Monthly newsletter Weekly news roundup Breaking news notification    

The loneliness of the business continuity manager

Get free weekly news by e-mailBy Amanda Chapman, MBCI.

We’re all employed in companies that trust us and are fully behind the current business continuity efforts we are making, right? If only this was the case – unfortunately in the vast majority of organisations it’s not like that. Many business continuity professionals feel isolated in their roles and it’s now time for that to change. It’s time for us to start pointing out where things are failing and what can be done better. We shouldn’t moan for no reason but we need to start telling the truth so that we can find out where we really are, rather than where we are pretending to be. From the past five years of talking to business continuity professionals, I can confirm that almost all of us will have to struggle to get past layers of incompetence, indifference or downright negligence to get anything done and we always end up upsetting someone.

This also means that we have to surpass this incompetence, indifference or negligence to be able to do our work properly. Naming no names, I’ve heard of managers lying to the board to assure them that business continuity planning is moving into the maintenance phase when plans haven’t been written; departmental managers who ask temps to write the plans for them; IT staff who decide what their customers’ business continuity requirements are; and BIAs being developed by people who don’t know what a BIA is. We’ve all known of people who’ve hidden findings to protect their career; who we’ve then had to pretend to respect afterwards.

Given that (I would hope) the reason we do this job is not only to line our own pockets but to help the organisations that we work for, at some point someone needs to start telling the truth about what is really happening out there, so that as professionals we can retain some sense of integrity and as an industry we can continue reaping the rewards of our efforts.

BS 25799 and BS 25999 will go a long way towards enabling our clients to get their houses in order, but without a continued effort to train employees in why business continuity will help them, we will get nowhere. Business continuity can’t continue being a once a year pain in the proverbial, we need to publicise, prioritise and polemicise. The increasing international attention focused on business continuity is of course to be welcomed, but in order to merit the attention, business continuity professionals need to start telling their clients what it actually means for them.

Too many organisations are reading the documentation, shrugging their shoulders and hoping that business continuity will go away. Too many consultants have been shrugging their shoulders at inadequate plans to ensure that their bills get paid. We’ve allowed too many senior management teams to continue with the view that they are in a secure position BC-wise so that a confrontation is avoided and our contracts extended. Sooner or later, as a group of professionals, we need to realise that tolerating this level of artifice has to stop. This isn’t being written to bring the industry into disrepute, rather to help us get our house in order. We all know what’s wrong out there; we need to start talking about it so that we can share our experiences and ways in which we resolved problems.

BIAs
Recently someone made an attempt to create controversy when they suggested that we didn’t need BIAs anymore. To a stressed management team this would seem like a great opportunity to save some consultancy money. To a risk manager this would seem like a courting potential inaccurate information and reporting. To a business continuity consultant it sounds like what it is – a publicity attempt. How would we know what we are trying to protect when we write a plan? Perhaps there are too many words in the title – why don’t we call it a ‘risk report’? Fancy not writing one of those? Rather than courting controversy – why don’t we start by attempting to help one another out?

The irony of BIA development is that our clients often think they know what they need to put into one before they have written it – and in some cases this can hinder true intellectual investigation of what needs to be protected, because identifying different requirements can be seen as controversial. Business continuity consultants can use BIA development as a way of increasing their understanding of an organisation. Internal BIAs can be used as a method of checking that you’ve got your priorities right. To achieve the best results for all involved it’s hard to argue with figures that have been achieved in an agreed fashion, whatever the politics in the companies we work for. The business continuity manager or consultant needs to be aware of this – and attempt to ensure that they steer well clear of the politics by impartially reporting what’s been found. One of the continuing problems consultants find is that those departments seen to have a more minor risk according to the BIA need to be treated very carefully. Lower risk doesn’t mean no risk.

It’s well known that BIAs also identify those sections of a company that aren’t as risk-important, by omission. A business continuity manager’s lot is to attempt to explain the benefits of this to staff whose feelings are instinctively hurt – being told you aren’t important does hurt, whatever level of seniority you are. It’s easy to emphasise the benefit of being able to leave the burning building behind you and go home whilst still being paid, but as a group we need to look into the best way of imparting news of their status to people so that we don’t upset them and still keep them on the side of BCM. If we lose them at this stage our plans won’t be accurate and we may well lose potentially valuable planning resources as well.

There are so many different BIA templates and risk assessment documents floating around that there are frequent discussions about what its actual aim is and staff can become quite attached to their own BIA templates and introducing a new one can cause issues with existing business continuity staff. At some time, we need to clarify this so that our clients understand what it is that we are asking for and BS 25999 can help us with this.

