[18th October: updated with reader comments]
By David Honour.
Navigating across desert areas is notoriously difficult. For years the terrain can remain the same, but a sudden wind-storm can change the landscape overnight. The business continuity profession sometimes feels analogous. Periods of stability are overtaken by paradigm shifts. This may be common in the development of any young profession but it can easily lead to confusion.
Business continuity evolved out of information technology disaster recovery during the early 1980s. For the first two decades of its existence it was a very nebulous area, with its definition and parameters varying from organization to organization. However, business continuity hit the headlines in 1999 due to fears of the so-called Millennium Bug, and soon after this the first serious attempts to codify business continuity best practices started.
When it came to standards, North America was first out of the blocks, breaking ground with the NFPA (National Fire Protection Association) 1600 standard (Standard on Disaster/Emergency Management and Business Continuity Programs). The UK followed closely behind, with the BS 25999 British Standard. This was published in two parts: a code of practice (2006) and a specification document (2007).
BS 25999 part two introduced the concept of the business continuity management system (BCMS), firmly moving business continuity away from the project-focussed approach of the past.
2008 and 2009 proved to be relatively calm and stable years for the business continuity profession, with the existing standards widely accepted and with much activity focused on understanding their requirements and developing compliant plans and strategies.
However, in 2010 the winds of change are again blowing.
With both the BS 25999 and NFPA 1600 standards the aim is to be able to put in place strategies and plans which will enable the organization to quickly respond to any abnormal incidents that might occur. As BS 25999 puts it, business continuity management ‘provides the capability to adequately react to operational disruptions.’
This focus on response and recovery is now being questioned. Are BS 25999 and NFPA 1600 restricting the business continuity profession to an incident response mindset? And is this appropriate? These questions are now being raised, and they deserve a proper debate.
From response to resiliency
The first challenge to the status quo is coming from those who believe that business continuity is best achieved by focussing on the resiliency of existing processes and infrastructure rather than on the restoration of these after an incident. A resilient organization is one that has looked at all its critical areas, has hardened them against downtime and has added failover measures which kick in should a system fail.
The argument for resiliency has been led by ASIS International, which, in 2009, jointly launched a new business continuity standard, ‘Organizational Resilience: Security, Preparedness and Continuity Management Systems’, with the American National Standards Institute.
The key difference between the new ASIS standard (SPC.1-2009) and the NFPA 1600 and BS 25999 standards is its insistence on the necessity for organizational commitment to incident prevention.
SPC.1-2009 stipulates that compliance will result in the following outputs (strategic programs, as it terms them):
- A prevention and deterrence program: to ‘avoid, eliminate, deter or prevent the likelihood of a disruptive incident’;
- A mitigation program: to ‘minimize the impact of a disruptive incident’;
- An emergency response program: the ‘initial response to a disruptive incident involving the protection of people and property from immediate harm’;
- A continuity program: ‘processes, controls and resources to ensure that the organization continues to meet its critical operational objectives’;
- A recovery program: the processes, resources and capabilities ‘to meet ongoing operational requirements within the time period specified in the objectives.’
While being able to return to business as usual within a stated time period (the recovery time objective) will mean that an organization has effectively met the main requirements of BS 25999 and NFPA 1600, this is not enough to fulfil all the major requirements of SPC.1-2009. The resiliency outcomes (prevention, deterrence and mitigation) must also be met.
The advent of risk management approaches
The second, and clearer, challenge to accepted business continuity conventions comes from the newest business continuity standard, AS/NZS 5050.
AS/NZS 5050, ‘Business continuity – managing disruption related risk’, was released in June 2010 by Standards Australia and Standards New Zealand. It aims to relate business continuity to the ISO 31000:2009, ‘Risk management – principles and guidelines’ framework and it makes risk assessment and management its central pillars.
AS/NZS 5050 somewhat aggressively sets itself up to be in direct competition with the other business continuity standards. In the foreword it states: “Unlike other guidelines in Australia, New Zealand and elsewhere in the world that address disruption-related risk, AS/NZS 5050 does not limit its consideration of risk treatments to those that only apply once a potentially disruptive event has occurred.” Even more clearly, in section 1.1 (the Scope) the standard states: “The approach has drawn on, but of necessity goes beyond, many of the concepts that in the past may have been described as ‘Business Continuity Management’ or BCM.”
