WELCOME TO THE CONTINUITY CENTRAL ARCHIVE SITE

Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

It is all about survivability

By Geary Sikich.

If you want senior management to pay attention give them something that challenges their focus - and understand that their focus is not on how many computers you have or RTO, RPO stats. It is on business survivability: will we be in business tomorrow given the issues that we face today.

What is more important to your organization’s continuity of operations – how many working computers you have - or where your competition will be coming from in the next five years?

Can you identify the risks, threats and vulnerabilities that affect your organization’s continuity? Or, are you just deluding yourself into a series of ill-fated false assumptions that leave your organization with meaningless plans, misguided efforts and lack of buy-in for the value of continuity planning?

Paradigm shift

It is time for a paradigm shift in business continuity thinking, in the manner that business continuity planning is taught and in the value we think that we bring to the table. The reality is, that in spite your best efforts; based on today’s planning paradigms, you will always be a step behind and viewed as an adjunct to the business rather that an asset to the business. Sounds harsh? Take a look at reality. Organizations have survived hurricanes, tornadoes, manmade catastrophes, technology threats and a whole host of ‘hot button’ issues over the course of time. The reality is that businesses do not necessarily survive competitive forces in the markets that they serve. They do not necessarily survive changes in consumption, trends in the marketplace or resource constraints. These are the bigger survivability issues.

Retrenchment

Let’s start with the business impact analysis (BIA). First, one has to recognize that the BIA is merely a slice in time; a snapshot of what is considered a business impact. And, let’s face it; it is an out of focus, blurry and off target snapshot. Second, if the BIA takes months to complete; in some cases years, what value does it have? It tells you what was, not what is or what can be. And, ‘worst case’ scenario? This is always interesting, worst case scenarios are almost always based on assumptions that range from the sublime to borderline incredulous. It is almost like watching one of the History Channel Armageddon programs. Yes, an asteroid could hit the earth (history proves that) and destroy all life; the ice caps could melt (it would have to get quite warm to get them to completely melt) causing flooding and a plague could devastate humanity, etc. But, if you rethink worst case in a sensible way you can see that there are far less and fewer farfetched scenarios that will cause significant damage sufficient to put the survivability of the organization into question.

Now let us turn to planning.

I wrote an article entitled ‘Is your organization’s planning brittle’. In the article I posited five questions that indicate brittleness in planning:

  • Do the organization’s plans stand in silos of excellence?
  • Are activation and implementation of plans independent and uncoordinated?
  • Does the organization face critical junctures of survival every time an event or certain shocks affect it?
  • Does analysis of worst case scenarios underlay the basis for planning?
  • Do the plans reflect the strategy, goals and objectives of the organization?

Below I summarize the points made in the article:

  • “Do the organization’s plans stand in siloes of excellence?” begets the aspects of accountability, threat identification, business impact analysis and much more. Isolated plans that are not linked to a single accountable entity will result in fragmented response, confusion and missed opportunities.
  • “Are activation and implementation of plans independent and uncoordinated?” the effects of nonlinearity come into play as the unintended consequences resulting from fragmented implementation can further exacerbate the impact of an event.
  • “Does the organization face critical junctures of survival every time an event or certain shocks affect it?” This is in part due to transparent vulnerabilities, unseen and unforeseen risks. The enterprise may not have the capacity to withstand the extra stresses of an event.
  • “Does analysis of “worst case” scenarios underlay the basis for planning?” Business impact analysis, SWOT analysis, risk matrices, risk heat maps, etc. all fall into the trap of historical analysis. The occurrence of extreme events cannot be predicted from a review of past history. Selection bias comes into play when we develop worst case scenario based plans.
  • “Do the plans reflect the strategy, goals and objectives of the organization?” Most planners most often fail to consider the goals and objectives of the organization. Errors and the subsequent consequences are almost always fatal for the planners, plans and in many instances, the organization.

Planning does not go far enough either: we rarely make a credible attempt to plan the post-incident period in any significant detail. So, re-entry, recovery, restoration and resumption of operations are often just skimmed over in the business continuity planning process.

Exercising plans is the next area we should be concerned over. Most plans are exercised in the void of the internal world. That is, we rarely take into consideration what the reaction to an event will be by other organizations that respond to, or are impacted by the event. And, we come up with some exercise protocols that are, at best entertaining, at worst, gloss over significant failure points and irregularities that may surface.

If you are going to exercise - know and understand the organization's goals and objectives. Then develop scenarios that evaluate the ability to meet those goals and objectives under situations of duress and disruption. Take a lesson from business war gaming and develop scenarios that incorporate business/operational issues - new product offerings, where will our competition come from in the next five years and how will this shape our business continuity needs. Move away from problem - solution linear thinking and begin to seek to understand complexity, opacity and non-readily linked issues. Also, you want to look for failure points, issues and assumptions regarding availability of infrastructure that you have no control over – e.g electrical grid, telecoms, etc.

