
Implementing a business continuity culture

IT is the logical home of business continuity, but how can IT departments foster a culture in their organisations where every executive and department takes business continuity to heart?

By John Robinson

Culture is about people, how they behave, interact and perceive things; it is, as one savant put it, ‘the way we are’. In a stable organisation, happy with its position, this is fine and the cultural spin-offs may be highly beneficial, with everyone facing in more-or-less the direction the business leaders would like. However, where change is needed, culture needs to be managed carefully, since, like a 20-ton truck, it has both inertia and momentum; it is slow to get moving and once rolling, takes great skill to steer or brake.

Continuity or risk culture can therefore be regarded as a function of the workforce’s combined perceptions and behaviours in the face of the company’s actual risk profile. The culture will be unique, reflecting the people, circumstances and history of the organisation. So it makes good sense for any initiative to take this carefully into account if changes made in the name of business continuity are to ‘stick’ and become a part of the corporate culture.

A relatively small number of large organisations have achieved this with great success, permeating their workforce with the knowledge, awareness and authority to manage risk and continuity effectively. Many more have dipped a toe in the water and achieved partial or temporary success.

This article draws on the author’s experience to briefly examine some of the techniques organisations have used to bridge the risk culture gap.

In many organisations, the information technology department is the logical home of business continuity. The reasons for this are only partly historical, but are becoming increasingly compelling. Business rationalises processes into applications, automating decisions that a few years ago might have been taken entirely by people. Each decision carries a risk with it and as a consequence (although the business still ‘owns’ the decision) IT now carries significant and growing risk responsibility.

However, IT doesn’t control all business and operational risks, and many behaviours outside of IT directly and indirectly affect it. So, once it has accepted the continuity mantle, IT has the uphill task of trying to ‘grow’ a company-wide risk culture to minimise disruption and maximise the organisation’s chances of survival. The problems faced by IT execs in achieving this (and the reasons why other departments are so reluctant to take it on) include:

• A lack of executive authority from above and outside IT; this means they cannot reliably enforce ideas, methods etc, other than within their normal sphere of control. The cause may then become political, wasting effort, delaying and obstructing progress. However, they can’t realistically ‘go it alone’ since without business input, IT continuity measures become diluted, relying on educated guesses of tolerances and requirements.

• Organisations propagate sub-cultures and, despite the efforts of management, differences and gaps in opinion and behaviour inevitably occur. The finance department is naturally risk-averse in what it does, just as the sales department will be populated by natural risk-takers; any continuity initiative needs to balance these mindsets and the behaviours that are likely to stem from them. Members of either group are capable of introducing a virus, starting a fire or letting slip confidential information, yet we would not wish to dilute the benefits accruing to either group from these traits. Achieving cultural consistency requires an understanding and careful manipulation of these differences.

• Budget is difficult to justify on a solely IT basis, since the risks being managed are generally poorly quantified, relying on individuals’ abilities to convince the board in vague qualitative terms.

• Continuity is as much about people as it is technology, and IT often (and quite reasonably) doesn’t have the right skills on hand to do the job. At one end of the scale, responsibility may be handed to an evangelist who beats an irritating drum in the face of every exec, presenting continuity as a business-critical ‘must-have’; at the other, a junior member of the team may find themselves ill-equipped to interview senior execs with authority. In the face of this, business people frequently find it hard to digest the value of continuity and fail to take the ‘whole business welfare’ stance. Consequently, they sideline or reject it and urgent continuity matters sink to the bottom of the in-box.

• IT speaks its own language, necessarily and comfortably using acronyms, techno-speak and jargon to describe what it does. This has the effect of causing some ‘pure’ business people to simply ‘switch off’. For them, once continuity is aligned with IT, it becomes an IT-only issue and frequently they use this as an excuse to abdicate responsibility. Continuity has its own jargon too and also needs explaining in terms people understand; compound this with IT-speak and you may as well be selling your ideas in Swahili. However, if you don’t speak these languages, you can’t deliver continuity effectively.

• Time is a scarce resource, yet continuity is a long-term, full-time job, especially in large or fast-moving organisations, so making it the part-time responsibility of an IT staff member reduces its profile and its chances of success. New hires don’t know the business; old hands don’t know continuity; Catch-22. Continuity projects have a profile characterised by a high-intensity start followed by a long maintenance tail, again requiring a particular blend of skills. The chance of releasing or finding the right people with the right skills is slim and one reason why many firms employ consultants to complement existing skills.

• There is little incentive for people to become involved in continuity, yet as explained above, to change a culture you must engage the workforce. Continuity is invisible to most people, since they are not involved in tests or rehearsals, making it hard for them to succeed or see value. This implies a need for wider training and interaction so that staff are equipped to understand what is being asked. It suggests a ‘carrot and stick’ system that rewards people for participating in something they often don’t want to do when they don’t have time to spare.

• It takes time to achieve lasting change; the beneficial effects of a six-month project will last perhaps two to five years. Beyond that the people change, they forget, the profile drops and the continuity measures lose their value. Add to this the fact that the drivers are sporadic; continuity is a fashion item driven by event enthusiasm, and a major systems failure will remain in the foreground of people’s thinking for only a short time. Unfortunately, sticking-plaster reactive continuity measures have a greater chance of rejection than designed-in measures, yet reactive measures are the ones most likely to be applied following such a failure.

