Adaptive BC: the business continuity industry’s version of The Emperor’s New Clothes?
- Last Updated: Tuesday, 28 May 2019 07:26
- Published: Thursday, 09 May 2019 15:39
Adaptive Business Continuity (Adaptive BC) is an alternative approach to business continuity planning, ‘based on the belief that the practices of traditional BC planning have become increasingly ineffectual’. In this article, Jean Rowe challenges the Adaptive BC approach.
We all can appreciate the intent to innovate, but innovation, in the end, must meet the needs of the consumer. With this in mind, the Adaptive BC approach (The Adaptive BC Manifesto 2016), uses ‘innovation’ as a key message.
However, I believe that, upon reflection, the Adaptive BC approach can be viewed as the business continuity industry’s version of The Emperor’s New Clothes.
The Emperor’s New Clothes is “a short tale by Hans Christian Andersen, about two weavers who promise an emperor a new suit of clothes that they say is invisible to those who are unfit for their positions, stupid, or incompetent.” As professional practitioners, we need to dispel the myth that using the Adaptive BC approach is, metaphorically speaking, draping the Emperor (i.e. top management) in some finely stitched ‘innovative’ business continuity designer clothes that only those competent enough can see the beauty of the design.
Upon closer inspection, the shortcuts the Adaptive BC approach endorses should not be labeled as innovative. They are simply shortcuts. Shortcuts for shortcut’s sake, are far from innovative. For example, around the late 1990s, business continuity practitioners started conducting conversational or group business impact analysis (BIA) interviews vs ‘traditional’ one on one interviews. This action was taken to ensure that both upstream and downstream dependencies were captured and confirmed with all stakeholders present; it saved time (a kind of a shortcut), but, also, this approach changed the way risk assessments and BIAs were done. This innovation still required the BC practitioner to identify and assess risk, interdependencies, timeframes, etc. and DID NOT bypass the BIA process via 30,000-foot hypothetical discussions with top management.
Adopting the Adaptive BC approach may speed the implementation of a business continuity program, but at what cost? In my opinion, the costs include poor or missing requirements and issues with selecting the most appropriate response and recovery strategies (more on these in a moment).
Sources of proven leading practices - ISO 22301 and the BCI Good Practices Guidelines (GPG) for example - do in fact work when performed and led by competent practitioners. And this is where the BC practitioner becomes the catalyst for innovation. Failing to align and take advantage of these proven bodies of knowledge may increase the likelihood of disruption and the impact associated with a disruption, including unacceptable impacts on lives and livelihoods.
No risk assessment
Firstly, the Adaptive BC approach throws the risk assessment out of the window. As a business continuity practitioner, even if you are not held to a Code of Conduct or not certified in this industry, it is unethical to turn a blind eye to a known risk(s) to the continuity of an organization, especially risks to human lives. I’m not advocating that we catalog an endless and unpredictable number of threats (that’s not a risk assessment). But what I am asking is can any business continuity professional truly ignore risks when lives and livelihoods are at stake? We simply cannot pretend that there are no ethical, moral and/or integrity issues involved in this ill-fated plot twist to this story.
- Does pretending a risk doesn’t exist mean the risk will go away?
- With no risk assessment process, does the business continuity program truly support the organization’s business strategy?
This is akin to the story line in The Emperor’s New Clothes when people pretend to see a new suit of clothes while, in reality, the Emperor is parading around with nothing on because the Emperor was convinced that only competent people can see his clothes (not to mention, the Emperor approved the design and wore it).
No business impact analysis
The second Adaptive BC ‘innovation’ is NOT to conduct a business impact analysis (BIA) because it is considered old school and not innovative. The Adaptive BC approach incorrectly labels the BIA initiative as some laborious several-months-to-a-year-long process wielding little or no value. Having conducted hundreds of BIA interviews, trained the teams to do it right, and managed dozens of BIA processes, I completely disagree with this ‘innovation’. I question the source of the authors’ research. Were they only researching poorly performing business continuity programs?
