By David Honour, editor, Continuity Central.
Business continuity management has matured over the past few years, but as this process happens is there a risk that the profession becomes change-resistant? Standards have emerged, but could this emergence, coupled with a growing demand for accreditation and certification, result in a lack of innovation?
It is undoubtedly easier to follow tried and tested formulae, but questioning the status quo is always healthy and necessary, so let’s ask some hard questions.
Has business continuity arrived? Is it the finished product? Are the current standards and best practices the destination of two decades of evolution from disaster recovery? Or is the current stage simply part of a journey to a new and different destination? Are our current plan development methods and business continuity management strategies the pinnacle of what the profession can achieve? Or are we halfway up the mountain taking a breather?
My inclination would be the latter. Business continuity management as it stands is an interim stage of the development of something broader, more wide-ranging, more effective and more holistic. Personally I believe that it is possible that we are on a journey towards ‘organizational resilience’.
Of course, business continuity managers have always understood that business continuity is inextricably linked with resilience but has the subject only partially been explored and incorporated by current standards?
In the definition of business continuity management provided by BS 25999 we read that BCM is a “holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.”
So it is clearly recognized that the aim of business continuity management is to provide a framework for organizational resilience, but what does BS 25999 mean by organizational resilience? It defines resilience as the ‘ability of an organization to resist being affected by an incident’ and it defines an incident as a ‘situation that might be, or could lead to, a business disruption, loss, emergency or crisis’. Therefore BS 25999 is clearly focussed on resilience in terms of response to an unusual incident, something which happens outside of the normal day-to-day activities of the organization. Organizational resilience within BS 25999 is closely related to incident response; a somewhat narrow view of organizational resilience?
A wider view of resiliency is that it is as much about maximising the availability of systems and processes in day-to-day situations as it is about responding to unusual and disruptive events.
So, whereas BS 25999 sees one of the major outcomes of an effective business continuity programme as ‘key products and services are identified and protected, ensuring their continuity’, in organizational resiliency ALL products and services and ALL processes are important to protect. And while recovery is important, the main focus is upon hardening systems and processes so that damage, downtime and outages are minimized.
At the heart of organizational resilience is culture change. Its essence is the development of resiliency thinking so that resilience is not retro-fitted into systems and processes; instead it is designed into systems and processes from day one. And risk management and monitoring are not the role of a separate siloed department; they are the clear responsibility of every manager and every employee.
None of the above is intended as a criticism of current business continuity standards, or of BS 25999 in particular. It is clearly fit for purpose for today’s market and profession. However, I believe that business continuity management can be the vehicle that allows operational resilience to fully emerge. But only if we allow business continuity management to evolve further. Only if we aren’t afraid to go back to the very basics when future revisions are made to business continuity standards. Only if we encourage those who think outside the box. And only if we admit to ourselves that we are on a journey rather than at the destination.
Make a comment
I think you are missing the boat when it comes to your commentary on BC. From my perspective BC and DR will emerge as an element of enterprise risk management (ERM). This will be promulgated by the credit rating agencies led by S&P. S&P, this year, will begin to factor into their credit worthy ratings assessments, ERM. From a non-biased perspective, ERM is the wave of the future (based on recent Wall Street events) that will sweep up BC and DR as part of a much bigger corporate strategy for assessing and mitigating risk. Unless there is governmental legislation requiring every company to have a BC/DR plan, only the ratings agencies will push the BC/DR boat ashore through ERM...only then will BC/DR be recognized by the Cs as a necessary element and strategy for doing business long term.
Daniel L. Walz CBCP

The publication of BS 25999 marked a significant point in the evolution of the subject because the discipline of writing a standard forces one to analyse how you do something, and document it clearly enough for someone else to follow. Before the standard the BC expert could claim his recommendations were based merely on 'experience'; now there is a clear auditable process which can be followed from BIA through strategy to plans and exercising.
This more scientific approach has also led to the questioning of various assumed truths. Unexpected events are more frequent than we perceived them to be - but the usually quoted statistics of organisational failure (80 percent) don't seem to match reality, which is much lower. The rigour of the BIA has replaced the manipulated guesswork of the risk analysis - yet we still argue about terminology and meanings. This is a healthy discussion and will keep the subject developing.
I think our next challenge is to establish the statistics of our discipline. Do the incident management structures we put in place reduce the impact of all incidents - and by how much? How many organisations fail after disruptions - why and would a BC plan have saved them? Do we produce a return on investment - or is BCM just a cost? We believe we know the answers to these but relating what we do to the accumulated facts will help to refine our methods - and should make selling what we do a lot easier!
Ian Charters, FBCI