So the battle lines have been drawn. The authors of AS/NZS 5050 clearly believe that the standard takes the management of disruption related risk to a new level, leaving business continuity management behind, as history.
Unsurprisingly, this has generated a strong response. The Business Continuity Institute (BCI), in particular, has led the questioning of the risk-based premise of AS/NZS 5050.
Writing to the Australian Chapter of the BCI, the organization’s technical director, Lyndon Bird, states that AS/NZS 5050 “does not follow what has become a generally accepted international view of business continuity management; a holistic management discipline that looks at an organisation’s products and services strategically to determine the most impact that would result from interruptions across different time horizons.” Mr. Bird effectively dismisses the standard, saying: “The BCI expect[s] the standard to have little international impact within the practitioner community, because the underlying principles are not in line with progressive BCM thinking.”
2010 sees the business continuity status quo being challenged. It would be disappointing if the profession returned to the days when every consultant had his or her version of what business continuity is and how it should be implemented. But the new challenges to the generally accepted thinking of recent years at least deserve to be discussed. Will they have an impact? Time will tell.
Author: David Honour is editor of Continuity Central.
Note that all reader comments are the views of the individual concerned and do not necessarily reflect the views of Continuity Central or its editor, David Honour.
In response to Roger Estall, let me offer a view that will explain why I believe AS/NZ 5050 doesn’t work, and that it doesn’t matter how intelligently we apply it, we will actually increase the risk as false confidence sinks into the minds of the Executive.
AS/NZ 5050 is not a BCM Standard since it doesn’t present the philosophies required to respond and recover from ANY threat including Black Swans [ref http://en.wikipedia.org/wiki/Black_swan_theory].
AS/NZ 5050 requires you to generate a comprehensive list of risks, and those that were not (or cannot be) identified are not “included in further analysis” – as a result, you will be exposed to Black Swans.
Of those that are considered, an assessment of likelihood is required followed by the development of a small number of representative scenarios from which risk treatment options can be considered. Likelihood is by definition a risky metric – and just because you accept the likelihood as being low doesn’t mean that you’re safe from that threat manifesting. Scenario consideration relies partly on the individual’s experience and partly on their imagination – again a risky basis for planning against any disruption. I can’t imagine a CEO or Minister standing in front of their stakeholders and apologising because “in all our planning and considerations we didn’t think that could happen - sorry.”
The application of a Standard, in say a corporate or government environment, is not trivial. It’s not something that you want to ‘try it’ as an experiment to see whether you will like it or not.
We don’t need another risk management standard: AS/NZS 31000 already covers that space very well.
Saul Midler, MBCI.
I'm a bit confused by the debate that's emerged here.
The definition of BCM that I've adopted and promoted over the years came from the BCI:
"Business Continuity Management is a holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities."
Isn't the key distinction between business continuity planning and business continuity management the need for an organization to proactively manage the risk of business interruption?
Given this definition, I'm not sure that the various standards in existence and emerging are really in disagreement about what BCM should accomplish, but perhaps differ in where the emphasis should be placed: resilience or response.
My opinion is that organizations should focus on becoming resilient, but naturally need to have effective response plans in place. I believe a good BCM program should place 75% of the effort on proactively managing risk (both incident prevention and minimizing the impact of what you can't prevent) and 25% on developing reactive response plans (protecting life and property and ensuring continuity should an event occur). While we tend to speak of them as separate efforts, one naturally leads to the next - contingencies minimize the impact of an event and tend to become the response plan.
The key comes down to "what does resilient mean?" We define it technically as "the ability to withstand and reduce the impact of a crisis event," but ultimately as "the ability to meet customer demand in spite of a crisis event."
That's where the business value is and that's where competitive advantage comes into play. Do you want to promote your company as a "resilient" organization that is proactively managing all sources of risk that could lead to a business interruption, or one that's prepared to "respond" well? Do you want to promote yourself as a risk advisor/strategist or a plan developer?
Bottom line: I believe organizations need to do both (regardless of which standard they adopt), but it's within strategic and proactive risk management efforts where organizational value is created and where business interruption efforts should be focused. And it's through these efforts that a Chief Risk Officer will emerge as a needed and valued position; helping to get our profession to the executive table.