Consider the incredible value of a BIA done right. There is high value in the dialogue between and across groups before, during and after the BIA initiative. It has been my experience in BIA interviews, that:
- Previously unknown risks are identified,
- Business process improvement opportunities arise,
- Information shared has provided a bridge to new opportunities for The Emperor to consider,
- Budgets are better supported,
- Business enablers (IT, telecom, etc.) are improved,
- Audit and risk managers become allies, and
- Knowledgeable personnel who could help during the future-state response and recovery effort (on teams) are identified.
Imagine being able to provide to new managers the BIA results for their area of responsibility when they join the organization along with the known risks they are responsible for. Now that’s worth weaving into the fabric of the organization!
Bottom line, the organization’s resilience is strengthened on many levels when the BIA is done right. Experienced professionals understand and have benefited from the BIA over and above its intent to fulfill the business continuity management system (BCMS) needs. One more point: if an organization abandons the BIA, where do they get their business continuity requirements (recovery time objectives, capacity and resource dependencies)?
The reality is that if your organization’s BIA initiative resulted in a laborious process and little/no value, then you should question several elements of the design: start with assessing the methodology used, if enough resources were applied (especially if it took several months to a year!), the competency of the business continuity professional responsible, how well the initiative was sold to ‘the Emperor’”, and whether or not knowledgeable staff were involved in the process.
The risk assessment and the BIA - no divorce granted in the business continuity kingdom!
Many issues cited by the authors as reasons for not conducting a risk assessment or BIA have been overcome by countless professionals in the business continuity industry. There are many practitioners and/or BC organizations ready to share how to overcome the issues given as reasons to not bother to do the necessary work.
When I was interviewed by a consortium of public and private sector representatives from the government of Japan after the Kobe earthquake, I was asked what the relationship was between the risk assessment and the BIA. I responded that they were married and could never, ever, get a divorce. The audience of more than 50 attendees laughed even before the translator could translate my analogy, but they understood.
The risk and opportunities identified in the risk assessment, coupled with the BIA results, ultimately are the foundation of the business continuity marriage in order to survive and thrive. These critical first planning phases help frame the plan development process so it focuses objectively on the most critical and essential business activities. In a marriage, setting priorities, managing risks/opportunities are important to the relationship, and building on this union is an ongoing process of continual improvement. By cutting out the very process of weaving this fabric that secures and keeps healthy the business continuity planning foundation, it negatively impacts the strategies and solutions that further assure a solid harmonious future.
According to the Adaptive BC approach, business continuity practitioners are to rely solely on the Emperor and the Royal Court (top management team) to provide what they think or feel are the priorities for recovery of services and/or products and when these should be recovered. Their opinions and views are definitely important, but the Emperor and/or the Royal Court may not be aware of the special nuances of the organization that could be critical in an emergency – this should also be identified in the BIA.
This so-called innovative idea has been around since the beginning, when we called business continuity by another name, ‘disaster recovery’. Back to ISO 22301 and the BCI GPGs, this is the product/service component of the BIA process!
Recovery strategies and plans
If you are selling the Adaptive BC approach to the Emperor, to be clear:
You are asking the Emperor and the Royal Court to determine the priorities for recovery and timing based on their opinions, feelings, and beliefs, rather than using the systemic and mostly objective approach that the BIA would provide (e.g., following ISO 22301 and ISO 22317 BIA requirements).
- Are you willing to risk the lives and mission of your colleagues, other people, and the organization?
- Are you willing to risk your own reputation?
- When the time comes, are you personally and professionally ready to advise on the poorly sewn stitching of your strategy garments to The Emperor?
Based on my experience, the Adaptive BC approach creates additional work for the business continuity professional in the long run - unless that person and their organization isn’t going to bother to document strategies and/or plans. The BIA’s systemic approach takes most subjectivity out of the equation; the business continuity practitioner should keep the BIA as objective as possible. And remember, the Emperor is relying on you not to encounter any nasty design snags later.
Determining strategies and writing plans based on top management’s understanding (in lieu of a systemic approach), which may be subjective or political or possibly even shortsighted, can be risky. Top management’s understanding coupled with the possibility that they are also under-informed, is simply not acceptable to stakeholders. Worse yet, the Emperor, not knowing leading practices and industry standards that have stood the test of time, may be even at more of a disadvantage if he/she thinks planning for a disruption for just a week is good enough to support the organization’s mission.