Most exercises reflect a ‘happy face smile’. We start with something bad happening, activate the organization and are deluged with exercise messages that require response, consisting of everything from demonstrating proficiency (rolling out the fire hose) to mock press briefings with amateur reporters who have no experience in asking the kinds of questions posited by the actual press (although the actual media can be pretty lame in their questions too). We get stuck in linearity – problem/solution episodic exercises that fail to raise the significant issues, questions and analysis required to determine the survivability of the organization. When was the last time you posited an exercise question like this:

“Who will be our competition within the next five years as the result of (this event, this new market we have created, etc.)”.

Exercises are a form of entertainment: the result is that our exercises fail to touch on the real issues that have significant impact to the organization, its products/services. Exercises also create false positives with regard to capabilities and capacities.

Lastly the area of maintenance needs to be revamped and rethought. Annual maintenance and review is simply ludicrous as a concept and practice. Change occurs throughout the cycle and therefore maintenance programs should be in constant motion tweaking information, instead of collecting information for the annual review. Intelligence services are constantly collecting and analyzing information in order to turn it into a viable ‘decisionable’ product. In order for business continuity to provide value it must stay abreast of the organization’s scope of operations.

Conclusion

I am sure that many will think my remarks blasphemous, scathing and unjust. However, just do some research into the popular literature of the past decade and you will see that certain constant questions and statements arise over and over. “How can we get senior management buy-in?” “XX% of companies that failed did not have a business continuity plan.” “We have a comprehensive planning process.” “I can’t get management to listen to me.” I am sure that you can think of many more. The reality is that we need to embrace a new paradigm. A paradigm that is broader in its focus, deeper and more constant in its analysis and more vibrant in the resultant plans, etc.; what Nassim Taleb refers to as ‘Antifragile’.

The author

Geary Sikich is an entrepreneur, consultant, author and business lecturer. He is a seasoned risk management professional who advises private and public sector executives to develop risk buffering strategies to protect their asset base. With a M.Ed. in Counseling and Guidance, Geary's focus is human capital: what people think, who they are, what they need and how they communicate. With over 25 years in management consulting as a trusted advisor, crisis manager, senior executive and educator, Geary brings unprecedented value to clients worldwide.

Geary is well-versed in contingency planning, risk management, human resource development, ‘war gaming,’ as well as competitive intelligence, issues analysis, global strategy and identification of transparent vulnerabilities. Geary began his career as an officer in the US Army after completing his BS in Criminology.
Geary has a passion for helping executives, risk managers, and contingency planning professionals leverage their brand and leadership skills by enhancing decision making skills, changing behaviors, communication styles and risk management efforts.

A well-known author, Geary’s books and articles are readily available on Amazon, Barnes & Noble and the Internet.

Contact: G.Sikich@att.net or gsikich@logicalmanagement.com.

This article is Copyright© Geary W. Sikich 2013. World rights reserved. Published with permission of the author.

Click here to make a comment

Reader comments:

Thank you for your article, Geary.

I have deep concerns about your paradigm shift suggestion, however, and not because of an intractable commitment to current planning methodologies.

My concern boils down to this: If we shift to the paradigm you suggest, in what way are we still doing preparedness planning at all?

What you are talking about is not continuity or preparedness planning: It is strategic planning.

What happens if the price of gasoline quadruples? What happens if our competitors release technology X before us? How will we react if our market share drops 25%? What if our supply chain in country Y suddenly stops? How do we position ourselves to be in Gartner's magic quadrant?

This is an entirely different scope and skill set than we are talking about within a discipline of preparedness planning. Your call for a paradigm shift is a call to switch one profession for another, one discipline for another, and one career path for another.

I would posit that:

  • There is room and a need for both disciplines. We need to prepare to recover from significant physical and staffing losses AND we need to prepare to position the organization for success in the coming years.
  • We do need a paradigm shift in preparedness planning. But the shift should not drive us OUT of the discipline all-together. The shift should be to find more effective and efficient ways to prepare organizations to recover from disaster.

David Lindstedt, Readiness Analytics.


The author's response to the above comment is published below:

The above comment echoes discussions that I have had with colleagues regarding the practice of business continuity and it seems to me that the author of the comment misses the point precisely.

If business continuity planning fails to address the three drivers - competition, consumers/customers and investors (the most overlooked continuity issues), how can we say that we are actually doing ‘business’ continuity planning? While Dr. Lindstedt expresses his concern thus: “What you are talking about is not continuity or preparedness planning: It is strategic planning”.  My response is that to overlook the drivers of the business (competition, consumers/customers and investors) is to fail to adequately provide for continuity of the business; that is, its survivability in the markets within which it operates.  Do you think that executives at Microsoft, Apple, ExxonMobil, Boeing, Google, Ford, GM, Toyota, etc., really care about RTO, RPO estimates?  No, rather they concern themselves with the potential impact of competition, retention of the customer base and quality of the products and/or services that are being offered/provided.