One of the curses of standards is the temptation of their authors to coin new expressions – particularly adjective-noun combinations – then capitalise the words, then reduce them to (typically) a three letter acronym and then assert that a new truth has been created – often so fundamental, in the minds of the authors, as to rank alongside gravity and the periodic table as immutable explanations of the universe.
A useful test of such expressions is to strip away the capital letters and reorganise either the words or their tense and see what is conveyed by their ordinary English meaning. This is an interesting test to apply to “BCM” (an expression coined, by the way, "down under"). Whatever the content of its practice, does BCM actually provide what is needed to ‘manage the continuation of a business’? If not, isn’t that title both misleading and, for those who peddle its wares, somewhat dishonest?
In its Foreword, AS/NZS 5050 makes an interesting observation about the ‘continuation of business’ by pointing out that “Ensuring business continuity requires a variety of conventional management techniques such as strategic and business planning, continual development of products and services, retaining and acquiring customers, recruiting new staff, raising finance, acquiring technologies and constant attention to quality and efficiency.” Can this be disputed? In which case, does “BCM” provide advice about any of these matters? Of course not. One can’t run – and continue - a successful business by “BCM”. It can help only in certain circumstances and in some of those, the best answer could be “don’t” continue. By contrast, AS/NZS 5050 at least starts with an honest title – making clear that it deals with that part of achieving continuity of business which requires disruption-related risk to be managed.
Peter Power’s quotation from Machiavelli is so apposite. “there is nothing more difficult to plan, more doubtful of success, nor more dangerous to manage than a new system. For the initiator has the enmity of all who would profit by the preservation of the old institution".
Having read the angst of AS/NZS 5050 readers (none of whom actually identify why it doesn’t work), the words of another enduring author – Theodor Geisel (a.k.a. Dr Seuss) in his book Green Eggs and Ham – come to mind. “Try it, try it, you will see” Sam repeatedly urges his sceptical friend, assuring him this is so whatever the situation and whatever the environment. After vehement refusal “not in a train, not in the rain; not in a tree, you let me be”, Sam’s friend relents, only to say in astonishment: “Sam! I like green eggs and ham! I like them in the rain, I like them on a train. I will eat them here, I will eat them there. I will eat them everywhere!”
What is it about AS/NZS 5050 that is so scary? If it is applied intelligently, what is it about it that can produce an unwanted outcome – especially given that it is based on the needs (objectives) of the business and their appetite for risk ... rather than the views of the consultant as to how their client’s world should be?
I am currently a risk manager for a large UK public organisation. Prior to that I was the Business Continuity Manager in the police service – part of the emergency planning team. I have quite a lot of experience in that line of business. I have my feet in two camps. Appreciating its importance, I’d like to leave the standards issue to one side and focus upon practicalities and the perspective of the executive who is focussing on overheads, production costs and profit/better services.
One of the things not mentioned so far is ‘proportionality’. This word is a key feature in Management of Risk (MoR) and was at the forefront in the recent UK review of the Flu Pandemic response. Also, MoR is increasingly recognised as a ‘behaviour’ necessary in good management. I would argue with anyone who assumes that this occurs naturally as part of a routine. The behaviour element relies on an understanding of threat perspectives, or else one gets it hopelessly wrong due to (eg) over-confidence or inability to listen for longer than 10 seconds. Effective MoR helps deliver good decisions, assurance, compliance and efficiency. So I view BC increasingly as a vital response to business risks for all the reasons previously stated. For example, I’d go as far as to say that BC not only protects supply chains – but IS PART OF that chain as it provides assurance around delivery and hopefully, corporate social responsibility. Yes, it’s all about reputation!
A big potential plus for BC is that the BIA element not only informs planning but should also inform the executives about their business – they will not know everything. There should be a prize for any BC manager who can get this on two pages of A4.
So if BC and MoR are closely related then why not – as has already been suggested – put it all under one roof with compliance, health and safety and insurance. Time for a bit of Lean Thinking perhaps?
Alan Pawsey MA CIRM
I believe this discussion originated after the BCI’s Lyndon Bird wrote that the new AS/NZ 5050 standard “does not follow…a generally accepted international view of business continuity management” and that 5050’s underlying principles were “not in line with progressive BCM thinking.” Perhaps he can be forgiven for staging an attack on the Unbelievers from Down Under, as he was provoked: the SAI Global web site says AS/NZ 5050 “goes beyond many of the concepts that in the past may have been described as ‘Business Continuity Management’ or ‘BCM’”, and the Standards New Zealand web site said 5050 “[builds] on earlier concepts (often called ‘business continuity management’).” So can we all agree that the Aussies and Kiwis started it?!