That was the bad news. The good news is that all of these points can be addressed and fixed by adopting a sensible approach. The fact is that in isolation, IT cannot hope to provide for the continuity of the organisation. Without near-constant interaction it may be oblivious of planned changes, industry events, business cycles, revenue trends, tolerances, priorities and timeframes for resumption. Continuity plans written in this state of ‘near-darkness’ risk being vague and, at worst, blatantly inappropriate for the business units they are meant to support. They create a dangerous and false sense of security.

An integrated approach is needed if we are to square the circle drawn by these obstacles and there are different degrees and different ways of achieving this. These include:

• Limiting interaction to top-level dialogue between business and IT executives. This aligns expectations and allows each department to get on with its own continuity plans and provisions, minimising political interference. But taken in isolation this approach is wasteful and prone to assumption and optimism.

• Treating IT as a pure service-provider, simplifying the continuity interface it offers to the business to the point where business users’ dialogue with IT is in terms of application service delivery to desktops against a timeline. This is a highly effective approach, simplifying dialogue and increasing acceptance. However, unless formalised, it can result in service provider and consumer each assuming the other has responsibility for recovery of the key IT asset: information.

• Increasing the level of interaction by appointing IT liaison officers for each business unit, each charged with aligning business operational requirements with IT continuity provision. This has the beneficial effect of containing IT-related detail and providing a ‘friendly’ interface to the business.

There are many other degrees of integration possible and in most cases a blend of those listed here is appropriate, generally requiring specialised profiling expertise.

“How can IT continuity build credibility within the organisation and gain the necessary business credentials to make continuity work?”
IT is already recognised in most organisations as the credible provider of continuity services, but is not always seen as the owner of the business continuity issue as a whole. In many senses, this is an acceptable condition, neatly sidestepping many of the pitfalls described earlier in the article, provided an active and fully bought-in board-level business sponsor is appointed. With this in place, IT can obtain the mandate to extend resilient practice throughout the business, conferring risk ownership on departments instead of absorbing ever-more business risk itself.

The Five-E formula developed by my company, JRCPL, offers solutions for IT execs who want to extend the resilient culture outside of IT. They are:

• Educate. Start at board-level, explaining how the benefits are accrued by the various stakeholders in the business. These include customers, employees, suppliers, regulators as well as shareholders. Extend this to the management team, then key staff and then all staff.

• Evaluate. Maintain an accurate, quantitative business impact analysis (BIA) that clearly sets out what is at stake in dollar terms. Use this to justify all expenditure and prioritise all continuity activities.

• Empower. Get buy-in and keep it. Ask the board to appoint a permanent sponsor who is required to report formally on continuity status at least every quarter.

• Enforce. Formulate a continuity policy backed by a relevant standard. Section 11 (Business continuity management) of ISO/IEC 17799 is a good starting point. Position continuity in terms that reflect the business’ actual stance; generally, this is along the lines of ‘continuity is not a core business goal per se, but is a necessary pre-requisite to achieving our business goals’.

• Engage. Find ways to interact positively with the workforce so continuity becomes a familiar and second-nature part of their everyday responsibilities. These include:
- Allow the business to influence IT recovery timeframes by completing a quantitative business impact analysis.
- Identify an IT-literate business continuity champion and empower that person as an internal auditor.
- Hire an expert to inject fresh ideas and impetus.
- Generate PR internally whenever a continuity event occurs.
- Set up intranet pages and update them regularly with information and interesting material.
- Allow the business to be wrong. Every business head believes their area to be ‘critical’.
- Eliminate IT-speak outside of the IT department. Concentrate on prioritising the services that IT provides, not how it provides them; requirements, not solutions.
- Make participation an enjoyable, instructive and rewarding experience. Highlight success so people want to be associated with continuity.
- Make continuity considerations an integrated part of every new project both in and outside IT.

So, should IT be the home of an organisation’s continuity culture? For all practical and operational purposes, the answer seems to be a resounding yes; however, where people, politics and culture are concerned, it may be less painful and distracting to employ a different tactic. This involves drawing the business together at the highest level and allowing it to hear what IT has to say and offer from a culturally strong but politically neutral standpoint.

Aside from this, it seems reasonable to expect IT to remain the main provider of continuity in most organisations, with risk responsibility growing alongside business volumes and technology advancement. Managing acceptance of such risks is a serious business, extending immediately into legal territory with issues of governance affecting the company as a whole. IT executives therefore need to adopt their position with care, ensuring that IT and upstream continuity provisions remain aligned with the actual business risks.

John R Robinson FBCI MSc is managing director of business continuity consultants JR Consulting Partners Ltd (www.jrcpl.com). Contact John at info@jrcpl.com.

Copyright © August 2003 JR Consulting Partners Ltd All rights reserved.


Date: 29th August 2003 •Region: UK/Worldwide •Type: Article •Topic: BC general