WELCOME TO THE CONTINUITY CENTRAL ARCHIVE SITE

Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

The tragedy of business continuity

By Alan Walker, MBCI.

Introduction

Most work that goes on in organizations around the world has a defined purpose, defined objectives, defined goals and measureable benefits. Everyone can see these benefits, the improvements, the savings, so organizations have no problem committing effort and resources to achieve these aims.

Business continuity is one of those niche, specialist, subjects that offer tremendous value to organizations but are still perceived by many to be an unnecessary drain on the balance sheet. The result is that the full benefits of a business continuity programme are often not realised, exploited or appreciated.

This article will look at five ‘tragedies of business continuity’: ways that organizations fail to get the most from business continuity programmes; and suggests changes that could be made which would allow the full benefits of business continuity to be unlocked.

Are you the right person?

Allow me to begin by considering the types of people best suited to implementing business continuity programmes.

Firstly the topic is company-wide. Global is an oft used phrase so in order to implement an effective, cohesive and consistent approach the programme or project manager has to understand the organization well and in particular the criticality of a wide range of different business processes and the interdependencies between them.

Secondly the very references to programme or project management indicate the need for someone with certain skills, attributes and experience. These are specific credentials on which individuals form long term careers and secure accreditations in, resulting in demands for appropriate levels of remuneration either through salaries or fees.

Next a good level of business acumen is necessary. Which solutions and strategies are appropriate for the organization given the risks and threats identified? Which solutions or strategies are cost effective given the potential impact?

Specialist knowledge of the topic is also a must. All aspects of business continuity involve the use of tried and tested techniques, processes and tools that the organization’s own role holders may not have previously been aware of. Unless one has worked regularly in amongst such capabilities, awareness and understanding will be reduced or non-existent.

Individuals also need to demonstrate the correct attributes and qualities for the roles they undertake. We are all good at different things and often there is an assumption that senior executives, because they run their organizations successfully every day, must also be good at managing a crisis situation. Not so. By way of example, I worked with one CEO who was brilliant at running the organization. They knew exactly where the organization needed to be in five years’ time and how to get there. They were really good at their job. It was realised, however, that in a crisis situation they were quickly running into problems so the organization actually took the step of removing them from the crisis/incident management team and appointed someone with better credentials for that particular role. It didn’t make the person a bad CEO, far from it, they were just not the best person for crisis management roles.

I’ve been in the industry long enough to learn that business continuity is not the sexiest topic in the organization. Many organizations and indeed many executives still seek to push it down the corporate agenda both in terms of priority and resources applied. For a corporate wide discipline aimed at protecting critical business processes, people and the corporate reputation it becomes increasingly difficult to get the work done to maximum effect the further down the line the work is delegated.

So, this is the first tragedy. Organizations don’t always assign the right people, the right skillsets and the right knowledge to business continuity. If you have a burst pipe in your house you surely call for a plumber rather than an electrician?

What are you doing here?

I want to move on now to what a business continuity programme actually delivers.

Let’s assume you’ve hired a consultant or subject matter expert. They have finished their work, you’ve signed the cheque, you have a nice set of plans and other documents on your desk. Great. Good job!

So what have you got? A set of material that you can place on a shelf or file away in a cabinet until a crisis event occurs or an auditor turns up? As an aside I know this happens because it often forms the starting point of a new engagement for me. But if the work has been done thoroughly and professionally there will be other benefits.

Consider the following question for a moment. Where does business continuity start and finish?

Prevention is better than cure, a much used term and definitely relevant in the field of business continuity. OK it’s great to see our plans in operation and to see organizations survive crisis events but through our business impact analysis and risk assessment work organizations should be able to take actions or implement solutions that minimise or even eliminate the likelihood or impact of incidents or crisis events. Proactive rather than reactive.

So a further question arises. If an organization mitigates the risk of a potential impact on the critical business activities is that classified as risk management or business continuity? Is there an overlap?

