Is business continuity management a dead-end?
What's the future career path for today's business continuity professional? I've plodded along a BCM career path for 14 years, and I don't see a light at the end of the tunnel. All I see is more tunnel. Here's a simplified job description for a business continuity managers in a multinational company in Asia, and maybe where you live, too: 1. Get lukewarm to tepid management support. Did I miss anything? I'm not making a judgment about the value of business continuity management or BCM professionals. I am one. I'm making a judgment about the long-term prospects in our profession for the vast majority of practitioners today. I know several regional, national or international business continuity directors who get to travel, manage the work of others, make presentations at industry conferences, and give interviews to reporters. But I hope they'll be happy doing the same thing in 2020 because I just can't see many of them moving up the corporate organizational chart. There may be exceptions, but I think they only prove the rule. The future of a business continuity management career is cloudy from day one. When I'm recruiting a BCM person, for example, I usually ask that old HR interview chestnut: "Where do you see yourself in five years?" The candidate never waxes rhapsodic about her vision of an upwardly-mobile future in the profession. She nearly always reacts like a deer caught in the headlights. Your average business continuity professional isn't asked to contribute to strategic business decisions at the executive level or in the board room, at least not here in Asia. She is not involved in product development. She doesn't generate any revenue. She doesn't manage lots of people. She doesn't sell anything to customers, or deliver after-sale support. She doesn't produce financial statements or brief stock market analysts. She spends her time and the company's money planning for possibilities that everyone agrees probably won't happen. She's a cost center, not a profit center. She's part of the income statement, not part of the corporate vision statement. Her closest friends are...internal auditors. That simply cannot be a strategy for career longevity. If the choices are "up or out"...well, you know where the door is. It's just difficult to chart an upward career path for a person whose job is to plan for The Apocalypse if asteroids never smash into the planet. He'll never get to put on his cape and dash to the rescue. At least other departments get to crank up the lights-and-sirens now and again. A burglar breaks into the office: Security gets to hunt him down. An employee steals a purse, smokes dope, assaults a colleague or has a mental breakdown: the human resources department has procedures for all that. Caustic liquid spills on the warehouse floor? EH&S (environment, health and safety) mops it up. The electricity fails, the lights go out, the HVAC shuts down, the toilet backs up: quick, get Facilities down here. Your computer crashes: ring up the Help Desk. The world economy melts down? Hey, that's why CEOs get those big bucks. But a business continuity manager? He's inconspicuously hoping the world ends so he can justify his existence. A soldier, a fireman, a cop and an ambulance driver have jobs that are often described as hours of boredom punctuated by moments of sheer terror. A business continuity manager's job can be characterized as months - no, years - of pushing wet spaghetti uphill, punctuated by infrequent moments of testing. In my experience, a lot of business continuity professionals simply get bored after a while. Business impact analysis (BIA) may be the foundation of all BCM programs, and doing it properly can take weeks or months. But it eventually boils down to filling in colored squares on a table to illustrate the impact of an interruption on business processes. Filling in colored squares on tables is unrewarding at best, mind-numbing at worst. The only thing more frustrating is trying to get management to pay attention to the chart with the colored squares. Last year, H1N1 influenza seemed sure to be the stimulus package we needed for the disaster planning profession, particularly for those in North America who hadn't had the excitement with SARS and bird ‘flu we had in Asia in 2003 and 2005. Lots of masks, gloves and anhydrous liquid disinfectant were acquired and stockpiled. Tamiflu was in plentiful supply. (Companies weren't allowed to buy it during bird flu because it was in short supply.) My mailbox overflowed like a runny nose with announcements for disease-related conferences and training sessions. But in the end, this particular pandemic threat turned out to be no worse than the sniffles. The kind of people who like business continuity enjoy thinking about the unthinkable. We dig that momentary frisson when the alarm goes off. We get an adrenaline rush running to the EOC. We bathe in the testosterone high of after-action satisfaction. And we feel just a teeny bit smug to have been proven right after all. Oh, go ahead. Admit it. But has this happened to you, too? I go to a party. I spot an attractive prospect. Unexpectedly, my pickup line works. The conversation burbles along. Then I tell her that I'm ‘in business continuity’. Her brow knits, her eyes lose just a bit of their sparkle. "Oh, you mean like computer crashes and stuff?" "No, no," I say, "all kinds of disasters, like 9/11". "Oh," she says, hesitant. The corners of her mouth droop. She glances over my shoulder, smiles vaguely at someone. The moment goes limp. It's over. And this is when? Maybe 25 years after the first business continuity plan was written?! And we haven't come up with a better story line in all that time. I hear the DRJ conference in