I teach the BCI’s five-day entry-level training course, and I believe the BCI-prepared slides for that course reflect the BCI catechism on risk management (RM) and business continuity management (BCM). The orthodox BCI worldview is that RM is part of BCM, not the other way around (course module 2). Here’s the “umbrella” slide from an earlier version of the BCI course; note RM over there on the far left under the BCM umbrella. BCI acolytes also learn in the course that “formal risk management has limitations in dealing with unlikely but feasible catastrophic risks.” Lyndon Bird’s comment just reiterates the BCI’s long-held belief that BCM’s “progressive” priesthood focuses on consequences, not causes.
1) I wrote in “Is the BCM profession a dead end?” that I know of no company or entity anywhere in the world where RM is subsidiary to BCM. That’s a vision – a revelation – that BCI alone sees. But so what? It serves BCI’s commercial purpose to propagate that theology, even if there are few devout worshippers in the congregation. It’s not fatal to the competent practice of BCM, and it provides a few moments of levity on day 2 of the BCI course. I tell the novices they must believe it fervently - until they finish the exam. But it strains credulity to call it “progressive.”
2) If Risk = Likelihood x Impact, then that formula does become considerably less useful as Likelihood approaches zero. No risk or BCM professional would have predicted, even at 8:30 a.m. on Tuesday, September 11, 2001, that three airplanes would crash into buildings in the next hour and change the world; the likelihood would have been thought close to zero. The BCI course specifically says (module 2) that BCM is the only risk treatment for the consequences (impact) of highly-unlikely catastrophic events, the “traditional BCM area of activity”. Fair enough, but what is your future as an Assistant Vice President in a Department of Extraordinarily Unlikely Events? To be relevant and useful, a resilience professional must contribute to executive thinking about many kinds of events that organizations think of as risks. Can it be reactionary or old-fashioned for two countries’ leading resilience thinkers to decide to start from an all-hazards risk perspective in AS/NZ 5050?
Managing both risks and impact competently is essential to organizational resilience. To those who care about which comes first or about whose adherents are more “progressive,” I commend the words of that earlier, progressive thinker, Rodney King: “Can’t we all just get along?”
Mr. Nathaniel L. Forbes, MBCI CBCP
This is a wonderfully complete and focused analysis of the plethora of standards developed over the past few years. While I agree that time will tell, what will also tell is the emergence of an ISO standard that can be adopted everywhere. We can only hope that this first ISO standard will have the courage to cross the boundaries of the various control professions and unite them in a single program, helping to end the artificial professional divisions that have evolved and will include risk management, op risk, physical security, logical security, emergency management, crisis management, records management, insurance, and all of the other currently separated professions, each of which must be considered in order to take into account all of the sources of disruption and the means to mitigate their probability and their consequent damages. Continuity of the business is about all of this. My hope is that BCM will get through its adolescence quickly and will lead the charge for this kind of unified approach. We did it in IT when the CIO position was created; we can do it here with the creation of the all-encompassing Chief Risk Officer.
Kathleen Lucey, FBCI.
This article and the associated reader comments offer a thought-provoking look into a maturing professional discipline. All sides offer interesting perspective, but I think we all must be careful to avoid using absolutes (e.g., Standard X does this but not that) and we need to remind ourselves as to why standards exist in the first place.
First, I disagree that we should describe one standard as superior or inferior, particularly if we are doing so based on age, country of origin or alignment to past ‘best’ practices. In essence, the strength or value associated with a standard is how each unique organization uses it to improve performance and overall preparedness. Some may find BS 25999-2:2007 fits their needs, others may choose a risk-based model such as AS/NZS 5050:2010. Still others may find value in a hybrid approach that captures critical elements from multiple standards. Outside of pursuing organizational certification to one specific standard, organizations have the right to review multiple standards and model their respective risk management programs based on what works for them and the environment in which they operate. Standards offer us ideas and perspectives, but no guarantees. By definition, standards are consensus based and therefore never perfect.
