. McCrackan
Date: 16th November 2004. Region: N.America/World. Type: Article. Topic: BC general.