Choosing a business continuity consultant (and avoiding being sold snake oil)
An updated version of an article first published in 2010.
By Charlie Maclean-Bristol.
Snake oil is applied metaphorically to any product with exaggerated marketing but questionable and/or unverifiable quality or benefit (1).
For the consultant, selling business continuity can be the ultimate snake oil. Often, the potential client has been told to implement business continuity and doesn’t know where to start. Along comes the consultant, offering to take all the potential client’s pain away. They make all the right noises about BIAs, BCPs and RTOs but the client is never sure whether they are being sold the snake oil or a genuine cure. With other types of consultancy there is often a ‘cost benefit’, where the consultant will be able to show demonstrable changes or cost savings to the client.
In purchasing business continuity consultancy you buy from a consultant who plans for something which may never happen. If the plans have to be used, the consultant has been paid and is off to their next job. If the plan does not work, the consultant can blame the updating of the plan and not the original plan which they delivered. Therefore, providing business continuity consultancy is the snake oil peddler’s dream: it can command a premium price; you are often selling to a client who does not really understand what they are being sold; and it is very unlikely that your plan will actually be used and, if it is used, you most likely have been paid for the work and are long gone.
The purpose of this article is to give potential purchasers some ideas on what to look for in choosing a business continuity consultant, which will hopefully ensure that you get the services at the quality you require. By using the ideas within this article you should hopefully avoid the purveyors of snake oil and employ someone who will give you a genuine cure for your business continuity problem.
1. No different from purchasing any other type of consultancy
First of all, choosing your business continuity consultant is no different from choosing any other consultant. Chemistry and personality are key. Do you like the person who is offering you consultancy and would you be happy to spend six months (or longer) working alongside them? Are you happy for them to go in front of the CEO, explain his/her job in a crisis and critique his/her performance in an exercise? Can they speak the language of business as well as business continuity, will they fit into the organization’s culture and do you feel comfortable that they will deliver what you have asked them to. If you want lots of workshops or presentations then ask them as part of the selection process to give you presentation or interview them on how they would carry out a business continuity workshop.
As with choosing all consultants, ‘beware of the bait and switch (2)’, you have to ensure that the business continuity expert who comes along to your initial meeting is the person who will be carrying out the work and that this will not be delegated to a junior person who does not have the same level of skills and is simply learning how to implement business continuity at your expense.
2. Be an informed buyer
I have replied to a number of tenders where it is obvious that the organization putting out the tender has little or no understanding of business continuity. This makes it very difficult for those replying to the tender to cost the job correctly. If you are going to put out a tender or employ a business continuity consultant, I would recommend you go on a business continuity course yourself so that you understand what you are buying. There are a number of courses available which will give you a reasonable understanding of business continuity.
I was asked to do some work for a client who had employed a consultant from their insurance company to implement their business continuity programme. They never felt happy with his work, but didn’t have the knowledge to challenge him. They then went on the Business Continuity Institute’s five-day Good Practice Guidelines training course (with myself as the tutor) and at the end of the course they had the knowledge to ask him all sorts of in-depth business continuity questions which he couldn’t answer. I was then employed as his replacement. The better you understand the subject, the better and more cost-effective your purchase of business continuity will be.
3. Choosing a business continuity consultancy company
In finding firms to carry out your work you have a number of options. First step should be to Google business continuity consultants and see which companies provide the service. Don’t ignore the small local companies, as I will discuss later. Look in business continuity magazines for companies advertising in the magazines. Look also at portals, as companies often advertise on the portals. Look at www.ContinuityCentral.com, www.ContinuityForum.org and www.DRJ.com. Also look at exhibitions and conferences such as the Business Continuity Institute’s World Conference and Exhibition (www.bcm2013.com/) or the DRJs conferences as there is an exhibition of business continuity companies and service providers and is a good opportunity to see, informally, companies that you might want to deliver your business continuity.
There are a number of different types of companies to purchase business continuity from, all of which have different advantages and disadvantages. Three possible options for companies to choose from are listed below.
a. Large multi-discipline consultancies
If you are going to employ one of the large multi-discipline consultancies, check that they employ business continuity specialists (see sections 4. and 5. below) and that they are not just employing generalists who turn their hand to anything and will learn business continuity ‘on the job’. Large consultancies will normally charge towards the top end of the consultancy rates but they usually have depth (i.e. a number of business continuity consultants) and experience at delivering consultancy. You may want to check who the consultant is they will use on your job. This is because, as they get busy, (or they may do this for all business continuity work), they contract the work to a small independent consultancy firm. If they are doing this, you may be able to go directly to the independent consultancy, saving yourself the premium price of employing a large consultancy.