If you read the comment from Dr. Lindstedt and visit his website (Readiness Analytics) you see that he comes from the IT-centric mindset and does not seem to differentiate preparedness from ‘business’ continuity.  Dr. Lindstedt comments: “This is an entirely different scope and skill set than we are talking about within a discipline of preparedness planning.  Your call for a paradigm shift is a call to switch one profession for another, one discipline for another, and one career path for another”.  In fact I am not calling for a shift from one discipline to another.  Rather I am saying that business continuity planners need to blend the skillsets within the discipline to offer more robust services.  And, this blending would include risk management skills too.  There is value in understanding the challenges of recovering data systems (immense) and understanding the threats (cyber threats, etc.).  However, the business continuity planner is of little value when the question is posited by senior executives as to how they will meet their goals and objectives when operating in a state of discontinuity.

The second part of my response offers an example from Dr. Lindstedt’s website (Figure one: ‘A Simple Overview’) which to me clearly points to the IT-Centric mindset and the metric-centric ‘measure everything, collect information for information sake’ approach.  The problem is that the practice of business continuity continues to play with the wrong puzzle, thereby solving the wrong problem precisely.  In essence putting together answers to unasked questions.  And, not being able to answer the questions that arise as a result of a ‘crisis of confidence’.

Figure 1: A Simple Overview (http://www.readinessanalytics.com/simple-overview) :


What is The Readiness Test™?

A straightforward way to measure the preparedness of an organization, department, or service to recover from disaster.

How does it work?

You (and others) answer questions in a worksheet about how prepared you are within different categories of recoverability.  

Why does it work?

It is based on research, collaboration, and experience in creating hundreds of IT DR and BCP plans.

Are there different types?

Yes, there are different "flavors" of The Readiness Test™ ranging from "EZ" to ISO22301 and NIST SP 800-34.  Just choose the one that's right for you.  

What if I need help?

The worksheet is very straightforward, but we have developed the accompanying video series to walk you through each question, step-by-step.  We're also here to answer any questions.

Do I have to be an expert to use it?

Nope.  It's designed for anyone to use.  (But if you are a planning professional, you'll be very pleased with the results and powerful analytics tools at your disposal.) 

Does it work for any kind of business?

Yes.  We have performed preparedness assessments for many different types of organizations in different countries. 

Isn't there already something like this available? 

No.  It's the only tool in existence to measure preparedness to recover from disaster.  Other methodologies are complex and look only at preparedness activities, not results.  And, we provide the only Recoverability Confidence Index™ to help with executive stakeholders.

Preparedness is a valuable component of business continuity, but it is not continuity of the business: that is accomplished every day that the business survives and strives to meet its goals and objectives.  Testing is required for plans that are not being used.  If you are using the business continuity plan, that is addressing issues that affect the business, you are validating and modifying the plan on a regular, if not daily basis.

Note that Dr. Lindstedt’s website refers to IT DR ( in the ‘Why does it work?’ question in figure one) and regulations and guidance (ISO22301 and NIST SP 800-34) that are primarily IT driven: well intentioned, yet reflective of symptomatic reactivity; that is, regulations/guidance that address symptoms, after the fact issues and reactive response to incidents rather than focusing on problems before the fact.

Dr. Lindstedt posits two points:

1. There is room and a need for both disciplines.  We need to prepare to recover from significant physical and staffing losses AND we need to prepare to position the organization for success in the coming years.  I would suggest that what is needed is a collective of skills that focus on the continuity of the business rather than disciplines in ‘siloes of excellence’ – that is competitive intelligence, risk management, ‘business’ continuity planning, preparedness planning (emergency planning, disaster recovery, crisis management, etc.) that support and enhance strategic planning and the accomplishment of goal and objectives when operating in discontinuity or normal conditions.  I totally agree that we need to be prepared to recover from significant physical and staffing losses; however, we need to understand that these can occur when there has not been a major physical disaster (i.e., financial crisis caused staffing losses, yet no physical disaster per se).  Competitive forces change the direction of industries (i.e. typewriters replaced by personal computers), creating collateral changes that change the competitive landscape (i.e. carbon paper manufacturers suddenly lost market share, changed their business models and/or ceased to exist). 

2. We do need a paradigm shift in preparedness planning.  But the shift should not drive us OUT of the discipline all-together.  The shift should be to find more effective and efficient ways to prepare organizations to recover from disaster.   I am not advocating a drive out of the discipline all-together; I am advocating that the discipline take a hard look at its product, services, etc. and assess the value in context to the overall survivability of the ‘business’.  We need to quit being enamored with data, statistics and software tools that provide unrealistic numbers, statistics that are meaningless and logistics compendiums rather than plans.  We need to quit addressing symptomatic response after the fact and start to address the critical needs of the business operation.

Dr. Lindstedt’s comments confirm my perspective and that of several colleagues, that ‘business continuity’ as it is currently practiced is merely ‘disaster recovery’ renamed.  Dr. Lindstedt does not appear to understand that keeping the business running rather than responding to the infrequent and seldom fatal disaster for companies is ‘business continuity’.  It appears that he is oriented to establishing a management dynamic within a company that can be activated whenever it might be needed.  It is an admirable goal, but I'm not sure it is possible in reality given the number of variables that influence a company on a daily basis.  Dr. Lindstedt appears to be locked into theoretical thought rather than the reality of actual business survival today.

