
The business continuity resistant organization

By Geary W. Sikich

What makes an organization resistant to embracing business continuity planning? This article will focus on the ‘business continuity resistant organization.’ I will provide an overview of the characteristics of organizations that seem to resist developing or internalizing business continuity as a way of doing business. This includes resistance to planning as an integral part of achieving corporate goals and objectives. The list of characteristics that is presented is by no means meant to be comprehensive. For the purposes of this article, I offer the following definitions:

Crisis: ‘A disruptive event that is amplified, elevated and magnified.’

Business continuity: ‘All initiatives taken to assure the survival, growth and resilience of the enterprise.’

Characteristics of a business continuity resistant organization

Companies that resist business continuity planning generally share the following characteristics to some degree. Many exhibit several of the characteristics strongly; many passively resist the business continuity process, giving lip service to development while doing everything to subvert program development. In either sense, the failure to achieve continuity as part of the business creates hidden vulnerabilities that often explode to the forefront when an event occurs that disrupts the ‘apple cart.’

Here, in no particular order of relevance, are the characteristics that are most common. Please note that this list is not meant to be comprehensive:

* Organizational culture – it can be passive, aggressive or somewhere in between; whichever it is, culture plays a significant role. From denial to ‘only good news is reported upward’ the range of behavior that companies create can cause a program to succeed or fail.

* BCP is viewed as a necessary evil – business continuity planning is seen as an adjunct to the business that the company is involved in and therefore never gets integrated into the business. From tactical level response to strategic level assessment of corporate goals and objectives business continuity planning is an afterthought if thought of at all.

* Lack of focus – the business continuity program lacks focus, is fragmented and therefore not well coordinated. Due to the lack of focus the plans generated do not mesh well between elements of the organization. Fragmentation also leads to hidden cross-functional dependencies being overlooked until they manifest themselves during a disruption.

* Organization silos – while most organizations exhibit to some extent silo structure, the effect of a strong silo structure can virtually choke a business continuity planning initiative. The effect of silos is often to create information gaps within the organization. These information gaps can create, for the holders of the information, power niches. The ‘gotcha’ game then can ensue as information, perhaps critical to developing effective business continuity plans, is either totally withheld or parceled out piecemeal in response to requests for comprehensive information. This often happens when the organization communication process is such that passive forms of resistance are found in the selectivity of what information is released. Information is power, why should I share it?

* It can’t happen here – and if it does we don’t need a plan to work through it! This is often the case with smaller organizations and with extremely large organizations. Smaller organizations often are misguided in their thought process; thinking that they are too small to need a plan. This is often because they view business interruptions at extreme ends of the spectrum; either it is too insignificant to affect them or it is of such magnitude that no plan will help them stay in business. Even the self-employed consultant with a practice consisting of a personal computer, intellectual capital and a home office needs to have some plan for contingencies. This can be evidenced by the loss of data from a computer glitch to getting mugged and losing the computer.

Large organizations also fall prey to the ‘It can’t happen here…’ trap. Take some of the largest organizations in the world and begin to assess their ability to sustain operations when faced with a crisis situation. Now think about the dinosaurs and extinction events. Large organizations, much like small organizations, are often misguided in their thought processes regarding the value of a business continuity plan. Rather than thinking that they are too small to need a plan or that most events are too insignificant to worry about or that they are large enough to sustain operations even when the magnitude of the event is widespread, they tend to think that they are immune. We are immune because we are diversified. We are immune because we are geographically dispersed. Diversification and geographical dispersal do not create immunity.

* Business continuity planners often do not know the business of the organization well enough to develop plans that are meaningful. Even if the planning staff has worked within the organization for many years there is no guarantee that they know the business. They may know how many computers, desks, chairs, etc. are needed to recover the impacted location. But hardly any attention is ever focused on the business – read this – customers! As currently practiced by many, the business impact assessment (BIA) is merely an analysis of internal needs. Correct me if I am wrong, but it comes to me that if I lose a customer that represents a significant portion of my business earnings – that is a business impact! Yet, plans and planners continue to overlook an assessment of the customer as part of the continuity planning process.

* Process focus – George Odiorne in his work, ‘The Activity Trap,’ identifies how focus on process and procedure can become an end to themselves. Processes and procedures are developed to achieve an objective (usually in support of a strategic objective). Over time goals and objectives change to reflect changes in the market and new opportunities. However, the processes and procedures continue on. Eventually, procedures become a goal in themselves – doing an activity for the sake of the activity rather than what it accomplishes. Many business continuity plans are reflective of the ‘activity trap’ – doing an activity (planning) for the sake of the activity (publishing a plan) rather than what it accomplishes (it should facilitate the achievement of corporate goals and objectives in the face of disruption).

* The business continuity plan does not reflect corporate goals, objectives – business is driven by strategy carried out in the form of plans by people who operate in existing and evolving markets. Every organization’s ‘strategic plan’ (developed either formally or informally) identifies the company’s critical objectives.