b. Smaller multi-discipline firms
Beware what I call the business continuity ‘dabblers’. These are consultancies who claim to be multi-discipline and claim to be able to carry out disaster recovery, information security risks management etc. Often, their staff are generalists not business continuity professionals; they will make all the right noises, but don’t really understand business continuity. If they know more about business continuity than you, you can never be sure whether they really know what they are talking about. Employing generalists can also apply to firms which principally sell IT software, IT services or disaster recovery. They sell business continuity as a bit of an aside but it is not really their core business. They may also sell consultancy as a way of introducing their software or services into the company. Employing generalists in business continuity roles also applies to some companies that seem to have every different sort of risk service on their website in the vain hope that a potential client sees it and asks for that service. Again, as with large multi-discipline companies check the qualifications and experience of their consultants.
c. Large or small independents
Business continuity consultancy is still a cottage industry. There are very few large consultancies that specialise in business continuity and the majority of consultancies (even the large multi-discipline ones) have ten or less business continuity consultants. Most are 2-3 person bands and consist of loose alliances who bring in associates to deliver larger jobs or to help out when they are busy. If you want lower cost business continuity consultancy these are the firms to approach. They will often be flexible on price (especially in the present climate) and, as they are small, they are able to offer a bespoke and flexible service to the customer. If you are choosing one of these, make sure you choose a business continuity specialist and not a generalist. Consider using a company local to you, as they will know the local environment and local risks and you can save money by not having to pay expenses. The downside of using a small local company is that if something happens to your consultant the company may not be able provide an alternative and so you may have to contact another company to cover the work.
4. Consultant’s qualifications
Once you have identified the consultancy you may want to use, you should check the consultant’s qualifications. In the United Kingdom, the Business Continuity Institute’s qualifications are the most widely used. I personally think the lead consultant should at least hold the MBCI or an FBCI qualification. Supporting consultants should be AMBCI qualified or at least be working to achieve it. In the United States, the most common awarding body is the DRI, which offers a similar set of qualifications to the BCI. The CBCI qualification offered by the BCI is less of an experience qualification but is awarded if you pass the BCI certificate exam (120 multiple choice questions in two hours).
You may also want to ask the consultant what training or courses they have been on, as there are a number of under and postgraduate courses in business continuity and other related disciplines. If your consultant does not have a qualification, I would question why (“never got round to it”; “don’t need a qualification to show my expertise…”). For me, if a consultant has not bothered to get one or more business continuity qualifications they are not serious about their profession, or they may be a dabbler who would not have sufficient experience to achieve a formal qualification.
5. Consultant’s experience
If you are employing someone to carry out business impact analysis interviews, check they have experience at carrying them out. If you want someone to implement business continuity throughout the whole of your organization from scratch, check they have the experience of doing it in the past. This may seem obvious, but many consultants have experience of implementing part of the business continuity life cycle and not all of it. So, get yourself some knowledge of business continuity and then check in some detail your consultant’s experience and that they have the knowledge of the parts of the life cycle you want carried out. This is especially important if you have little or no business continuity in place within the organization and the whole of the business continuity life cycle needs to be implemented. Interview them to check how they have implemented their business continuity theory into practical solutions. Ask for references and check them. It is very easy for individual consultants to talk up their experience when they could have actually been part of a larger team and weren't in a lead role.
I personally think that experience of the industry is less important than the consultant’s knowledge of implementing business continuity; although certain sectors, like financial services, seem to only want to employ consultants or contractors with financial services experience. The industry experience, I feel, can be learned on the job; the consultant is coming at the organization with a fresh set of eyes and is not trying to implement a solution using the same templates and documents they developed for the previous organization they worked for.
6. Implementing ISO 22301
Every consultant I know (myself included) talks about ISO 22301 to their potential clients and claims that all their work is compliant with ISO 22301. Most business continuity consultants will claim that they will be able to implement ISO 22301 in your organization. If you can implement business continuity it is obviously only a very small step towards implementing ISO 22301. I was under this misconception until, about three years ago, I started to implement BS 25999 (predecessor to ISO 22301) in my own organization. ISO 22301 is a long step from your more ‘typical’ business continuity implementation. A while ago I had a chat with a friend who works in a bank and who had got in a consultancy firm that advised them that they were 95 percent on the way to BS 25999. They invited in an accreditation body to do a gap analysis on ISO 22301, only to find they were a very long way from achieving the standard and that a lot more work was required.
If you need to certify your organization to ISO 22301 you should try and choose a consultancy that is accredited to ISO 22301. If they are not accredited to ISO 22301, find out why. More important is to ask them how many companies they have taken through to certification and the award of ISO 22301 and BS 25999. Many consultants will have worked on part of the certification or aligned the organization to ISO 22301 but have not actually taken the organization through to full certification. If you want ISO 22301 certification, the consultant who has taken an organization through to ISO 22301 will understand the requirements, how it is audited and will probably give you the best chance helping your organization achieve the standard.
Finally, I would warn against choosing an organization that will do the consultancy work to get you to ISO 22301 and then will certify you to the standard. I would always choose a UKAS certification body such as BSI, NQA, SGS or LRQA to carry out the certification. UKAS checks the quality of their certification and their code of practice means they cannot certify their own work. With organizations that certify to a standard but are not UKAS certified that you have no control over their quality.