Dr. Lindstedt does get one point correct in his comments; that is I am talking about ‘strategic planning’.  Here is the problem: people talk about business continuity and mean disaster recovery planning.  They are not talking ‘senior executive’ language.  We do not have the liberty to use nomenclature with a meaning we like, rather than the meaning inherent in the term's history.

Business continuity is in fact a strategic planning methodology not a disaster response methodology.  Business continuity is inherently oriented to support a company's strategic goals and objectives and not to recover from natural disasters, manmade disasters, technology disasters, etc.

As my colleague John Stagl has said before, let's keep this simple: “Disaster recovery planning requires a disaster before the plan can be effective.  Business continuity requires an active company in ‘business’ to be effective.  If you confuse the definitions and terms you end up with the image the industry has today.  If we don't understand what we are doing, why do we think senior officers would be more inclined to view us as an asset?”

Geary W. Sikich


Response to the above from David Lindstedt

Wonderful! It is refreshing to have an author respond so quickly and with such well thought-out detail. It is also great to have a publication willing to dedicate space to debate and an exchange of ideas.

(It’s funny that you mention John Stagl, an important thought-leader in the industry, as he and I have had this same discussion on a few occasions. I haven’t managed to convince him, and I don’t anticipate convincing you either, but perhaps I can sway a few readers!)

MAIN ARGUMENT

To try and summarize a potentially complicated dialogue, my position is this:

1. It is important for an organization to prepare to continue or recover its services following a significant physical and/or staffing loss;

2. This effort is traditionally known as ‘business continuity’;

3. By way of comparison, it is also important for an organization to prepare to continue or recover its information technology systems and services following a significant physical and/or staffing loss; this effort is traditionally known as IT disaster recovery (IT DR);

4. These are just two of many disciplines within a larger scope of preparing an organization for adversity and change; each has an important role to play.

In essence I hear Sikich saying that we need to move ‘business continuity’ out of the scope of work that we call ‘business continuity.’ He writes: “Business continuity is inherently oriented to support a company's strategic goals and objectives and not to recover from natural disasters, manmade disasters, technology disasters, etc.”

I find this a surprising statement. I believe the discipline and profession of business continuity is exactly to prepare an organization to recover from natural disasters, manmade disasters, technology disasters, etc.

Suppose we move business continuity to a new focus. What happens to the work we used to call business continuity? Is it not important? Do we just call it something else but still do the work? What fills the void if business continuity moves up and gets subsumed under strategic planning?

And what of related disciplines? Does IT disaster recovery get abandoned and replaced as well? And emergency management? And workplace safety compliance? Why are these disciplines any different than business continuity when it comes to safeguarding the organization?

Strategic planning on the scope Sikich envisions is an extremely complicated discipline. It is not unimaginable that it would require deep knowledge of financials, the marketplace, organizational theory, law, and the like. If deeply seated within the organization, this is the role of the owner, president, c-suite, and other executives. It is their job to identify and synthesize the information and efforts of all preparedness planning work and then to steer the organization in the right direction to secure its continued existence in the marketplace.

Each area serves an important function in ensuring the continued existence of an organization. Each has a discipline with proper methodologies, training, experience, bodies of knowledge, and best practices. There is no need to arbitrarily cannibalize business continuity out of its proper place.

The choice is not just between strategic management and “just deluding yourself into a series of ill-fated false assumptions that leave your organization with meaningless plans, misguided efforts and lack of buy-in for the value of continuity planning.” There is a proper place and value for continuity planning.

In conclusion, we must answer Sikich’s question of, “If business continuity planning fails to address the three drivers - competition, consumers/customers and investors (the most overlooked continuity issues), how can we say that we are actually doing ‘business’ continuity planning?” The answer is that business continuity planning is actually doing what it was always meant to do: ensuring that the organization can efficiently recover from a significant physical and/or staffing loss. And we’ll leave consideration of competition, consumers, and investors to strategic planning and management.

HIDDEN DRIVERS

What is driving this call for a ‘paradigm shift’? I believe it comes from the desire of:

  • Preparedness professionals to get more recognition from leadership;
  • Preparedness programs to be better recognized as providing value to the organization.

There is nothing wrong with either of these sentiments. The question is how best to achieve these goals.

I would suggest that:

  • Professionals and programs should take advantage of any opportunity to provide additional information, data, analysis, or general benefit to leadership and the c-suite.
  • Professionals and programs should also take advantage of any opportunity to explore and provide secondary benefits to the organization.
  • The preparedness planning profession as a whole should dedicate more effort to raising awareness of the value of business continuity and preparedness planning through efforts in marketing and research.

But we ought not to encourage the business continuity program to abandon its post entirely. It has an important role to play; and is a discipline of its own.

David Lindstedt, Readiness Analytics.