the US draws as many attendees as ever, so there must be new people coming into the business. The Continuity Insights conference in New Orleans reliably draws about 350 people every year, mostly senior BCM practitioners. The BCI says it got ‘almost 350’ to its conference in the UK last November. BCP Asia's conference and the BCM Institute's 'World Continuity Conference' were both postponed last year for lack of enthusiasm; those events have each drawn about 100 people in the last couple of years. The number of people at business continuity conferences is definitely not growing, and I think it's declining. I think we're mostly talking to ourselves at those conferences. In Asia, the number of people wanting to get into BCM is growing much faster than the number of available jobs. I must get three inquiries a week just from India, where they're turning out future business continuity professionals, but where companies have not yet gotten that ol' time BCM religion. The future of business continuity management So where is the business continuity profession going? More importantly, where is your career going? Let me try to shine a light toward the end of the tunnel. The notion of BCM as an organizational silo simply will not survive another decade at most Western multinational companies, in my opinion. The urge to merge responsibilities will become irresistible. A CEO, a board of directors, a regulator all want just one person - one phone number to call when the business runs off the rails. Business continuity management intersects with so many other corporate disciplines that also contribute to corporate resilience - security, emergency response, environmental health and safety, risk management, disaster recovery and crisis management, to say nothing of human resources, facilities and corporate communications - that it just doesn't make sense to build another, separate department. I expect that several organizational models that combine two or more resilience disciplines will be tried, and a few will become accepted management wisdom. Whether those will result from friendly functional mergers or from hostile departmental takeovers is not yet clear to me. Probably both. Some companies - Deutsche Bank in Germany, for example, and OCBC Bank in Singapore - have mooshed their BCM and security functions together. It doesn't always go smoothly; maybe BCM people are from Mercury and security people are from Mars. And a head of security is as unlikely to move up a corporate ladder as is a head of BCM. The most likely combination in banks and service businesses is BCM with operational risk management, one of the many dialects of enterprise risk management. My view of that approach is informed by a fateful chicken-and-the-egg question that I apparently answered incorrectly several years ago. SPRING Singapore had recently endorsed British Publicly Available Standard (PAS) 56 and was promoting it to Singapore business continuity professionals, as a precursor to a future BCM standard. A guy from SPRING asked me over coffee whether I thought BCM was part of risk management, or risk management a part of BCM. It was a pop quiz, and I flunked it. I said BCM was part of risk management. He said the correct answer was that risk management is a part of BCM. That's still The Business Continuity Institute's official view, too. I've never heard from SPRING since that day. But BCM is considered subordinate to risk management in every board room I've ever been in. I think your answer to the question is quite relevant to any discussion about the future of BCM, and your future in it. Your business continuity future So, what about you? What color is your BCM parachute? A select few will climb the organizational chart by managing business continuity for more territory or more headcount or both. Over a period of years, a local BCM coordinator could become a national business continuity manager, then regional BCM manager, and eventually perhaps the global BCM manager. The number of positions available at the top of that staircase is miniscule, so that path won't be accessible to most business continuity professionals. The rest of us are going to have to make some choices. They won't be simple or easy. To advance professionally, we will either become responsible for more kinds of causes, or for more kinds of consequences. By "causes", I mean "risks", and particularly those risks that executives, directors and shareholders think of as crises, emergencies or disasters: product liability (milk and lead poisoning in China), product recall (Sony laptop batteries), fraud (Bernie Madoff in the US, Satyam in India), hostage-taking (Caterpillar, 3M and Hewlett-Packard - in France!), kidnap & ransom (Somalia), identity theft, emerging infectious diseases (Africa and Asia), civil unrest (pretty well anywhere except Singapore), climate change (in Australia, to pick just one place), food security or bankruptcy (General Motors). My own favorite is water shortage (Australia, Asia, Africa). None of those is considered a business continuity responsibility in any company I know of. All are a lot more likely than the end of civilization (despite last year's movie 2012). All require sustained coordination among multiple departments, and across time zones. All require skills that most business continuity professionals don't have; no one else does, either, and that's the big career opportunity, in my view. By "consequences", I mean those that result from destructive events (2004 Indian Ocean tsunami, 2008 Sichuan earthquake, Jakarta Marriott hotel bombings) that require First Aid, emergency response, incident command, environmental health & safety, shelter & feeding operations, volunteer management, EOC operations, crisis communications, psychological