Second, I think all of the standards advocate – in a flexible manner - a focus on mitigation/resilience (where warranted), response and recovery. There is certainly a difference in specificity among them, but they all touch upon each of these issues. We (as business continuity professionals) need to prepare to react to unique executive sponsor preferences. Some executives prefer “to keep the bad stuff from happening in the first place”, therefore prefer to emphasize mitigation. Others are intimidated by evaluating risks/threats and feel that they cannot possibly think of everything, therefore they prefer a more reactionary response/recovery model. Regardless, standards should (and do) provide flexible models to address diverse needs and perspectives.
Overall, let’s focus on the positives and learn from the various consensus-based standards introduced as of late. With an open mind, consider using the content to assist in improving performance and readiness in your organization.
Brian Zawada, Avalution.
This is an interesting article and will hopefully provoke some equally interesting discussions. As a BC consultant it’s worth comparing what we see our clients asking for against the changing environment.
This may be a statement of the very obvious, but when BS25999 was launched the business/organisational environment was not the same as it is now. Indeed, as 25999 can trace its roots back through the PAS stages to the BCI GPG, which had been around for a few years prior to that, it can be seen that today’s broad environment is no longer the environment against which the standard was created. This alone ought to provoke businesses/organisations into testing whether the standard remains correct for them to use. Less than a hundred years ago the standard for motor vehicles was to have a man with a red flag travel in front of them....
The arrival of BS25999, along with the Civil Contingencies Act (in the UK), hastened a period of increasing maturity about business continuity within businesses and organisations. This maturity (or adoption) curve has continued, just like any other, with the early adopters now assessing what they’ve gained from the new standard. At the same time, these early adopters are looking at a period of significantly lower economic optimism (than the time when the standard was launched). As businesses / organisations are now at different positions on the maturity / adoption curve, the early majority (in classic terms) are looking back to see what can be learned from the early adopters’ experiences. This inevitably leads to increased scrutiny of the standard and, as can be seen with almost anything new, the arrival of some kind of competition. So while the BSI was leading the way with a standard for BC management, the very success of this standard made it inevitable that other (national) organisations would look at it to see how they could create their version and enter the market with it. So why should we be in any way surprised that there’s now a multiplicity of overlapping and competing ‘standards’ for business continuity? This is just human nature and evolution in action. The BSI built a mousetrap, and now the world is building other (perhaps better, but certainly different) mousetraps. Only time will tell which will be the dominant standard in the future.
I think it unlikely that we will return to a time when every consultant has their own version of a standard. The genie is out of the bottle, and the market knows that the yardstick of an agreed standard is the only way to measure quality. Glen Abbot’s multi-national clients are not asking for different standards. They’re looking for the best of breed or perhaps the standard which best meets their needs (organisationally, culturally and geographically).
I look forward to other responses to this article, but agree with the author that there are interesting times now. One thing is for sure, the plethora of competing standards makes it hard to say what the standard really is!
Andrew Sinclair, director, Glen Abbot.
As a company that works with a wide variety of clients, I would support Lyndon Bird’s view that business continuity is a holistic and flexible process. It is interpreted by our staff as an important part of covering aspects of organisational resilience. Whilst BS25999 is not perfect and is undergoing development – as is normal in any standard – it does provide a very solid basis against which to build resilience.
The key rests with interpretation of what an organisation wants and needs, and ensuring that is delivered to the expectation they have or need. There is a danger of trying to provide a one size fits all new standard that will become unwieldy and too broad.
We deliver organisational resilience to clients and that encompasses those aspects they need (as also described briefly in Leslie Whittet’s well written recent piece) which may be security related, information assurance, intelligence or many other facets – some of which have related standards.
It may be that a guide on the varying facets of ‘organisational resilience’ would be timely, though most likely not as a standard. It is also worth noting that standards are a business for many, and there are therefore also differing drivers at work to add to the herd that already exist.
There is a real risk in trying to create something that can both reach across such a wide horizon and deal with the detail, whilst being of real value to organisations.
Dominic Cockram, managing director, Steelhenge Consulting
A very well written piece. Change can be good in many cases, but I feel that the latest standard AS/NZS 5050 seems to have created a different approach just to stand out in the crowd. Which as you say is a shame considering how far business continuity professionals have come in terms of joined up thinking: not on everything but at least the general principles.