Reply from Geary W. Sikich:

I welcome the continuing dialogue regarding my article, “It IS All About Survivability,” as I feel that this may spur the practice to embrace some needed forms of change.  However, that being said, it appears from his comments that Dr. Lindstedt is still missing the point and is being naïve regarding what I have posited.  His comments seem to evoke seeing things in an either/or fashion – black or white with no middle ground.  This is a shame.  I do not advocate that we relinquish the roles that are traditionally practiced; rather I encourage us to build and expand the roles of the current practice and in doing so bring more value to the enterprise.

Dr. Lindstedt makes an initial comment in parenthesis:

(It’s funny that you mention John Stagl, an important thought-leader in the industry, as he and I have had this same discussion on a few occasions.  I haven’t managed to convince him, and I don’t anticipate convincing you either, but perhaps I can sway a few readers!)

G. Sikich comment:  Having written several articles and shared podiums on many occasions with John Stagl over the years, I agree, he is an important thought-leader in the industry.  John has also worked with senior management as part of the senior management team; he has also taught courses for Masters Level students.  His breadth of experience lends an air of validity to the argument for a paradigm change.

Dr. Lindstedt posits his main argument thus:

MAIN ARGUMENT

To try and summarize a potentially complicated dialogue, my position is this:

  • It is important for an organization to prepare to continue or recover its services following a significant physical and/or staffing loss
  • This effort is traditionally known as “business continuity”
  • By way of comparison, it is also important for an organization to prepare to continue or recover its information technology systems and services following a significant physical and/or staffing loss; this effort is traditionally known as IT disaster recovery (IT DR)
  • These are just two of many disciplines within a larger scope of preparing an organization for adversity and change; each has an important role to play

G. Sikich comment:

Item #1: It is essential that organizations prepare to continue or recover their product/service offerings following a significant physical and/or staffing loss.  I would add that it goes beyond this too.  Being prepared at a tactical level is essential; but we should not overlook the operational and strategic level of preparedness and the need for forward looking (horizon scanning) focus that begins to identify the future issues that could create failure points, triggers and shocks that can undermine the enterprise.

Item #2:  I would disagree that the effort is traditionally known as “business continuity”.  Since the predecessors of what today is called “business continuity” are “disaster recovery”, “emergency preparedness”, “crisis management”, etc.; the term “business continuity” is relatively new, its origins from the late 1990s when IT disaster recovery opted for a new term/name (business continuity) – with an expectation of an expanded role that unfortunately continues to be rooted in systems recovery and not business recovery.  Hence we still have The Disaster Recovery Journal (DRJ), The Disaster Recovery Institute (DRI) and other outgrowths, spinoffs and organizations that proclaim to address business continuity when in fact, it is enhanced disaster/systems recovery.

Item #3:  I totally agree with this statement. However, that is not the thrust of my article and therefore seems a moot point.  If we have not recognized that much of the world is technology dependent we must be hibernating in a cave.  However, IT is not the business necessarily.  Rather it is supportive of the business in the attainment of its goals and objectives.

Item #4:  Again I agree in principal.  I do not posit the abandonment of these critical practices; I advocate for them.  Adversity and change can take many forms that are currently not covered under the current practices.  I believe that this is what needs to be address with a paradigm change.  Therefore I do not advocate abandonment, rather, expansion; and recognition of complexity, opacity and the need to identify triggers of change early and develop adequate strategies/responses as appropriate.  

Dr. Lindstedt further comments:

In essence I hear Sikich saying that we need to move “business continuity” out of the scope of work that we call “business continuity.” He writes: “Business continuity is inherently oriented to support a company's strategic goals and objectives and not to recover from natural disasters, manmade disasters, technology disasters, etc.”

I find this a surprising statement.  I believe the discipline and profession of business continuity is exactly to prepare an organization to recover from natural disasters, manmade disasters, technology disasters, etc.

Suppose we move business continuity to a new focus.  What happens to the work we used to call business continuity?  Is it not important?  Do we just call it something else but still do the work?  What fills the void if business continuity moves up and gets subsumed under strategic planning?

And what of related disciplines?  Does IT Disaster Recovery get abandoned and replaced as well?  And emergency management?  And workplace safety compliance?  Why are these disciplines any different than business continuity when it comes to safeguarding the organization?

G. Sikich comment: I would offer a clarification of the statement: business continuity is senior management’s prime objective – that is keeping the business running and meeting its strategic goal, objectives and mission.  Here again, I find the ‘black or white’, ‘either - or’ thinking coming to the forefront.  Business continuity is not as clear cut and easily differentiated as Dr. Lindstedt would apparently like it to be.  Business is messy and therefore little boxes of defined roles/plans, etc. should no longer apply in “business continuity” thinking.  I do not advocate, as it seems that Dr. Lindstedt interprets the abandonment of any of the disciplines, rather I advocate for their becoming a way of doing business instead of an adjunct to the business being done as is the case in most enterprises.  These disciplines are critical to business success, yet we do them almost as an afterthought cradled in ‘cylinders of excellence’ (siloes) with turf boundaries that make it potentially detrimental and counterproductive to the enterprise.

