Business continuity management is often not as holistic as it should be, says Tim Armit.
Over the last few weeks I have begun to despair about our profession, or maybe I have begun to realise that my expectations of are not what we really aim to achieve. With the report on Eurostar’s winter problems being published recently and Toyota’s disaster happening as I write, I continue to despair as to where the business continuity plans are.
I have worked in business continuity full time for 21 years making me one of the most experienced practitioners around. I have been fortunate enough to work on some of the world’s largest projects and in every sector around the world. This year I have begun to realise that my vision for this industry is not really what we do. We claim we want business continuity management but in reality we are physical disaster based emergency planners.
Last year we saw amongst others Lehmans, HBOS, Northern Rock, RBS and many others fail and either disappear or come into partial and full public ownership to keep them alive. Where were their business continuity plans? Ah now here is the rub, the Financial Services Authority and others would use many of these companies to advise them on business continuity, to hold them up as paragons of business continuity. In fact one senior BC manager from one of these companies (which no longer exists) still insists it was not a business continuity event. This horrifies me, surely a business that does not continue clearly fails in business continuity; is the clue not in the name?
In the last week or so I have been to two events which continued to show we may be wasting our time and maybe it’s time for us to accept that we are just IT and facility people and that no one does holistic business continuity. I went to a seminar of experienced BCM practitioners and was preached at that unless you have been in the military or emergency services you should not be on a crisis team. I am sure an ex-army major or a fireman would have solved all the credit crunch issues if only they had been there! This not only insulted every board of directors but meant that there is no point in training people in BCM as they can never learn unless they have been in the military, so again we are wasting our time...
I then attended a conference where the UK Tripartite, (Bank of England, FSA, HM Treasury) stated, on public record, that their remit was just physical events, focussing on terrorism, floods and pandemics. When challenged that there is hardly a single piece of evidence that any major company has ever failed from one of these and why aren’t they interlinked into the real events that close companies, we were told that is not in their remit. So the UK financial sector is to focus on risks, and invest heavily in areas that are known NOT to close companies; again are we wasting our time? At the same event the UK National Risk Register was discussed which again did not include financial risk. Does anyone think an imagined terror attack could ever do as much business impact as the current recession? In the almost 1000s of terrorism attacks we have had in the UK over the last 30 years the financial impact has, in the main, been less than this winter’s snow.
And finally, we come to the real events around us. Eurostar, an international key infrastructure provider linking the UK to France, failed over the Christmas period. A report was read out on all news channels stating they had either no or inadequate emergency plans, no or inadequate business continuity plans. And no one was surprised. Did they not employ anyone in this field? Did they not do any testing? Was again their scope limited to the comfort zones of competence and not challenging? Toyota is daily seen to be imploding on the televised news with ever-worsening stories and appalling crisis and media management. Again where were the plans, what was the testing?
I am sure there will be, as ever, a litany of excuses. The main one being scope of responsibility. But that is not good enough. This profession is now over 20 years old, it’s not an IT profession; we must focus on ALL and EVERY risk and if we are not competent enough we must admit this and bring in business people to work with us who are. We must interlink with operational risk and stop our exercises being limited. Or we must just admit there is no such thing as holistic business continuity management; and accept that we only do physical events, just leaving the other risks to someone else. It is time for our industry to grow up.
Author: Tim Armit, Clifton Risk Management Ltd, firstname.lastname@example.org
MAKE A COMMENT
Well said Tim, I share your despair.
The narrowly defined scope of business continuity is supported in standards, making it easier to get certification. So what chance do we have to get people looking at a wider range of risks?
Potentially many BCM programs are not seen as relevant by executive management and therefore will not be engaged by the business to address other than these basic risk areas.
I hope we can find the way for the industry to grow up.
Wow, what a bleak view of the world! Whilst I agree in part with some of the above, I’m pleased to say I have a much more positive view of the future for the industry (I’m an optimistic pessimist – I know things will go wrong, but I do feel there is something we can do to get things right).
Unlike Tim I‘m not one of the most experienced practitioners around as I only have ten years experience in this area, but I have had the opportunity to work with a wide variety of people in many different countries and in many different industries and whilst there is an obvious lean towards looking at physical events and impact, I’m pleased to say that with some degree of relationship building and education, businesses and business leaders are quite responsive to developing an understanding of how to manage and react to risks which don’t immediately scream ‘disaster’ at them.
It is true that in recent weeks there have been yet more events which have tested the ability of companies to react effectively to a crisis, but they were found lacking. But this really shouldn’t be any reason to despair on our part. Every event of this nature will provide the rest of us with ammunition which we can use to great effect in our training and presentations to our senior managers. The lessons learnt from Toyota and other recent events are just as important as those learned by the more physical events of the recent floods in Cockermouth and the severe snow fall of February this year.
What we must do is look to layer the lessons learnt from these events in our training and our cycle of continuous improvement within BCM, and in particular within the crisis management teams who will be the ones who react to such events. In the training that I undertake I focus heavily on leadership through a crisis; what this looks like, what makes a good leader, what does a leader need to know, do and act like. I agree with Tim that it doesn’t matter about the background (ie. Ex army) of the individual, only that they can contribute openly when a significant event occurs.
To be fair to the UK Tripartite, their focus is clearly directed by the UK National Risk Register which places these physical events right at the top of their agenda, so it’s little doubt they wouldn’t even consider more dramatic (and more likely) events the like of which we’ve witnessed over recent months. I actually believe the real blame should not be levelled at the Tripartite but squarely at the government who seem reluctant (in my humble view) to take a tougher stance on requiring businesses to have BCM practices effectively in place. SMEs are left to fend for themselves and to discover their own path through the murky waters of crisis management, contingency and disaster recovery plans! Little wonder then that these smaller companies are impacted immediately by floods (physical risk) or economic down turn (strategic risk).
Tim’s final point re Eurostar is an interesting one and in stark contrast to my own (personal) view of how it was handled. Firstly, I hadn’t heard the report stating that they had no contingency plans, however I can say that I was personally impressed with the speed of reaction to the incident. Difficult decisions were made to cancel trains. Priority was given to those who had already booked tickets, whilst informing others to delay travel etc. There was an open and honest apology for the inconvenience caused and the reason for the breakdown was (whilst being quite shocking) honestly reported. Now, I appreciate there will be a dozen things that many will say could and probably should have been done, but to the point of the Eurostar ‘incident’, I believe it was handled as best it could be. I’m sure there are many lessons that have been learnt and they are being worked on as we speak (yes, my glass is always half-full).
As Tim states, we do need to get the business to consider risk in its widest sense and this starts with us. We must engage with the business at every level and look to exploit every opportunity open to us to get BCM onto the agenda. Will we succeed every time? No. But will things get better? Yes. The profession is indeed over 20 years old, but risk and risk mitigation (of which BCM is part of) has been around far longer. If we are frustrated at the industry and the world-at-large because nobody is taking this seriously enough or thinking on the topic deeply enough, then we need to change our approach. If we continue to do the same thing we’ve always done, we’re going to get the same results we’ve always got.
So, stay positive... BCM could also stand for Belief, Commitment, Motivation. With these in place you’ll succeed – eventually. (In the words of Bon Jovi – Keep the faith!)
•Date: 5th March 2010 • Region: UK/World •Type: Article •Topic: BC general
Rate this article or make a comment - click here
UPDATED 30TH MARCH