One of the biggest challenges facing organizations when incidents occur is communication. Here we are in 2013 with a vast array of communication capabilities quite literally in the palm of our hand and yet it remains the single biggest criticism after almost every incident. The demand for information is higher than ever – we want quicker, we want more, we want numerous methods, we want, we want…

On the flipside there are lots of really effective tools, technologies and recognised good processes at our disposal. Provided organizations are disciplined, well-practised and well drilled they should be able to crack this. Again, from experience I often arrive at an organization to find they have invested in good tools, they have documented and practiced good processes but they frequently fall down in the areas of ownership (of the process) and maintenance of contact lists or databases. Inevitably this leads to stakeholders being disappointed when communications are issued. Frequently it falls to the business continuity practitioner to direct the resolution of these issues.

Good business continuity work should also identify single points of failure within the organization. They may be apparent within the IT infrastructure but equally, and again from experience, may also be within the organization’s people in the form of unique skillsets or knowledge. By identifying them, organizations can address these single points of failure. Without the business continuity activity some of these single points of failure may remain undetected and unaddressed.

So, this is the second tragedy. The work of business continuity practitioners to reduce or prevent incidents or to improve good practices is sometimes not recognised as business continuity work and is rather subsumed into or considered to be other disciplines.

You don’t appreciate me

I recently renewed the breakdown cover for my car. I hesitated just before I made the payment. ‘Is it worth it?’ In my head I considered some potential scenarios. ‘What if I renew and never need it – a waste of money’ followed by ‘what if I don’t renew and need it – saves a lot of stress and a lot of bucks.’ An unquantifiable but nagging probability whirred around in my head relating to the chance of my car breaking down next week if I didn’t renew. I sent the payment.

Isn’t this the point with business continuity? Most organizations will operate week after week, month after month, possibly year after year without a major disruption. The person with his or her business continuity plans sitting on the shelf gathering dust is thinking ‘what a waste of money that was.’ But just like the car breakdown cover if you need it, just once, it is worth its weight in gold and quickly pays back the investment several times over.

I love the phrase ‘better to have it and not need it than need it and not have it.’ It sounds like the sort of thing my grandmother used to say but how true, how relevant.

Now don’t get me wrong, I don’t wish organizations to suffer disruptive incidents or crisis events just to prove the value of their business continuity plans. Often my experience has been that an organization will use elements of their plans to good effect in different situations – the communication capabilities and protocols are a common one and may not always necessitate full invocation of the plan to demonstrate value.

Actually this reminds me of another point worthy of inclusion. It’s great to see business continuity featuring more and more in due diligence work between organizations when new contractual arrangements are being established. The question that makes me chuckle every time I see it is the request for a copy of the plan. I have some strong views about how plans need to be written but that’s for another day, another article perhaps.

My point is that business continuity consists of many different aspects, components if you will, that make up an overall approach, strategy, procedures and capabilities. Different teams, different functions, different roles all require specific, relevant and appropriate plans that contribute to the overall solution. Organizations are often big and complex. Think of business continuity as a framework in which the various parts of an organization work together towards a common goal. The organization’s crisis management team will have a plan, the various operational teams will have plans, the IT team will have plans, suppliers will have plans and so on. All of these will sit underneath a corporate business continuity policy. So how do you respond to the due diligence question? Send everything you’ve got? Send the policy? Send examples?

Oh, and whilst on the subject of due diligence, debates over phrases such as ‘reasonable endeavours’ are also a whole separate topic, best conducted with input from a lawyer!

So, the third tragedy is that business continuity plans may never be appreciated, because they don’t get used in full so the perception could be that they are a waste of money and resources.

You’re just not sexy

I’ve mentioned already that business continuity is not the sexiest topic in an organization. I certainly have no recollection of my careers adviser at school highlighting business continuity as something interesting or exciting to pursue. I got into the subject more by accident than design. The organization I was working for at the time had allowed its business continuity plans to fall into a state of disrepair. I happened to be available, having recently completed another project, and was asked to get things back in shape. Within a couple of months I found I was really enjoying the topic – the rest is history.

Having worked in this area for several years I am still enjoying my work. Whenever I meet anyone new and they ask what I do the typical assumption is that I am an IT expert but that is very wide of the mark and actually illustrates a good point, a common misconception about business continuity. Quite simply, it’s not about IT.