Dr. Lindstedt further comments:

Strategic planning on the scope Sikich envisions is an extremely complicated discipline.  It is not unimaginable that it would require deep knowledge of financials, the marketplace, organizational theory, law, and the like.  If deeply seated within the organization, this is the role of the owner, president, c-suite, and other executives.  It is their job to identify and synthesize the information and efforts of all preparedness planning work and then to steer the organization in the right direction to secure its continued existence in the marketplace.

G. Sikich comment:  Business today is extremely complicated and so is the public sector.  We no longer have the straight forward linear models that were embraced after World War II.  We have moved from agrarian to industrial to information societies.  Yet, we still advocate practices from the past – such as ‘best practices’.  John Stagl has entire presentations and has written on the debunking of ‘best practices’ so I will not elaborate here.

I think that the statement made by Dr. Lindstedt sums up my argument well – we need to expand our knowledge base, learn more and recognize how these factors impact the ability of an organization to recognize, respond to and recover from events.  Was J.P. Morgan Chase’s recent ‘whale trade’ a business continuity issue?  I would argue that it was, just a significant as BP’s Deepwater Horizon event, the Exxon Valdez, Hurricane Sandy, etc.

Dr. Lindstedt comments:

Each area serves an important function in ensuring the continued existence of an organization.  Each has a discipline with proper methodologies, training, experience, bodies of knowledge, and best practices.  There is no need to arbitrarily cannibalize business continuity out of its proper place.  

The choice is not just between strategic management and “just deluding yourself into a series of ill-fated false assumptions that leave your organization with meaningless plans, misguided efforts and lack of buy-in for the value of continuity planning.”  There is a proper place and value for continuity planning.

G. Sikich comment:  I am not advocating abandonment or a simple black/white, either/or decision.  We need to continue to build on the practices.  But we also need to expand the purview of the practices so that they can increase the value proposition and not be mired in place.

Dr. Lindstedt concludes:

In conclusion, we must answer Sikich’s question of, “If business continuity planning fails to address the three drivers - competition, consumers/customers and investors (the most overlooked continuity issues), how can we say that we are actually doing ‘business’ continuity planning?”  The answer is that business continuity planning is actually doing what it was always meant to do: ensuring that the organization can efficiently recover from a significant physical and/or staffing loss.  And we’ll leave consideration of competition, consumers, and investors to strategic planning and management. 

G. Sikich comment: Failing to address the issues of competition (the number one cause of business failure), consumers/customers and investors is failing to adequately prepare the enterprise in much the same manner as not building plans for natural disasters, technology disasters, etc.  We see that missing the point precisely (again) is the price we may pay for failure to provide as much value as could be provided.

Dr. Lindstedt further concludes:

HIDDEN DRIVERS
What is driving this call for a “paradigm shift”?  I believe it comes from the desire of:

  • Preparedness professionals to get more recognition from leadership
  • Preparedness programs to be better recognized as providing value to the organization

There is nothing wrong with either of these sentiments.  The question is how best to achieve these goals.

I would suggest that:

  • Professionals and programs should take advantage of any opportunity to provide additional information, data, analysis, or general benefit to leadership and the c-suite. 
  • Professionals and programs should also take advantage of any opportunity to explore and provide secondary benefits to the organization
  • The preparedness planning profession as a whole should dedicate more effort to raising awareness of the value of business continuity and preparedness planning through efforts in marketing and research. 

But we ought not encourage the business continuity program to abandon its post entirely.  It has an important role to plan and a discipline of its own.

G. Sikich comment: Dr. Lindstedt’s first two bullet points are reflective of where the industry is.  Preparedness professionals do want to be recognized as significant contributors to organizational success and providers of value.  In order to achieve this we need to get out of the current mindset and into a different value proposition mindset.  Yes, it is important to know how many critical processes there are, and it is important to have a list of computers, applications, etc.  But that is not the value proposition that will create the appreciation of the planning effort in the various areas (emergency plans, disaster recovery plans, crisis management plans, business continuity plans, workplace violence plans, etc., etc.).

I agree with Dr. Lindstedt’s next points:

  • Professionals and programs should take advantage of any opportunity to provide additional information, data, analysis, or general benefit to leadership and the c-suite. 
  • Professionals and programs should also take advantage of any opportunity to explore and provide secondary benefits to the organization
  • The preparedness planning profession as a whole should dedicate more effort to raising awareness of the value of business continuity and preparedness planning through efforts in marketing and research. 

 
I am not advocating abandonment of the current practices.  I am advocating a change to make the current practices more valuable to the decision makers and therefore more meaningful to the planners.  We need to provide more quality in the information, data, analysis that is currently being done.  We need to be viewed as a ‘value added’ component, not a necessary adjunct/afterthought.  One goes about raising awareness by bringing forth the issues that are going to be future crises in order to become preemptive and consistently reactive.

Here is a figure that I use in some of my presentations.  I title it ‘Heightened Awareness or Reactive and Backward Looking”.  It presents three columns.  The right column reflects where the majority of organizations are in today’s world.  The middle column is focused on where the organization should begin moving (paradigm change).  The third column is representative of an ideal.  It is where we would like to be, but, may never be able to attain due to various forces (competitive forces, etc.).