counseling, group or individual crisis intervention, and even disaster relief. That will mean building bridges between professions, and making an effort to develop new skills. Visiting new websites, reading new blogs, taking training courses on professional tangents, seeking new certifications and going to other organizations' annual conferences. We must offer something to hiring managers, recruiters and executive committees that merits promotion, that provides value, that addresses everyday risks, impact and consequences, that earns and deserves respect. To do that, the scope of our responsibilities and our skills at fulfilling them must grow. We must develop executive gravitas. May I make just one suggestion? Do something completely different this year: go to a conference outside - but related to - the business continuity profession. Exchange business cards. Visit the booths, pick up the literature. Take a few notes. Shake a few hands. Have a few drinks at the bar; go nuts and buy a round. Most of all, pay attention. We're in a bull market for disasters, but a bear market for resources to respond to them. Those trends look to be very, very long-term. The need for contingency planning for companies and communities - and for ourselves and our loved ones - is greater than ever. The value of a Department of Extraordinarily Unlikely Events, however, is lower than ever, and is still headed south. Author: Nathaniel Forbes, MBCI, Forbes Calamity Prevention Pte Ltd. This article was first published on Mr. Forbes’s blog: see http://www.calamityprevention.com/blog/?p=112 ©Copyright 2010 Forbes Calamity Prevention Pte Ltd, Singapore. Reader comments Nathaniel Forbes’ article “Is business continuity management a dead-end?” encapsulates the frustrations and sense of lack of appreciation that most BCM managers in large organisations seem to suffer from, and he quite rightly questions what sort of future these individuals have in rising up the corporate ladder. However, it’s not so much a comment on BCM, but on anyone working in a support function in a large organisation. If you want to progress in any business, then you must eat, live, and breathe the business. Become part of it, learn it, practice it, and live it. Working in a support function and being an expert in that function, be it Finance, HR, Risk Management, IT, etc. will only take you to the top of that particular support function tree. These people are “hangers on”, not really part of the business. All successful business people are experts in the business that they operate in, and are not support function people. BCM is not, and probably never will be, as important to an organisation as Finance, so the head of BCM won’t get as far as the head of Finance. Unless you can get out of the specialised support function and get into the business, you’ll never make it to the higher levels of the business. To put it another way, if you want to work in BCM and get to the top of a company, then go and work for a BCM company. Mel Gosling
Thought this article was brilliant, it encompassed all the frustrations that those responsible for business face. I like the author had problems with conversations when the term business continuity was mentioned. I now tell people that I’m in the Grudge Purchase Industry: that gets people’s attention... Peter Wood
At the end of the day the Chief Operating Officer is responsible for keeping his operation going regardless ‘hell’ or ‘high water’. The current philosophical approach of tirelessly trying justifying a separate BCM function is actually increasing the risk for the COO to not do the job properly due to this tug-of-war with the BCM department. The COO must make sure that there is resilience and recoverability for the most probable partial and total disruption scenarios that can develop in his/her context. Leave the COOs to their own devices but make sure there is a well resourced and experienced Business Continuity Risk Management function in place to: 1. Do operations risk assessments Business Continuity Management must become a non-event in any operation; everybody is responsible for it. For any type of operation it is simply about ‘risk and return/minimising running costs’. If you want to make good profit or run an effective non-profit operation then you must also own and manage your risks well. Hans Maritz
Provocative as always. Thanks for a fine article well argued, but now allow me to agree and disagree on at least a few points. Yes, the internal and some external auditors are indeed my best friends. I keep following their adverse audit findings around many organizations to help alarmed senior staff "make them go away" - their adverse audit findings, of course. It was quite novel for me recently to commence a new BC assignment where there were no adverse audit findings, yet. Possibly because I came to BCM from a non-traditional background - HR, business and corporate planning as well as too many years in emergency management - response, recovery and lots of planning and exercising as well as incident management - after nearly 5 years, I still see BCM as an opportunity. I market it as an investment in business improvement, while we plan and prepare for a crisis, that may never come. Business improvement is always popular and can be delivered as part of workshopping BIAs and then carefully working through recovery procedures. Often the way a business can do things in a crisis can also be applied to normal operations; saving a few steps and sometimes many dollars. Now you've got the Executive's attention - savings - and you and BCM, as you practice it, are on the road to being seen as an investment rather than a cost. I rarely talk about scenarios until exercises (I test technology - pass or fail, it