A different perspective on the BIA / risk assessment question
- Published: Thursday, 06 July 2017 09:18
Peter Barnes, FBCI, responds to the recent Continuity Central survey into attitudes to the business impact analysis and the risk assessment, suggesting that the profession needs a new approach to standards and guidance.
As a ‘lifer’ in business continuity management, with some 27 years’ experience watching and participating in the evolution of the profession, I find the current debate around the need for risk assessment and the BIA quite fascinating.
For me the questions on the table now are not new: I and a number of others were questioning both these practices back in the 1990s. At the time, one of the leading global consultancies introduced a process of ‘Fast-Track BIA’ based on the premise that, if you put the right group of business heads and subject matter experts in a room together, you could arrive at a consensus on corporate and process priorities and continuity resource requirements within an hour or two, and that this would be more than adequate to provide a meaningful foundation for development of a BCP. In the largest enterprises one might need a number of such meetings to capture the needs across a more complex business, but the theory was that the ‘BIA requirement’ could be met with a very small number of days of effort. (This was at a time when the standard sales script for a business continuity consultant focused on bagging a six-month contract to undertake a BIA before he or she would commit to where the exercise would lead next.) Needless to say, the instigator of this approach was treated with immense scepticism and suspicion at the time, but I continue to use much of his methodology to this day.
On the subject of the risk assessment, in those days (and this is a view I still hold), if the risk management function was doing a decent job in what is a somewhat speculative area in any case, then what could possibly be gained by the business continuity function implementing additional processes aimed at exploring our own somewhat narrow scope?
Fundamentally, in my view the profession has become locked in by the one-sided, process-driven approach advocated by the standards and good practice guidelines that now dominate our profession. These collectively ‘corner’ all professionals into subscribing to the manifestos of the standards and professional bodies with no opportunity to challenge for fear of failing an audit or regulatory review. On this point, I am very much with Messrs Armour and Lindstedt that the world might be a different place if we had a new standard – not necessarily branded as an ‘Adaptive BC standard’ but certainly one that focuses on ‘recoverability’ rather than the process of plan building and management.
As a further illustration of my point above, I challenge the reader to identify a single successful publicly accessible training programme for business continuity in the major European or US markets that is unencumbered by allegiance to ISO standards or to the guidelines and endorsement of one of the professional bodies. This absence of ‘common-sense / pragmatic’ training for industry newcomers simply stifles still further the opportunity to challenge the status quo and develop a 21st century approach to business continuity. (Note: this is not a criticism of the standards or bodies themselves but a reflection of how the commercial realities of the worlds they populate have actually been counter-productive to the development of more flexible – perhaps better (?) – ways of doing things.)
The comments of those who responded to Continuity Central’s survey illustrate that there are many differing opinions; I would suggest this is because those responding come from businesses spanning many different types, sizes and operating models. The fact is that there is no ‘one size fits all’ approach to business continuity, and that applies whether one is addressing the BIA question, the ‘organizational resilience’ context or any of the other questions of the moment pertaining to the context and future direction of the profession.
One of the consequences of the context in which we currently work is that I find my role, as a practitioner / consultant, is now split in two. The main part of my time is spent focusing my clients on the recoverability of their business and channelling energy into the important practical aspects of their business continuity management activities. Then a significant secondary role is the creation of a parallel world of documentation and audit trails that deliver nothing whatsoever at a practical level but tick the boxes of auditors and regulators who need ‘evidence’ based on our outdated standards.
Mark Armour describes those who choose to defy the standards as ‘mavericks’. Let’s give more space to the mavericks – I am proud to be numbered among them!