The numbers alone make you question its dedication to BC AS/NZS 50 50 (fifty fifty or should we say half and half).
The idea of widening the business continuity mindset from incident response to include prevention, deterrence and mitigation not only makes sense, but is something that has always been a natural part of any work that I do for a client. I have not studied SPC.1 2009, but there are some obvious questions as to how far an organisation needs to go to be compliant with a prevention and deterrence program that aims to ‘avoid, eliminate, deter or prevent the likelihood of a disruptive incident’. It is, at the moment, not possible for an organisation to prevent natural disasters such as floods, earthquakes, and volcanic eruptions occurring, but how far should an organisation go to avoid these threats? For example, on the face of it, I would think that no organisation based in San Francisco could become compliant because they know that they can avoid an earthquake by moving their operations out of the earthquake zone. Similarly, no organisation based in Docklands in London could become compliant because they know that they can avoid a flood by moving their operations out of the flood zone.
Regarding AS/NZS 5050, it never ceases to amaze me how anyone can place so much reliance and importance on risk assessment and management. The assessment and management of risk is something that every individual and organisation does every day, and it is a useful and necessary discipline. However, all you can do is lower the chances of something happening and lessen the effect when it does happen. Risk management doesn’t stop events happening, and what is worse, it can give you a false sense of security – the “if it’s on the risk register and we’ve taken mitigating action then everything’s OK” syndrome. Just ask the banking industry: they had some of the most sophisticated risk management that money could buy.
There will always be challenges to accepted business continuity conventions, but at the end of the day business continuity is all about being prepared for disruption, being able to keep the essential activities operational, and surviving. As such, the core of the discipline will always be focused on understanding requirements, determining strategies, and developing and exercising plans.
Nothing could or should stand still forever, especially so in the world of Risk/BC Management, so it is not in the least surprising that BC ‘standards’ beyond 25999 have emerged and will continue to emerge. If, since the UK standard was written some years ago, others are now seeing issues from a different perspective, it could be a sign of health within the global world of Risk/BC rather than a schism, providing (and this, for me, is the crucial bit) countries, regions, communities and business increase their resilience (call me old fashioned but I prefer that to resiliency) as a result – in a world of expanding and escalating threats. At least that is the way I prefer to see it. Better still, if we did all move collectively towards a more visionary attitude where synergy replaces silos there will, in theory, be no requirement for entrenched behaviour. But this does pose a real problem that David Honour has identified in his article: “It would be disappointing if the profession returned to the days when every consultant had his or her version of what business continuity is and how it should be implemented”. Therein lies the rub: how do you synergise different views to avoid a schism that could propel us back to the old days, whilst agreeing core international principles?
While some BC practitioners/institutions take up increasingly trenchant positions, many users have done the obvious and progressively focused on a wider and more visionary concept of enterprise risk management (ERM) / resilience and realised that, ultimately, so much of this is about managing risk. Take for example, the recent 2010 publication by Marsh entitled EMEA business continuity benchmark report and you will spot on the first page that “The main discovery in this year’s result is around the integrated nature of risk, with BCM now as a component part of an ERM programme. This integration allows firms to leverage the synergies of combined risk management and BCM information when analysing their risks”. Also, a report published a few weeks ago by the Royal United Services Institute "Interoperability in a Crisis" recommends (amongst other suggestions) that within our country wide emergency response setup a "stronger framework for national resilience in the UK is needed". I could not agree more with both reports and I sense many readers feel likewise.
These days so much business planning across the globe is routinely predicated on the basis of corporate uncertainty, so too much rigidity and stubbornness by BC practitioners simply will not work. Neither will the abandonment of all the good work over the past years that has promoted BC beyond all previous recognition. But unless we move towards a more flexible approach there could be bigger problems ahead.
The solution, it seems, is to realise that the Marsh report has identified what is already progressively happening while we debate: to integrate risk with BCM under a wider ERM/resilience umbrella and then to reassemble the components of BC to identify and then define a series of agreed/core international BC principles that will be fewer than exist now, but to then locally refine them as a fresh system to suit different regions without fear of emasculating institutions such as the BCI.
Change for the better seldom happens without first disobedience. For many years I have had a quote on my study wall by Niccolò Machiavelli written over 400 years ago, that includes the words “there is nothing more difficult to plan, more doubtful of success, nor more dangerous to manage than a new system. For the initiator has the enmity of all who would profit by the preservation of the old institution". Curiously relevant today perhaps?