Testing and exercises
The Adaptive BC approach doesn’t completely throw the bolt of finely made business continuity industry cloth out with the rubbish. Testing and exercising were left in this ‘innovative’ approach. That said, testing and exercising already existed in leading practices and industry standards for decades.
BC practitioners should be keenly aware that “Innovation can occur at any time during the execution of a (BC) program or project; innovation does not explicitly require an ‘innovation’ initiative”!!!
Industry experts need to come forward on a global basis to expose the poorly devised construction of the Adaptive BC approach which has the potential to be adopted by newcomers to the industry or worse yet, by practitioners looking for a magic wand to wave away the hard work, forethought and analysis required to do it right the first time.
Because of the inherent flaws in the design of the Adaptive BC approach, supporters may find themselves having discussions with the Emperor along the lines of:
- “Oops, we missed this single point of failure because it was upstream (or downstream) to the narrow list of critical activities that you approved”
- “We didn’t think about Department A’s role changing at time of disaster because it wasn’t on the critical list we used.”
- “We have to retrofit a technology solution that costs ten times more than our annual budget because the Emperor’s brother felt strongly that it was not critical. We focused on just the list based on what the Emperor said to focus on”.
Risk vs opportunity or risk and …then even more risk
So, what happens when the Emperor learns of the serious design flaws in both the Adaptive BC approach and that known risks were ignored or withheld?
For most organizations, it may be far better to consider “What if we don't pursue this innovation initiative?” (Hillson, in Effective Opportunity Management for Projects: Exploiting Positive Risk (2004).
I would not want to be the business continuity practitioner trying to explain these hazardous shortcuts that underpin the Adaptive BC approach. I would not want my legacy to be that I dressed the entire management team in what equates to a business continuity spin on the story of The Emperor’s New Clothes.
I fully support innovation and change, and appreciate the attempt to try something new. That said, in the business continuity industry we have benefitted from new innovations and continually transform – everything from innovative technology systems, business continuity planning software, mobile applications, and many other strategies, solutions, and options too numerous to list.
That said, I really cannot admire the innovation of these Emperor’s New Clothes – not ever. Period.
I want to sincerely thank those professional practitioners who have played the role of ‘the innocent child’ in the business continuity industry’s version of The Emperor’s New Clothes, those who boldly spoke up and said they did not see any new clothes on the Emperor. Now, we can begin to learn the lesson of this children’s story for the business continuity industry. And it is this…
By keeping silent, it does not mean we all agree with the Adaptive BC approach (personally for me, it means I do not like to be thought of as a non-team player or not open to innovation in this case).
However, if we are silent, it does mean that we are being complicit in setting back the business continuity industry by decades. Indeed, we must protect the Emperor from believing he has on the finest ‘innovative’ clothes when the reality is, he is confidently walking around with all the stakeholders … naked and exposed.
Jean Rowe MBCI is Managing Partner, Allied Consulting Enterprises Worldwide
Jean Rowe has worked in the business continuity industry for more than 25 years and has served on several technical committees to form the leading practices and industry standards used today. She has developed and implemented global business continuity, organizational resilience, and enterprise risk management programs for organizations including the World Bank Group, the IMF, Verisign, national critical infrastructure organizations in power and utility, oil and gas, telecommunications, and financial services (including blockchain/fintech). She has managed crisis response and crisis communications in response to real world disasters covering everything from pandemics, terrorist attacks, cyber-attacks, natural disasters, and social media disasters. Currently, she is located in the Middle East to help further mature the industry. She is a training partner with the International Consortium of Organizational Resilience, an ANSI accredited not for profit organization. Contact firstname.lastname@example.org
Thank you, Jean.
It's absolutely good to innovate but let's be realistic, it's even better to not just accept every innovation since not all innovations are improvements as we all know and have experienced several times many ways, I expect.
Standing still is the same as going backwards, we all know that as well, so it’s good to have this discussion.