worked or didn't when I expected to - and exercise people for continuous improvement). I keep on talking about loss of access to key resources - infrastructure - the hardware of the business, big, generally immovable things like buildings; technology - can be hardware too, but is generally smaller and capable of being moved more readily; and people. In all my years of managing and planning all manner of disaster/emergencies, it’s always the people who find a way around or through it. A good DRP is invaluable, but you still need the people to make it work, even the best hot site degrades in time without support. By the way, Mel, nobody knows the business like a BCM. Except for the CEO, who else but a BCM visits or engages with every part of the business? This is why I am often recruited by the CEO, Deputy CEO responsible for BCM or the CFO. The smart ones do see BCM as an investment and a good survival strategy for them, which I remain happy to support. I am also engaged for skills transfer to the internal BCM, who usually has another title. Without a C-Level champion at the get go you and BCM are on course for a dead-end. Of course, I have recently taken the "easy road". I am now a consultant BCM, being an internal BCM is a HARD road to hoe - keep on keeping on for those working internally for BCM. One word of advice: ensure you have good governance in place that keeps batting BCM and its findings, if not to the board, then to influential committees usually chaired by one of the inner circle of executives e.g. risk and audit committee/s. Adverse audit findings give BCM an immediate entree to the audit committee, so keep on reporting to them at least. By the way, I don't think you failed the pop quiz, Nathan, for my money, BCM is a part of risk management and a BCP is an expensive and usually elaborate risk mitigation strategy. Chris, Consultant, B4Crisis
I write this comment in my capacity as BCM coordinator. Please allow me to introduce and qualify myself: I am not a member or fellow associated with any institution. I happened to be the Y2K coordinator in a financial institution. Not to allow the efforts to be futile, I tried to sell the benefits of an investment already made, (at considerable cost I may add) to colleagues in internal audit. Nothing happened until 9/11. The rest is history. I subsequently enrolled for a masters degree in information sciences at one of the recognised universities in my country which gave me the opportunity to write a dissertation for which the topic selected happened to be on business continuity management. This useless background was necessary for what is to follow.
I suggest that Mr Forbes has re-opened a fairly hackneyed debate about silo mentality and so whilst many researchers, working in a plethora of management areas, are trying to bring together knowledge and research across those disparate fields, he quite successfully takes us back several years, whilst ignoring the considerable collection of published research material that he could have drawn upon on the subject and instead relies upon some entertaining anecdotal evidence to support his position. I suggest that perhaps an alternative view of the issues he raises should be considered and if we reflect upon the fields of risk management, disaster management, BC management, information security management, facilities management, project management, HR management, wealth management, resilience management, incident management, security management, then a theme appears. In case you haven’t already spotted it, it is “management”. There are numerous other management fields that I could have added to the list, but I’m sure that people have seen the point that I’m making here and I do not wish to be accused of labouring it! So having identified a common link across the fields, then we could think about the similarities and crossovers in those fields or disciplines. Mr Forbes identifies a number of systemic failings in BC management that I would suggest could equally be found in any one or more of the other management fields that I have referenced, yet I’ve not noticed any recent articles suggesting that information security management, as one random example, is a discipline that is headed for the scrap heap. Quite the contrary, I cannot open my e-mail application without a tsunami of somewhat ironic messages, from an assortment of vendors, offering to rid me of the burden of spam in my e-mail inbox and other such threats to my organization’s systems and networks. Mr Forbes also raises the issue of the tensions between risk management and BC management, but I suggest that the matter is more fundamental than deciding which field has primacy. I would invite you to look at any of the management fields that I listed and I’m quite certain that we can see that risk runs as a thread through all those management disciplines, rather like the word “risk” running through a stick of rock from the seaside (for the uninitiated, one could purchase sticks of garishly coloured confectionary with the name of the relevant seaside town embedded in the stick for its entire length, it was probably responsible for causing years of juvenile dental decay!). There’s project risk, security risk, etc, etc and so I would suggest that rather than trying to separate the inseparable, we should perhaps try to identify efficiencies and synergies in all our organizational management activities and strive to improve the effectiveness of those assorted management programmes. I would suggest that it is certainly worth considering, what’s the risk in that management approach? In time, hopefully sooner rather than later, we shall see what emerges from the ongoing research into that latter approach, but in the interim, I would ask you to reflect upon this one last point from the field of disaster management. Many disaster management scholars can wax lyrically about the Flixborough disaster of 1974 (it was claimed to be the previous holder of the ‘biggest peacetime explosion’ title in the UK before being usurped by the 1993 Bishopsgate bomb, which in turn was overtaken by the 2005 Buncefield explosion) and they will undoubtedly talk about the systemic management failings in that event, which directly led to the explosion. However, for the record, it was an event created by a business continuity management solution to an operational disruption that failed to appropriately consider (manage) the relevant risks in the BC solution implemented and so in turn necessitated emergency, crisis and disaster management responses by a plethora of organizations. Kev Brear