* Our customers are captive; they would never desert us! False assumptions or overlooking the obvious. Are your customers really captive? What if your product or service suddenly is not in demand (as may be the case in a pandemic)? Could your company realign itself to stay in business – is this a business continuity issue? I think that limited planning assumptions create limited value plans.

* False or limited planning assumptions – often overlooked are the events that have the greatest potential impact but due to highly improbable occurrence are not planned for. Or, events are not included in the planning mix (loss of major customers, etc.) because they are beyond the limited focus of the business continuity practitioners. Because we are asking the wrong questions precisely, we are getting the wrong answers precisely; and as a result we are creating false positives. For example, an article entitled ‘Disaster Preparedness’ by Jon Surmacz, featured in CSO Magazine on August 14, 2003, cited two-thirds (67 percent) of Fortune 1000 executives saying their companies are more prepared now than before 9/11 to access critical data in a disaster situation. The majority (60 percent) say they have a command team in place to maintain information continuity operations from a remote location if a disaster occurs. Close to three quarters of executives (71 percent) discuss disaster policies and procedures at executive-level meetings, and 62 percent have increased their budgets for preventing loss of information availability (source: Harris Interactive).

Please note that the above is a classic example of creating a false positive. Read the previous paragraph carefully and you will clearly see that the executives are referring to the ability to access information and to maintain information availability. They are not saying that their companies are prepared for the loss of personnel, loss of facilities, loss of access to normal business environments or any of the other potential problems that could be encountered in a disruptive event. This is not to say that they have failed in any way, shape or form. I am merely pointing out that the above statement could make senior management, stakeholders, etc., think that they are prepared to handle a disruptive event, when in fact they are only partially prepared!

* Misapplied concepts – some planning concepts, like incident command systems (ICS), have been misapplied and cause the organization to minimize the value of ICS. Another concept that is often misapplied is the BIA, often ending up being a list of systems and applications, not an assessment of impacts to the business (i.e., loss of customers, effect of changes in product/service demand, etc.).

* Planning tools (software) are not reflective of the business – many of the planning tools (software) available are focused on systems and applications recovery and not on business resumption in the sense that operations elements focus on – that being meeting corporate objectives and goals.

* Misapplication of planning focus – you don’t know what you’ve got until you activate it. Suddenly, people, human factors seem to be the buzzwords in business continuity planning (this, the result of concern over a possible pandemic). Where were business continuity planners focused before? Systems, applications? People are the core of any business and therefore should predominate planning – they generally do not.

* Pyramids and sandcastles; rarely a cathedral. Plans that reflect pyramids are generally monuments to one person, serve a single purpose and are generally non-sustaining. Sandcastle plans are vulnerable to adversity, built on a shifting foundation and are not made to adapt or last. The cathedral plan on the other hand is self-sustaining, serves multiple purposes and acts as a growth engine for future development.

Overcoming resistance
Today, management has the responsibility to protect the organization by facilitating total continuity planning and preparedness efforts, not just systems continuity. Market research indicates that only a small portion (5 percent) of businesses today have a viable plan, but virtually 100 percent now realize they are at risk. Unfortunately, the researchers may have been guilty of asking the wrong question precisely; and as a result, getting the wrong answer precisely. Seizing the initiative and getting involved in developing a ‘total business continuity plan’ can prepare an organization to respond to, manage and recover from a disruptive event that could become a ‘crisis.’ Overcoming resistance to business continuity planning can be achieved by building a business continuity plan that focuses on business and incorporates corporate goals and objectives as a cornerstone of the business continuity planning process.

Author
Geary W. Sikich is the author of ‘It Can't Happen Here: All Hazards Crisis Management Planning’ (Tulsa, Oklahoma: PennWell Books, 1993). His second book, ‘Emergency Management Planning Handbook’ (New York: McGraw-Hill, 1995) is available in English and Spanish-language versions. His third book, ‘Integrated Business Continuity: Maintaining Resilience in Uncertain Times,’ (PennWell 2003) is available on www.amazon.com. His latest book, ‘Protecting Your Business in a Pandemic: Plans, Tools and Advice for Maintaining Business Continuity,’ (Praeger Publishing) will be available in 2008. Sikich is the founder and a principal with Logical Management Systems, Corp. (www.logicalmanagement.com). He has extensive experience in management consulting in a variety of fields. Sikich consults on a regular basis with companies worldwide on business-continuity and crisis management issues. He has a Bachelor of Science degree in criminology from Indiana State University and Master of Education in counseling and guidance from the University of Texas, El Paso.

References

Sikich, Geary W.; Integrated Business Continuity: Maintaining Resilience in Uncertain Times (PennWell, 2003)

Surmacz, Jon; Disaster Preparedness; CSO Magazine, August 14, 2003

Copyright© Geary W. Sikich 2008. World rights reserved.
Published with permission of the author.

Date: 1st February 2008 • Region: US/World • Type: Article • Topic: BC general