I agree whole-heartedly with the sentiment of the article.
I'd also like to add that, as an organisation that is in the throes of implementing ITIL best practice, the ITIL IT Service Continuity, Availability and Capacity Management processes also point the organisation in the same direction, that of organisational resilience, where business systems and processes are inherently assessed for risk during the design and build process and thus should be robust enough to prevent, or at least give plenty of advance warning of, problems that could impact on the business's continued normal functioning.
It's a long road, but the ultimate destination is worth it: the biggest issue, as I see it, is convincing the people who hold the purse strings that this is worthwhile and cost-effective expenditure.
It's difficult enough convincing them that investment in traditional business recovery planning and support infrastructure is worth the money...
Ian Peacock

At a philosophical level, this article makes good sense. We are indeed somewhere along a continuum in the evolution of the BCM profession. And we have certainly not yet arrived at the ‘end game’, whatever that may be. In the meantime, standards notwithstanding, the profession has a more practical dilemma it faces daily. People in the profession are losing their jobs, entire BC departments are being disbanded, and consultants are having a difficult time locating projects, at least in the US. BCM has regrettably been what we might call a ‘first to go’ kind of activity. When companies must reduce expenses, they typically look for overhead (translated: expense) situations whose contribution can be (in their humble opinion) eliminated with minimal damage to the company. BCM is one of those. In some vertical markets, such as finance, regulations can ensure - to a limit - that the BCM activity won't be entirely scrapped. However, in other verticals, there is no such safety net. In short, the profession needs to focus on reinforcing its intrinsic value to an organization; otherwise it's not likely to survive cost-reduction activities. The way to do that is another discussion entirely.
Paul F Kirvan, FBCI, CBCP, CISSP

I agree with your article, I have been a BCP, DRP practitioner for seven years in various industries, the thinking amongst organizations here in Australia has been consistent over that time, i.e. I haven’t yet seen an explosion of organizations requiring BCM services, which tells me that organizations see BCM as what they have always seen it, should have a BCM program, but not high on the priority list, and will develop one when someone tells me (e.g. auditors, regulators or reacting to an event).
However I am not sure whether bandying the word ‘resilience’ will make a difference, this I suspect is where we as practitioners come in.
The resilience part will be an education to organizations. Standards I see really as a means to an end.
Michael Mitchell

I think the next generation will be business resiliency where a resiliency strategy is like a corporate umbrella with business continuity and enterprise risk management as key components. I had followed the Business Resilient Certification Consortium and it now appears they are no longer active. I thought they were on the right track, but suppose their attempt to have a certification scheme similar to the BCI hasn't panned out. The fundamentals are sound.
David B. Bledsoe, MBCI

Where next? On the current course, to the brink of a very large chasm. That chasm is irrelevance.
I agree that tracking business continuity narrowly with incident response and crisis management is the wrong road. BS25999 and most of the other available standards marginalize business continuity to be a tool needed ‘if’ something happens for the ‘critical’ aspects of the work.
So, what's wrong with this? It does not consider my work important. Who am I? The majority of people working for most businesses and organizations that believe critical is important.
Is business continuity a finished product? There is not even a clear definition of what the product of business continuity is. It is not a BC management system. It is not the plethora of terms that glorify the ‘fire fighter’. And, most important it is not about technology.
The product of business continuity professionals is preparedness. And, the prepared are the people that make up an organization. All the best practices are directed there. However, without an awareness of what the goal is, you won’t know when you get there.
Is it done? No. Can it be done? No. Because, arriving at the understanding that continuity is about people is the beginning of the journey to make business continuity a core competency of every business model.
Philip Oppenheim, CBCP

• Date: 23rd Dec 2008 • Region: World • Type: Article • Topic: BC general
UPDATED 21ST JANUARY 2009