I just wanted to add the following:
When I coach organizations during the BIA process, since I am of the opinion THEY need to do it, not me, I 'use' the BIA for more than just the BIA output data that is required as a 'selection criteria' for critical and non-critical activities (or processes if you like) and then call the critical ones 'prioritized activities' plus gathering additional data regarding those activities. Many of these are stated in the article and comments from other people made so far. No, I have in total four reasons to do a BIA this way:
1. Gather BIA information as is stated in ISO 22301 8.2.2 (for example).
2. Ask about past experiences and in that way gather information for the required risk assessment and strategy phase.
3. Use it to 'explain' BCM to all involved and for that matter create competence.
4. Raising awareness with all involved by discussing the subject, especially the WHY.
So, skipping this, since 'it's not required anymore', in my humble opinion is throwing away three valuable additional reasons to perform a BIA. It's the heart of a BCMS. Don't tear out the heart, never a good idea … it kills it.
Gert Kogenhop (Hon.) MBCI
Business continuity consultant
If a car breaks down, do we change the Thermodynamics 2nd Law instead of fixing what's wrong with the car? Adaptive BC plans to take on the fundamentals of the BCM.
Going through the nuances of Adaptive BC, which doesn't consider BIA or RA, and considers BCM tests as not a reliable measure of recoverability, etc., is an idea that clearly lacks on-the-ground experience with real-time disasters. Reading through the Adaptive BC Manifesto, one can clearly say that it is more of a theoretical approach than a practical one. E.g. Hardly anyone I know, picked up a plan at the time of disaster for an efficient and effective response (apart from referring to some static information).
The concept of Adaptive BC reduces BCM to a coffee table discussion with Sr Management with a severely curtailed approach. It appears to me as an innovative shortcut based on a flexible approach (read 'non-systematic approach'). I am sure none of my clients will go for Adaptive BC if given a choice between these two approaches.
I think this article is excellent, and puts into words what many of us might have been feeling about the concept of 'Adaptive BC'.
As an employee of an organisation that once used an Adaptive-like approach to BCM for some years, I can wholeheartedly say that the methodology is lazy and flawed.
The absence of structure encourages laziness through informality. It creates or fails to spot risk through its apathy. It leads to blind spots in organisational awareness and understanding. It lulls executives into a false sense of security about the resilience of their organisation.
When the incident occurs (the avoidable one you missed because you didn’t do risk assessments), and the c-suite, the senior managers and the mid-level managers are running around screaming for an invocation of “the plan”, their sense of security will be demolished in the blink of an eye. All of a sudden, the Adaptive BC question of “who do we need to protect the most” seems inadequate in the face of having no clue whatsoever about how to manage the impact of 300+ employees not delivering whatever it is that they were delivering to the 50 important people in your BCP (remember, you’ve no idea what those 300 people did, because you lost organisational understanding when you threw out the BIA).
Roll on a few hours or days, to those awkward questions in front of the board… why didn’t you see this coming? Why was our recovery so poor? What happened to our Business Continuity Plan?
Adaptive BC isn’t the next big thing in our industry. Being adaptive isn’t even a new thing for Business Continuity.
One of our responsibilities, as BC practitioners, is to improve the ability of our organisations to be adaptable to change, whether it’s sudden or gradual. We are already adaptive by our very nature, and so, therefore, are our BC programmes.
Adaptive BC is a contradiction. By its very nature, it makes our organisations less tolerant to change, and less able to adapt.
IT Service Continuity Manager / IT Risk Manager
Bravo Jean Rowe, and thanks for articulating views that many others have raised. I’ve pointed this out to Mark Armour and David Lindstedt repeatedly: that many of the things they claim are ‘innovative’ have been performed in good organizations for 20 years or more. I admire them both for their passion and their belief in the BC industry, and I applaud the fact that they promote good business continuity – and that’s what they are doing. Good BC, not innovative BC. In a recent article, David argued that the answer to the question “How long before you need to recover?” is often “it depends”. Of course it does: it depends on process cycles, calendar cycles and so on. We’ve been doing this for two decades – “How long before you need to recover at the worst time possible?”. You can then drive strategy through this: Payroll and Accounts can share the same recovery seats, because Payroll will only need them in week 3, and Accounts only need them in week 4. I just saved half the potential cost of a recovery solution. Similarly, the contradiction in risk assessment. Adaptive says don’t perform a risk assessment, but then immediately asks the CEO “What keeps her awake at night”. But isn’t that a form of risk assessment? The CEO is worried about key supplier Collins and Co., which is in financial trouble. Great, now we know we have a supply chain risk, and we can perform some value-add work around that.