BCM staffing
As a consultant, you often get what you see in business continuity management. Some staff are beyond the point of caring, some see BCM as something to be endured, some don’t know anything and don’t want to know, some hate you by sight (they could write the plans without you) and some, if you are really lucky, have a vague interest in it but don’t have the time to devote to it. Sometimes, you’ll get all of these personality traits within the business continuity team. The worst and most dangerous character in the BCM world is the know-it-all. These people are to be avoided at all cost. They’ll have the bosses enthralled with their techno-babble (‘meta-data’ anyone?), a controlling influence on the direction of the department and quite often no real knowledge of business continuity management. There are only a few ways to deal with this. One is to quietly offer to teach them about BCM, another to ignore them and another to undertake a relentless campaign to exclude them from all business continuity meetings. This rarely works. It isn’t made any easier by the fact that at the end of the first round of BCM work you’ll no doubt know more about the organisation than they do and they will surely become aware of it. At this stage be very wary, they may do everything that they can to make your position untenable as you present such a threat to them!

Seriously, you’ll often have to deal with people who haven’t got any time to help you because your organisation doesn’t have the capacity to deal with much additional workload. You’ll be perceived as a nuisance, trouble maker, on the make, being a member of security staff and often as someone to be treated with care. Often people will think you can see things you can’t and have an all seeing eye. Understanding your customer’s motivation is key in being able to produce a good plan. Despite this, as business continuity professionals our duty is to make their lives as easy as possible without neglecting the aim of BCM – to get and be able to use a decent plan. Don’t think the staff are weird, it’s more likely that we are – would you like an outsider sniffing around your work to see how important it is? Would it make you feel comfortable (probably not). We need to start recognising and dealing with that fact – we aren’t all from the army and nor are our clients, we can’t just go in there and expect instant compliance with our requests, we need to be more understanding and open as a profession to the impact we have on the people we work with. Getting staff on your side is only the start of it – sooner or later you’ll have to produce a business continuity plan.

The business continuity plan
The aim of business continuity management is to produce a plan that we or our clients can use confidently in an incident and that is easy to understand throughout the organisation. You may well have found that the key processes that need protection (identified in your BIA) were different from those your management team expected to see. You’ll have had to explain to them how your figures were calculated and who approved the calculation methods. Once you’ve jumped through that hoop you’ll have to plan and in some cases your plan may involve even more money being spent. Many organisations will only think your plan is good if it involves spending as little money as possible. A successful business continuity plan is easily implemented and doesn’t involve your clients being spendthrift when they invoke it.

Most people you’ve engaged with (see above) will regard your documented output as a nuisance. If you then tell them they will need to spend more money, they’re going to like the results even less. At some point we need to start presenting the benefits of business continuity management better and in particular the benefits of implementing adequate BCPs. In the UK the FSA expects adequate business continuity plans to exist in companies that fall under its remit, but doesn’t really check them. There are plenty of organisations that trade shares but don’t really fall into their remit. Many business continuity professionals walk around with the sure and certain knowledge that some of the biggest organisations globally would have no real idea how to react to an incident defined as a crisis and yet we aren’t in a position to cause a song and dance about it because if we do we are often made redundant.

Redundancy
The ultimate business continuity plan receiver’s revenge. Within disaster recovery and business continuity there are myriad stories of staff being made redundant because they shone the torch into some dark corners. Job insecurity is the main downside of BCM if you can cope with the politics. A BCM project shouldn’t be undertaken lightly and the potential downsides should be discussed openly when it’s initiated – there is no point in painting sweetness and light whilst preparing to plan for darkness. We have to start opening up to the fact that the job can reveal nasty truths, carefully protected vested interests and fiefdoms within the organisations we work for. It’s better to mention this before we know what they are. If we tell our clients and employees this before we start, they (and we) are less likely to have a nasty surprise when they get the results of our investigations. Many is the organisation that is completing a business continuity project – and has been for the past ten years, because as soon as a nasty fact is uncovered the investigator is made redundant.

Ultimately, although we will always upset someone, there are ways we can make the upset smaller, protect ourselves and get the planning done. Business continuity planning work is not for someone who is worried about their job, status or promotion prospects within a company. Redundancy sometimes does follow report production. BCM departments are often amongst the first to be cut by people who were told they weren’t important. If you are contemplating initiating a BCM program for someone it’ll make your life a lot easier if you tell them the truth at the start. It could make the difference between business continuity and corporate or personal disaster. It’s easy to be flippant about BCM, but it isn’t an easy job, it’s potentially political, pressurised and highly visible throughout organisations. You can inadvertently tread on people’s toes, shatter lies, discredit internal management practises and make enemies inadvertently. You will always upset someone. The sooner we start accepting this and talking about how we minimise the upset to our clients as an industry the sooner we will begin to be accepted.

Amanda Chapman is a business continuity management and project management contractor. She is an MBCI and Prince 2 Practitioner, with a BCP background in the city, utilities and the BBC.

Make a comment

Date: 2nd Nov 2007• Region: UK/World •Type: Article •Topic: BC general
Rate this article or make a comment - click here




Copyright 2008 Portal Publishing LtdPrivacy policyContact usSite mapNavigation help