Sure, IT is a big part of the overall framework, a key enabler, a key dependency but on closer analysis the clue is in the title – BUSINESS continuity. I spend more time learning about and working with organizations’ business operations and people than I ever do with IT. The people aspects really fascinate me – everything from how people react to situations, to what they are capable of, to how to manage them, to how to support them. Get the people aspect right, manage your people well and your business continuity plans will be much more effective.

I love my work because it touches all parts of an organization and the solutions require several areas working together in a coordinated manner. Putting the jigsaw together is always interesting and when it goes well the feeling of achievement is great. Not many roles in an organization have such scope, involvement and impact.

For some reason organizations often struggle to decide which function should ‘own’ business continuity. I’ve worked in IT departments, risk management departments, compliance departments, facilities departments and finance departments. What does this tell us? No one wants business continuity on their patch? There’s no right answer? Either way it confirms the next tragedy – business continuity still has an image problem.

For the sake of the kids

Most organizations know they need to do something about business continuity. They may be being pushed by a regulator, a customer, an auditor or even an internal desire but still it may all be done under duress, begrudgingly, or on a ‘needs must’ basis. None of these suggest a positive or enthusiastic attitude towards the subject and implementation will, as a consequence, suffer. At best this is heading for the shelf, at worst it will result in failure when the organization really needs it to work.

Unless an organization’s people are interested in the subject they will divert their attention to something else. Over the years I have had to learn how to adapt my approaches for different elements of my work, for different organizations and certainly for different groups or teams of people. I know that if I don’t make the topic interesting and valuable or if I don’t demonstrate enthusiasm and energy towards it myself then those around me won’t either.

Business continuity is a great and fascinating topic and offers, for those organizations who learn and develop the various facets, several spin off benefits. It’s not a standalone subject, it’s not a First Aid kit, it will teach you a lot about your organization and may even influence some of your strategic decisions. I often think that organizations would be structured very differently if business continuity experts were involved in the creation and structure.

So, if your organization is only ‘doing business continuity because we have to’ you need to take a look at what is being developed, improved or created. What have you learned? What are the cross selling opportunities? Squeeze every possible benefit from the work. Merely going through the motions, doing the bare minimum is counter-productive.

Another tragedy – we are not in love with the subject so we are not going to be happy spending time with it.

Sad or happy ending?

Relationships are seldom perfect. Not all marriages are made in heaven. With any discipline in an organization I am sure there is someone somewhere every week saying they’ve had enough, they want to jack it all in, they want to do something else. That’s normal.

So what do you want to do about business continuity? Go your separate ways or book a second honeymoon?

I guess you need to sit down and think about how all this started, what you wanted from it, revisit the hopes you had and whether with everything that’s happened you still have the desire, the love and commitment to carry on. There’s so much to achieve and so much still to enjoy so no, you’re not finished yet.

Business continuity is important to your organization and there’s always more to be done. Despite all the tragedies it is an on-going love story for many of us and with the help of those around us we will get through any challenges. We have to stay focused on the positives and stick to the values important to us for the benefit of our organizations.

Author: Alan Walker, MBCI, is director of AW Continuity Ltd

Make a comment

Reader comment

I'd like to take one of the author's points and propose yet another tragedy. Let's call it ‘You Don't Own Me.’ We’ve been told over and over that business continuity needs to start at the top. Rarely do programs work if they start at the bottom and try to flow upward. The author's point about program ownership is probably another major tragedy that befalls the profession. Having experienced this dilemma (conundrum?) over my career, I can state, with some level of certainty, that a BCM program is often DOA (dead on arrival) without senior management support and the requisite budgetary approval. How do we achieve this? Many comments have been made over the years about how to secure senior management support, and we must be making some progress. After all, many of us who entered the profession years ago are still here: and our numbers are steadily growing! But we still haven't defined a ‘silver bullet’ that absolutely and unfailingly engages senior management in our efforts. We do, however, have a number of ‘bronze bullets’, such as return on investment, supply chain failures, and loss of reputation, but it's still an uphill climb before senior management is convinced. Perhaps the one major challenge - and tragedy - is that senior management (or any other senior leader) hesitates to take ownership of BCM initiatives.

Paul Kirvan, CISA, FBCI

•Date: 26th April 2013 • UK/World •Type: Article • Topic: BC general
UPDATED 1ST MAY

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.
   

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here