Why is it that we are called practitioners? What is it that we practice, anyway? It all sounds a little like a particularly scary snake oil. Those who practice law are called lawyers; those who practice accounting are called accountants or CPAs, those who practice medicine are called doctors. I have been working in the field of Business Continuity, DR, InfoSec... you choose the name ... since before any of these professions had a name. We are pioneers still, in a profession that is still not licensed and whose role is not even remotely understood by those who generate value in an enterprise – sales and production. We cut across all of the support silos and are present within all of them, but our primary purpose SHOULD BE to protect value generation within the enterprise – whether private or public sector. Might I suggest that BCM is, through a process analysis approach, an essential part of value generation? By their very natures, neither sales nor production is well-adapted to ‘see’ risk within their functions, whether in their supply chains, production lines, or sales forecasts. This is especially true when that risk permeates the enterprise culture. Executive management wants to believe that the proposed merger is its next nirvana. They do not want to think about its defects seriously, or how these may be countered. It is our role to do that. It takes an outsider perspective to see the black swans lurking in every deal, whether for the latest greatest sales prospect or corporate merger/acquisition or soon-to-be contracted offshore production facility. The ‘dead bodies’ of such bad deals litter boardrooms everywhere. Until we become a regularly consulted partner and trusted advisor in each of these strategic deals, we shall remain relegated to the corridors and data centers and cubicles of support functions. Some people used to call me Cassandra, prophet of doom. But now I call myself a Black Swan Hunter. Our skill comes both of hard experience and the ability to perceive what others do not. We must now move to the next stage, talking not only of risks but of risk mitigation, and building that perspective into all aspects of the organization. It is a far more difficult task than our earlier charge…preparation and testing of plans to mitigate damages when the ‘unforeseeable’ unfortunately occurs. We are still such seers or ‘see-ers’. Our role is now to require analysis and the application of mitigating protections from the inherent risks we see – and that others do not, before the contract is inked, before the design is sealed. And to ensure that the necessary protections endure many years later. Our vendors need to stop trying to sell silver bullets and ‘fix-everything’ patent medicines. Very few black swans really die, they just shrink to a size that can be temporarily ignored. That failure to see those 3-inch dragons climbing the walls of the boardroom allows them to penetrate all aspects of the organization, to hitch a ride on the plane that takes the new manager to the newest acquisition or partner, where they grow large and strong. Our vigilance and vision allows us to see them and slay them, or at least to keep them small and weak. The recent catastrophe facing Toyota is a perfect illustration of this, but such events are everywhere if you know how to see them. We do. That should make us a critical part of any strategic decision in the value-generation chain. But are we there? Rarely. Should we be there? Always. Kathleen Lucey, FBCI
I totally agree with the author's articulation of dilemma faced by business continuity professionals. But is that not the case with people in all the support areas? At the beginning of a BC professional's career, all appears to be rosy, as we are learning new concepts or about different business areas. As you progress, given cost constraints there is a limit to growth in organisation's hierarchy. I believe that the most important thing is to keep our jobs interesting, else we will not deliver to the best of our ability. Here are a few things which can make our work more interesting/challenging: * Do not limit it just to complete BIA analysis. We need to organise operational incident management exercises and not limit incident management exercise to the top management only. This helps them to be better prepared to manage an incident as well as see how information captured in business continuity documents will be useful in a real event. * Try and learn new areas with natural synergy (e.g. physical security, information risk & privacy, operational risk, disaster recovery, etc.). This helps not only in self development but also in adding more value to the organisation. * Keep a track of what's happening in other industries (either through interactions with peers OR working in different organisations), so some of the learning's can be applied. Ashish Malani
•Date: 2nd Feb 2010 • Region: SE Asia/World •Type: Article •Topic: BC general |