I would suggest that many organizations are still in the reactive and backward looking column of the figure.  We focus on ‘Mission Critical Processes’ (Systems thinking derived from IT disaster recovery) when we should be asking: “Is the process still relevant?”  Our research tends to be limited and focused on readily available problem –solution linear thought processes (hence we end up with pandemic plans that look at securing masks, etc. instead of asking if our product/service will be in demand or not).  Addressing the symptoms of risk and seeking to define the cause often causes us to mistake efficiency for effectiveness resulting in mistaking execution for strategy.

Some organizations exhibit various characteristics of the middle column.  While they attempt to recognize change it is still difficult for them to break the old ways of doing things and the old thought processes (call it business continuity when in fact, it is enhanced systems recovery).  Focus is still on cause and effect – linear thought, rather than recognizing complexity, opacity and interconnectivity as influencers.  Quit looking for a single cause and focus on the ability to overcome the effects of the event.

The left column is reflective of an ideal; where should strive to be.  This actually is somewhat unattainable or limited in terms of how long one can be invested therein due to change – which is consistent.  However, it does offer a more robust form of resilience than is currently being practiced, taught and researched.  When I cite that it is not process dependent, that does not mean that process does not play a significant role.  It is just that process is not the primary driver, role, etc.

We overlook and underplay the role of risk in our planning.  Unseen or unanticipated risk is the game changer for plan implementation.  I agree that events do not materialize as we think that they will - so why have plans that are ‘brittle’, prescriptive and lack flexibility - and, are rarely used in actual response to an event.  Business continuity planning is a multi-disciplinary practice that should combine a lot more than just planning.  Business continuity planning is not a logistics exercise; it has to provide a plan that incorporates value for decision makers at tactical, operational and strategic levels.

We need to expand research and knowledge.  We need to stop asking the wrong questions precisely and getting ‘false positive’ answers that delude us into a sense of security that often time blows up when we have to activate the ‘plan’.  My colleague David Wilson of Ontonix writes in his blog:

Journalist William Langewiesche, who specializes in deconstructing accidents, says that there are three kinds of accidents.

“Procedural” accidents, in which someone makes a mistake — as when pilot error causes plane crash.

“Engineered” accidents, in which materials or structures fail in ways that should have been foreseen by designers and engineers.

“Systems accidents,” such as the Gulf oil spill, which occur because “the control and operation of some of the riskiest technologies require organizations so complex that serious failures are virtually guaranteed to occur.”

Among those “riskiest technologies” are the air transportation system, nuclear power plants, aircraft carriers and, as we now know, deep-water oil drilling. We accept the risks they entail because we like the rewards they provide.

Systems accidents don’t occur because the system failed, they occur because the system exists — and because it is so complicated that inevitably something will go wrong.

One of the implications of “systems accidents” is that when we try to address what went wrong we add even more complexity to an overburdened system. And that increases the risk of accidents.

This is not to say that we should abandon regulatory oversight, mandatory safety reviews or environmental assessments, as some people have claimed. Those are all important safety checks that can help prevent disaster. 
http://wp.me/p16h8c-7

We need to realign not abandon; reenergize not relegate and we need to rethink how we implement and practice business continuity.  Instead of actually doing something, we have taken refuge in deciding what to do.  I do not know the solution; so I seek people out and posit the problem. Quit waiting for Deus ex Machina: An unexpected or improbable person or event that saves a seemingly hopeless situation.  The essence of strategy is making wise choices about where and how to compete.


To read an article by John Stagl which adds to the above debate go to: Whose job is business continuity?


Response to the above from David Lindstedt

While a person's value may increase by continually expanding his or her scope, a discipline must focus.  

If business continuity is going to carve out its own niche, ground itself as a discipline, and have its practitioners recognized as professionals, it must found itself on unique best practices within a well-researched body of knowledge.  

Articles in defense: 

 - Lindstedt, David: “Grounding the Discipline of Business Continuity Planning” –  Journal of  Emergency Management and Business Continuity, Vol. 3, December 2007

 - Copenhaver, John, and Lindstedt, David: “From Cacophony to Symphony: How to Focus the Discipline of Business Continuity,”  –  Journal of  Emergency Management and Business Continuity, Vol. 4, No.2, March 2010

This has been an interesting conversation, and I hope others will join in.



A response from Dominic Cockram, managing director, Steelhenge Consulting

Geary:

An excellent and thought provoking article and very timely in raising and addressing some key areas that now need consideration. I have to agree with many of the tenets you set out about business continuity and its future in the world. There have been too many complaints of "not gaining the board's attention" as you say and for very good reason. A successful BC manager and his programme should not be on the Board agenda unless there is something going badly wrong. BC is a management job which reports in to an executive - probably not board level in many cases - and which is there to deliver the ongoing operational continuity of the business which is a vital and important job. However, BC is not designed to cover a wide range of other strategic concerns for the business - as noted by Lyndon Bird in his recent article in Continuity titled "Where to now for BCM?” in which he, as Technical Director of the BCI, discusses the options and openings in the worlds of resilience and crisis management.

