Andrew
McCrackan continues our article series by highlighting the ethical
dilemma faced by planners when budgets are not enough to mitigate
all critical risks.
Many companies that find the funds to initiate comprehensive business
continuity management programmes can’t find the funds to finish
them in the same way. Conducting risk assessments and BIAs is one
thing, but deciding on a strategy that doesn’t break the bank
is quite another.
Many companies go through extensive business analysis for the purpose
of business continuity only to find that their requirements far
outweigh their budget. This is usually when requirements are ‘tempered’
by executive management. This is a nice way of saying they take
to your critical business process list with an axe. The results
can be less than ideal.
So how does this happen? One would assume that you have determined
some baseline, semi-quantitative criteria by which those inputting
into the BIA process can gauge what is critical and what is not.
It’s more than likely that you have, but the catch is that
only one of the assessment areas is financial. Other impact areas
such as reputation, health and safety, regulation, operational and
so on can be partly quantified in financial terms but there are
other aspects which I would hope cannot be assessed in this way.
Therefore, what happens when a list of critical processes and associated
continuity strategies are delivered out of the BIA process and cannot
be justified to the business in financial terms?
This creates somewhat of an ethical dilemma. Say we are dealing
with a process that, if stopped, could have an unacceptable safety
impact on staff. The cost of ensuring zero downtime for this process
could be prohibitive for the business, which gives rise to a possibly
equally tangible unacceptable financial impact to the business.
This is somewhat of a conundrum. How can we deal with this?
The only ethically correct answer is one that may not be very popular.
Safety is paramount, so the required continuity capabilities must
be put in place, whatever the cost. This is simply a cost of doing
business in a modern (and civilised) world and has to be accounted
for in goods and service prices to the organisation’s customers.
If the market will not bear these costs then the business is simply
not viable as an ethical, going concern. Some will argue that if
the business fails then people will be out of work, which clearly
impacts them significantly; possibly not as significantly, however,
as being injured, or otherwise unavailable!
It’s very common to see results of BIAs presented to executive
management only to come back somewhat less complicated than they
were delivered. Unfortunately this practice is fraught with danger,
not only in the health and safety sense. I was recently asked to
manage a BIA for an organisation that had just completed a two-year
initiative involving full business continuity management implementation,
right down to a technical disaster recovery facility with a price
tag in the low millions. Unfortunately the resulting solution when
tested didn’t work due to fundamental process and technical
dependency issues. Management had modified the initial BIA results
to give what they described as a ‘pragmatic balance between
contingency capabilities and expenditure.’ Two years on they
were starting the process again. The solution price tag would be
higher this time, but not as high as the price of having to go through
the process twice. Factoring for the risk exposure to the organisation
over the two-year period for which they had very limited capabilities,
the result of going cheap on business continuity could have been
devastating.
The message is simple: to be able to implement business continuity
management capabilities on a budget will always involve a level
of compromise against the requirements as determined by staff. Going
against financially driven critical processes can rarely be justified
in pure financial terms, so the compromises will mostly fall in
other impact areas such as health and safety, where the organisation
may have a slightly larger risk appetite. It should be noted that
most would perceive an event that has significant health and safety
impact extremely unlikely and therefore acceptable to take some
level of risk position on. It is not a flagrant disregard for safety
but a belief that such an event is so unlikely that a reasonable
person would not expect such a scenario to be addressed. In the
year 2004 this is no longer a plausible argument.
Andrew McCrackan is the founder of Continuity Assurance International
and author of a Practical Guide to Business Continuity Assurance,
Artech House, Boston, 2004.
andrew.mccrackan@continuityassurance.com
http://www.continuityassurance.com
Business
continuity on a limited budget: Part one
MAKE A COMMENT
I found myself a trifle concerned about the
suggestion in Mr. McCrackan's article regarding the notion that contingency
planners face a moral dilemma when their client/employer takes an
axe to the list of critical processes. On one level, it is true
that planners owe their clients/employers balanced assessments of
risk exposure, gaps between recovery requirements and capabilities,
and the like, but the moral dilemma is truly and completely laid
at the feet of the executive staff. They are the ones for whom that
bell will toll, should "bad things" happen.
Yes, enterprise leadership is certainly within their authority
to weigh the risks and decide to limit mitigation costs: that is
the core of risk management. But if the "bad thing" happens
afterwards, the perfect science of hindsight will be harshly brought
to bear by the stockholders, the board of directors, and the stakeholders
(employees, vendors and customers/clients).
So, if a contingency planner is still feeling some pang of conscience
because their management drastically underfunded the BC/DR budget,
so be it. There are positions open everywhere at firms more apt
to support a suitable program. Otherwise, they wouldn't be looking
for the help.
Gregg Jacobsen, CBCP, President, Association of Contingency
Planners, Los Angeles Chapter
Author’s response:
In principle I agree with Gregg’s comments, that
'the moral dilemma is ... laid at the feet of the executive
staff' and not the BCP practitioner. The responsibility falling
to the planner may have been emphasised a little too heavily in
the introduction to the article, which refers to 'the ethical dilemma
faced by planners' which was not part of the original drafting and
may have set the scene, not entirely incorrectly, but perhaps a
little off centre.
The intended tone of the article was really focused on the ethical
dilemma of the organisation, in generic terms. Where I imply the
role of the planner, I am really considering this as a function
of the organisation, rather than a specific individual, if that
makes sense.
All that said, you have raised an interesting point about the ethical
responsibilities of the individual BCP professional. Most professions
operate on an ethical code of conduct and I can’t see any
reason why BCP should be any different. In the medical profession,
there are certain procedures for certain types of people that no
respectable doctor would perform, no matter what their client wanted
and how much they were willing to pay. This should be no different
with BCP. My experience has demonstrated that there are ethical
issues in this field of BCP, and sometimes individual consultants
have done the wrong thing. This is particularly prevalent in audit
and review work, which may seem trivial but often encourages executive
management down a particular decision path. I suppose that if advice
given by consultants did not carry a level of professional and ethical
responsibility, our indemnity insurance wouldn't be quite so high!
Thanks again for your comments. I realise that some of these issues
can be controversial and that there will be those with different
opinions and those that flatly disagree with mine. I hope though
that this all serves to be useful in terms of raising awareness,
sharing ideas and furthering discussion in this ever-evolving field.

•Date: 26th November 2004 •Region: World •Type: Article •Topic: BC general
UPDATED 3RD DECEMBER 2004