Where Adaptive seems to have potential is in techniques such as Agile and scrum – and yet I see almost no real examples of how these might be used. Perhaps this would be a useful blog to read from Mark/David?
Head of HSE Risk Management
Need a better mousetrap....
Had mice in our first house so bought the classic wooden, spring mouse traps. Set them up around the house, baited with cheese, but not so much as a nibble. Remembered that, growing up, Mom used peanut butter on traps, so tried that option. Got that nibble, and in fact the traps were wiped clean, still set and intact, but no mice. Thanks, Mom (for nothin’)!
Clearly there needed to be a better mousetrap. Not just me but the rest of society would benefit from just plain throwing this trap out and adopting, or adapting, to something else. The need was for a new approach of having a trap that actually worked, not this archaic tool that ‘proved’ to be useless.
So, had a chat with Mom who gave me the Paul Harvey ‘rest of the story’.
The peanut butter had to be chunky, with a solid piece of peanut driven directly into the hole on the trap catch. That way the mouse would gnaw on the hard nut and set the trap off. Worked perfectly and have never had a mouse beat me since.
The need was not for a better mousetrap but rather for me to gain more proficiency in the proper use of the existing tool, with the right content being used the right way.
The early failures had nothing to do with the tool, it was ‘Operator Error’ as we say.
In the world if IT, the phrase PICNIC (Problem in Chair Not in Computer) is often used when the issue is not technical or tool-based but simply a lack of understanding by the end-user.
Regarding the mousetrap, if anything, I proved that the old, standard trap really did work (which I guess most folks already knew).
Thanks, Mom (for everything).
Mark Carroll, MBCP, FBCI
SVP – Business Risk Officer
I particularly enjoyed Jean Rowe’s article on Continuity Central regarding the myths of Adaptive BC. In addition to Jean’s insightful points about the importance of doing the job right, her writing style makes for an enjoyable read.
- An in-depth risk assessment and business impact assessment with all the stakeholders must be the first steps. Senior management does not have all the answers - success is a team sport.
- Recovery Strategy and Plans must be built on a solid foundation. You can't build a skyscraper on an outhouse foundation.
- All organizations are challenged to do more with less. We must do the right things right!
- Shortcuts on fundamentals are not a success strategy.
Paul B. Boulden
Jean Rowe's discussion paper around the Adaptative BC process is indeed thought provoking.
‘The Emperor’s New Clothes’ is an interesting and provocative take on the afore mentioned process.
In my world the BIA is a theoretical concept which has little use in practical application of a BC implementation strategy. Two reasons:
One: very limited resources with, in some cases, delegated individuals making a call based on service needs for the community (as in 'the emergency room must remain accessible for the public') from a relatively simple spreadsheet task driven process.
Two: the additional amount of input at strategic and operational meetings executives are required to be involved with.
Social media (and the media in general) want to make a story out of any anomaly and a lot of time is spent managing this space by time poor individuals.
That is the nature of the world we are working in and my 10 cents worth is that any opportunity to streamline a process and allow it to be more appetising by being more manageable is a welcome one.
Amen to Jean Rowe's article
Senior Business Continuity Manager
Spot on Jean! As a business continuity practitioner with over 25 year’s global experience I agree 100 percent with your assessment. This Adaptive BC approach is not something I can support, or embrace, for the very reasons you have laid out in your excellent article.
Dave Johnson, MBCI
Manager, Business Resiliency Services | Information Services
One of the best articles I have read in 30 years as a consultant in this industry!
Michael R. Moniz