The issues you raise about ‘survivability’ and the creation of an ‘anti-fragile’ organisation chime, I think, with the growing development of the world of resilience and much of what you describe would fall comfortably under that banner.

Survivability is quite a narrow title for the ongoing development of an organisation and it, in many ways, refers more to the creation of longevity in reality - the ability of an organisation to ride the economic cycles and changes in product desirability etc etc. RIM and Apple would both be examples of both good and bad practice in this as well as many others. Much work has been done on the ability of certain iconic companies to continue for long periods and this has helped to establish some of the requirements of such resilience:

Redundancy: spare capacity
Reliability: continuing to function under stress
Anticipation: horizon scanning to anticipate
Preparedness: plans in place
Flexibility: distributed skills and expertise
Adaptive capacity: use change to fuel new developments
Learning: capacity: learn from errors, lapses and mistakes

These can lead us to capabilities required to achieve resilience in the following areas:

  • The capability to assess risks and threats, to anticipate a disruption and mitigate, avoid it or prevent it from occurring
  • The capability to plan and prepare for disruption, thereby protecting the organisation
  • The capability to adapt or respond to and manage a disruption successfully, thereby preventing a disruption from spreading its impacts
  • The capability to recover to a new “normal” state after a disruption and assure continued operations (longevity).

The question here is really "so what?" Does this help the average BC manager or organisation and if so how? The key is for organisations to recognise that these are desirable traits if they aspire to remaining in the game for a long time and being successful. If so, then they need to look at how they set out to achieve them. The BC manager is not, in most cases, going to be the person to lead this particular charge but the COO or CFO may well be, with a team under his command who own the critical areas that need to be made resilient.

This is the best way I have seen of stepping out to achieve what you describe and to bring together the real business functions of strategy, sales, risk, ops and BC, people and many others which are all key to the long term future of any organisation. They all own risks to the future success and also potential strategies to resolving those risks or at least seeing them coming. It just needs some joined up thinking to bring the strands together. In the UK, the work is well underway for new standards in organisational resilience and also in crisis management to follow that of BC, risk and others and these recognise that there are many different elements to building the thinking and responses of an organisation to any disruption, be it market led, economy led or a simple IT failure!


References

Apgar, David, Risk Intelligence – Learning to Manage What We Don’t Know, Harvard Business School Press, 2006.

Kami, Michael J., “Trigger Points: how to make decisions three times faster,” 1988, McGraw-Hill, ISBN 0-07-033219-3

Klein, Gary, “Sources of Power: How People Make Decisions,” 1998, MIT Press, ISBN 13 978-0-262-11227-7

Orlov, Dimitry, “Reinventing Collapse” New Society Publishers; First Printing edition (June 1, 2008), ISBN-10: 0865716064, ISBN-13: 978-0865716063

Sikich, Geary W., Managing Crisis at the Speed of Light, Disaster Recovery Journal Conference, 1999

Sikich, Geary W., Business Continuity & Crisis Management in the Internet/E-Business Era, Teltech, 2000

Sikich, Geary W., What is there to know about a crisis, John Liner Review, Volume 14, No. 4, 2001

Sikich, Geary W., The World We Live in: Are You Prepared for Disaster, Crisis Communication Series, Placeware and ConferZone web-based conference series Part I, January 24, 2002

Sikich, Geary W., Graceful Degradation and Agile Restoration Synopsis, Disaster Resource Guide, 2002

Sikich, Geary W., "Integrated Business Continuity: Maintaining Resilience in Times of Uncertainty," PennWell Publishing, 2003

Sikich, Geary W., “It Can’t Happen Here: All Hazards Crisis Management Planning”, PennWell Publishing 1993.

Sikich Geary W., "The Emergency Management Planning Handbook", McGraw Hill, 1995.

Tainter, Joseph, “The Collapse of Complex Societies,” Cambridge University Press (March 30, 1990), ISBN-10: 052138673X, ISBN-13: 978-0521386739

Taleb, Nicholas Nassim, The Black Swan: The Impact of the Highly Improbable, 2007, Random House – ISBN 978-1-4000-6351-2

Taleb, Nicholas Nassim, The Black Swan: The Impact of the Highly Improbable, Second Edition 2010, Random House – ISBN 978-0-8129-7381-5

Taleb, Nicholas Nassim, Fooled by Randomness: The Hidden Role of Chance in Life and in the Markets, 2005, Updated edition (October 14, 2008) Random House – ISBN-13: 978-1400067930

Taleb, N.N., Common Errors in Interpreting the Ideas of The Black Swan and Associated Papers; NYU Poly Institute October 18, 2009

Taleb, Nicholas Nassim, Antifragile: Things that gain from disorder, 2012, Random House – ISBN 978-1-4000-6782-4

•Date: 10th September 2013 • US/World •Type: Article • Topic: BC general
UPDATED 29th OCTOBER 2013

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.
   

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here