7. In conclusion
As business continuity is a relatively new profession there is not a large number of people with the skills to carry out consultancy and so consultants can charge a premium over other related disciplines. Secondly, as the plans may never be used they don’t necessarily need to be able to work, as long as they look the part! Thirdly, as many purchasers don’t often understand what they are buying, it is then difficult to check if they are actually getting what they need. Within this situation there are lots of professional, well-experienced consultants and others learning the trade and gaining in experience but there are also the dabblers and the purveyors of snake oil. I believe that if you make an effort to understand what you are buying and check the qualifications and experience of your consultant before you purchase their skills, you will give yourself the best chance of achieving your business continuity goals.
A checklist for choosing a business continuity consultant
1. Define what you want them to do.
2. If you don’t understand what business continuity is, then go on a training course or find someone in the organization to help you design the brief.
3. Research which companies you might like to provide the service not excluding small local companies.
4. Meet and interview the possible consultants. Checking that they: -
5. Check their references
6. Perhaps get them to carry out a small bit of work to check the quality of their work
If there is a requirement to go out to tender for the work these checks can be built into the tender process.
Notes and references
(1) Wikipedia: http://en.wikipedia.org/wiki/snake_oil
The author would like to thank all those members of BCMIX - Business Continuity Management Information eXchange who responded to his request for help with this article
Copyright for this article has been retained by PlanB Consulting
I want to start off by noting that, overall, this is a very good article and provides those seeking business continuity expertise with some great pointers on avoiding key pitfalls specific to the following topics:
* Large multi-discipline consultancies
However, there is one statement with which I do not agree and find to be completely misleading to someone looking to bring in a consulting company:
“Look at business continuity publications for companies advertising. Those who can afford to advertise are likely to be the successful ones.”
Advertising – and the medium(s) an organization chooses to utilize – depends completely on the maturity of that organization in a given market. For example, when an organization begins delivering consulting services, naturally, they need to build brand awareness with their new target market focusing on specific product/service offerings. In this case, print advertising (to which the statement above is referring) would be an acceptable option. But once an organization has built awareness in the market, their goal should be to position themselves as industry experts (a.k.a. thought leaders) based on their myriad experiences – across different industries, project types, client types, etc.
As such, my advice for an organization looking to bring in a successful, value-adding consulting firm would be to look for one that is asked to regularly write and/or contribute to industry and non-industry articles/publications, appear as guest speakers (in both live and online arenas), has references that will speak to the fact that the organization demonstrated creativity and innovation in past projects, and one that has experience and a culture that most closely aligns to your organization’s unique needs.
So, back to my point, a large budget and blitz marketing campaign does not necessarily equal a ‘successful’ consulting firm. In fact, I would argue that the opposite is true because these tactics are usually deployed when an organization is attempting to compensate for where they’re lacking, which in this case could be minimal knowledge, experience, and/or references. All in all, organizations should do their research and ask others for recommendations; positive word-of-mouth is the best advertising.
Courtney Bowers, Avalution Consulting.
I would tend to agree with Courtney Bowers’s, Avalution Consulting, comment re: advertising.
Those who shout the loudest are not always the best or the most experienced.
Generally, in the working environment I have noticed that the ‘tick the box’ culture does not always provide real hands on solutions or experience. Many advisors, consultants and middle management box tickers pass on advice/procedures without working through the reality of the function of implemented procedures themselves. Subsequently blaming failures on clients or consultants or those below and, occasionally, above in the corporate structure.
Although adhering to a BCI standard is important and the check list is of some use, I feel that the article could be narrowed down to item six : (perhaps get them to carry out a small bit of work to check the quality of their work) and just two other points:
1. Is the consultant going to oversee and be available and responsible for at least a desk walk through, to assess any immediate glitches?
This would ensure any 'snake oil' sellers are also a little more circumspect in their pronouncements.
I would also suggest that those who are prepared to be held to account, whether they have postgraduate qualifications, membership of various professional bodies or not, should give a client confidence that they are giving open and direct advice that the consultant will stand by.
This is a good article with useful information, especially in regard to BS 25999 implementation. Been there, done that! However I disagree with Charlie Maclean-Bristol's sentiments on advertising. My organisation gets most of our work from word of mouth recommendations and has not needed to advertise. The fact that we don't need to advertise (but can easily afford to) reflects positively on us.
I also disagree with Courtney Bowers’s comments on speaking engagements etc. I have spoken at seminars and contributed to publications, but rarely get the time to do so due to client engagements. I think the proof is in the delivery of service and in demonstrating the value of the BCM process, whether or not incidents occur. Ask your consultant how much repeat business they get, and whether their past clients would provide a recommendation.
Chris Hurst MBCI, Chameleon Continuity.
•Date: 27th August 2013 • UK/World •Type: Article • Topic: BC general