| Unravelling business continuity terminology There is a great deal of confusion when it comes to business continuity terminology. Continuity jargon seems to perplex business managers and practitioners alike. As in many cases, where business continuity is concerned, communication is the key. Poor communication can itself lead to continuity related issues. No less threatening is the case of miscommunication of business continuity principles. Indeed, the ensuing confusion can undermine the most carefully constructed business continuity programme. How does this confusion arise? The answer lies in the origins of the discipline and requires a brief history lesson to explain. Business continuity did not originate in one place, which gives some hint of the root cause of the problem. The discipline as it exists today is the result of both the evolution and convergence of a number of previously discrete functions. The essential contributing facets of modern business continuity management are emergency management, IT disaster recovery (ITDR) and operational risk management. While less IT intensive and more labour centric organisations focused on emergency management, institutions dependent on technology such as those in the finance and telecommunications sectors were beginning to suffer as a result of their dependency. Their reliance on technology combined with inherent reliability issues and high rates of change resulted in escalating systems outages that these businesses were beginning to feel the effects of. This resulted in general developments in the area of availability and recovery management. Initially focused on recovery, organisations devised procedures that could be followed to restore business critical systems following an unscheduled outage. These procedures took the form of disaster recovery plans (DRPs). Later combined with IT threat and risk assessment this formed the core of what was to become the discipline of IT security, for a time. Following some experience of using these principles in anger, organisations soon realised that recovering IT systems was of little use unless you also had staff to operate them. This was the beginning of the concept of work area recovery and what was soon to be called business continuity planning (BCP). As the name implies this is to people and underlying business processes what the disaster recovery plan was to the IT system. The business continuity plan did not replace the disaster recovery plan but was executed in parallel, as was the organisation’s emergency management plan (EMP). While the emergency management plan dealt with stabilising the organisation following a usually physical event, the next plan jumped straight into business recovery. There seemed to be a key step missing in this process, being the very crucial process for decision-making, communication and general coordination. Essentially deciding which plans to invoke at what time and in what circumstances; modern day crisis management was borne. This introduced the crisis management plan (CMP) into the mix. The crisis management plan was soon expanded in charter to include the transition from incident to crisis, as it was soon realised that serious events were not always physical in nature and hence the emergency management plan was not always relevant. We therefore arrive at a point where we have an EMP, CMP, BCP and DRP. I almost forgot the plan that involves switching back to business-as-usual following recovery, otherwise known as a business resumption plan or BRP. So that’s five different sets of plans so far, all of which represent a response phase following some type of continuity impacting event. Of course the holistic process that outputs all of these plans, and associated capabilities, is termed business continuity management (BCM). Most people have no idea of the relative sequencing of these plans and therefore use the terms interchangeably. Typically people don’t want five plans for one end-to-end process so they consolidate into one all singing and all dancing plan which unfortunately is labelled with one of these acronyms, even though the consolidated document may represent all of these phases of resumption. Herein lies the root cause of the confusion around business continuity terminology. It is worth noting the difference between what most people refer to as business continuity planning and business continuity management. BCP is a historic term relating to the fact that business continuity functions produce plans; lots of them as we have seen. Someone that does this is, not illogically, called a business continuity planner. This may seem sensible but it emphasises, inaccurately, the reactionary nature of business continuity. The modern approach is as much proactive as it is reactive, and hence the term business continuity management is more appropriate. It is this transition that has caused the much discussed ‘overlap’ with operational risk management. Which I think takes us nicely through to present day. This may seem like a semantic discussion but I believe that it is imperative that business continuity professionals use consistent terminology to avoid confusing people, and avoid convoluted terms appearing in reports, such as ‘BCP/DR planning’ and the like. Apart from anything else it’s unprofessional to not know exactly what to call such an important function. It demonstrates a lack of understanding of business continuity in general. My other favourite is the use of tautologies such as ‘Crisis Management and BCM.’ These are often deliberate and are a result of the business continuity manager trying to explain the function in terms that business managers may understand. The problem compounds when you have someone joining your organisation that is used to a BCP function whereas you have a BCM function. It would be much simpler if we all understood the terminology and used the right terms in the right context. Andrew McCrackan is the head of business continuity for a private banking group. He is a Fellow of the Business Continuity Institute and the author of a Practical Guide to Business Continuity Assurance, Artech House, Boston, 2004.
Mr. McCrackan's article parallels my observations of the business continuity profession, although the confusion about the terminology has a source: the IT services industry. While the roots of BC planning reach back to mainframe DR, the practice of proactively managing risk by planning how to restore critical operations after an unplanned interruption have little to do with IT, except where the enterprise is in the IT services industry. But that industry has hijacked the term ‘business continuity’ as a euphemism for DR, which is what they know. In the US, roughly 90 percent of BC programs are managed out of the IT department. The notion that BC is a risk management (business) discipline, rather than a technical discipline, is lost on most companies. As a result, I am advocating surrender of "business continuity" to the IT folks, and adopting "contingency planning" as my professional practice. Gregg Jacobsen, CBCP grewjac@ix.netcom.com
•Date: 15th April 2005 •Region: UK/World •Type:
Article •Topic: BC general |