Peter Power, FBCI
It is all about execution!
Standards and documents are excellent reference points, but they will not create the impact - people, teams and execution will!
Whether consultants or in-house business continuity leaders have their version of what business continuity is or isn’t, organizations must find a way to adapt it to their teams, and make sure it is cascading throughout to be most effective - it is all about execution!
There is value in all the work being done by DRII, NFPA, RIMS and others to educate practitioners on tools to use, BUT...
Regardless of all the preparation, once it comes time for response and recovery, it is all about execution!
Michael W. Janko MBCP, ARM
I certainly understand why some BCM professionals may not embrace or may even resist AS/NZS 5050. Firstly, I think it is important to understand another AS/NZS standard, namely AS/NZS 4360 Risk Management.
AS/NZS 4360 defines risk as - “…the possibility of something happening that impacts on your objectives. It is the chance to either make a gain or a loss. It is measured in terms of likelihood and consequence.” AS/NZS 4360 goes on to define risk management as “the culture, processes and structures that are directed towards realising potential opportunities while managing adverse effects”.
There are a few key words in the abovementioned definitions worthy of discussion.
1. Objectives - risk management is based on the organization’s objectives, while the BCI Good Practices Guidelines (GPG 2010) focuses on products & services.
In my opinion, the organization’s mission and objectives are what I perceive as the top tier or pillar. While products and services may be reflected in the organization’s mission statement and objectives set, they are definitely not the entirety of what stakeholders will be measuring.
2. Potential opportunities - risk management seeks to turn risks into opportunities; GPG 2010 says
“The organization’s level of awareness will be constantly changing as personnel join and leave. Internal and external events may also lead to a sudden increase in awareness and knowledge of BCM issues. As these often fade quickly, the BCM programme should be ready to seize on and develop opportunities when they arise”.
Although I am a loyal member of the BCI and had firmly believed in GPG prior to 2010, I read GPG 2010 with skepticism due to the content found in the Introduction under BCM and Risk Management. One would suspect the intent is to maintain the BCM silo while acknowledging that risk management exists. Furthermore, when GPG 2010 published the following statement, the lines between risk management and business continuity became blurred:
“For those products and services that are deemed out of scope, the business risk of loss or non-availability is not mitigated by complete BCM, and has to be managed by alternative means. The choices available to Top Management are:
* Acceptance – accept that it is at risk of being disrupted
* Transfer – transfer the risk of disruption to a third party
* Change, suspend or terminate the product or service
The detailed implementation of these measures generally falls within the remit of risk management and does not follow the full BCM Lifecycle”.
Imagine conducting a BCM project and telling the client - Here is a risk, how do you want to mitigate it and pass it on to the risk management system? Unless you have clearly defined what risks are in and out of the BCM project’s scope, it’s going to become an issue. This is what I call the blurred lines between risk management and business continuity and why I think many are debating the positioning of BCM.
Secondly, let’s take a look at the evolution of AS/NZS 4360.
* 1995 - The original AS/NZS 4360 standard
* 2004 - AS/NZS 4360:2004 released
* 2009 - AS/NZS ISO 31000:2009 released
* 2009 - ISO 31000:2009, Risk Management released
While every national Standards organization was entitled to representation in the ISO Working Group on Risk Management, reports I have reviewed lead me to believe that those folks from down under were certainly influential and the underlying framework revolved around AS/NZS 4360. As a result, ISO 31000 is a reality.
In summary, risk management is objectives based and intended to address all risks. Under the auspices of risk management, insurance and business continuity are better positioned as mitigation strategies and risk treatments. While business continuity is a superb mitigation tool for sudden, unexpected disruptions to operations, it doesn’t do anything for a financial crisis, economic downturn or the Bernie Madoffs of the world. How many organizations do you know that implemented their BCP for such events?
From an international perspective, I do not see AS/NZS 5050 as a viable threat to the BCI or the GPG, just another blurred line from down under. In my opinion, the real challenge is for the BCI to find a better way to position BCM with risk management while maintaining the BCM discipline and accreditation.
David B. Bledsoe, MBCI
• Date: 3rd Sept 2010 • Region: World • Type: Article • Topic: BC general
UPDATED 18TH OCTOBER 2010