Business continuity is broken: three reasons, three paths
- Published: Thursday, 03 September 2015 07:51
By David Lindstedt, PhD, PMP, CBCP.
Business continuity is failing us all. Here's why:
1. It isn't evolving
Project management launched agile. Quality control embraced Six Sigma. Authors like Daniel Pink, Malcolm Gladwell, Daniel Kahneman, and the Heath brothers have made great contributions to leadership and decision-making theory. Yet in the last two decades, business continuity:
- Has made only small, incremental changes;
- Has focused increasingly on compliance and regulations;
- Does not engage in systematic critique for improvement;
- Does not invest in or fund significant empirical or theoretical research;
- Does not value or reward innovation.
Ten years after Hurricane Katrina, we have made few improvements in our business continuity best practices, methodologies, and standards. The best practices from my 2003 DRI guide remain mostly unchanged.
2. We can't engage executives
Year after year, journal articles and conference presentations offer up the same lamentations. Executives don't get it. We don't have a voice in leadership. We don't have a seat in the C-suite. We don't have the money and resources we need. These problems are due largely to the fact that current industry best practices put practitioners into a position where they:
- Do not take the time to learn the business and develop business acumen;
- Do not deliver value until the very end of a long life-cycle (if at all);
- Do not have techniques or incentives to properly engage participants;
- Continue to focus almost exclusively on worst case scenarios;
- Spend the vast majority of their creative efforts meeting uniform regulatory and compliance requirements;
- Lack flexibility;
- Focus on documentation over recoverability.
In addition, we:
- Cannot prove the effectiveness of formal continuity planning;
- Do not have a coherent ROI proposition;
- Do not have a straightforward value proposition;
- Do not know how to properly frame conversations and maximize time with executives;
- Lack clarity of purpose in our role and ambitions.
3. We have no meaningful metrics
As Peter Drucker said, "What gets measured gets managed."
We have spent years counting but not measuring. We have counted numbers of plans, numbers of documents, numbers of exercises, dates last updated, and other things that are easy to count. These do not tell us to what degree our organizations are more (or less) recoverable. These do not tell us (or executives) how prepared we are to recover from disaster.
Sometimes we don't even count; we just tick the yes/no boxes pursuant to compliance: Did you do an RA? Did you do a BIA? Do you have a governance structure? Do you have documented goals? None of this provides a measure of quality, effectiveness, or recoverability of our preparedness efforts. We must develop and use metrics that allow us to:
- Empower executives to make decisions based on evidence not instinct;
- Measure improvement over time;
- Set triggers for specific action based on quantitative data;
- Demonstrate value;
- Manage competing constraints for limited resources;
- Provide forecasting and trending to manage future conditions.
To try and deal with these problems, we have seen two paths in the last few years.
One path has been to further standardize and enshrine traditional approaches. This has not and will not fix the problems noted above.
The second path has been to abandon the continuity discipline altogether. This is generally accomplished by demeaning and diminishing the value of continuity planning in favor of a separate but related activity. Roughly five years ago, many sought to cannibalize continuity and transfer into enterprise risk management. More recently, the move to resilience, with its near-immeasurable scope and indistinct goals, has been the more popular path for abdication.
The third path is a difficult one. It involves defending the need for business continuity while significantly reforming it. It involves reworking continuity planning but not abandoning it.
Continuity planning must continue as a discipline. Organizations must continue to demonstrate a standard of due care, provide an affirmative defense, and manage their fiduciary risk. They must be able to know what their people will do in times of loss, and to trust that the resources, procedures, and competencies exist to continue to provide services following disaster.
But this discipline must provide more value to more leaders within shorter timeframes. It must find ways to demonstrate progress against measurable benchmarks and provide meaningful metrics for action. It must encourage practitioners to develop business acumen and engage at many more levels of the organization.
This third path is a very challenging, and probably very unpopular, one, but I believe it's the right one nonetheless. I'll term it Continuity 2.0.
The author
David Lindstedt, PhD, PMP, CBCP, is the founder of Readiness Analytics, an organization focused on providing meaningful metrics for preparedness practitioners. Readiness Analytics is home to The Readiness Test, a simple on-line tool to measure an organization's readiness to recover from disaster. Dr. Lindstedt is the creator of the RPC Model of Organizational Recoverability, author of ‘Measuring Preparedness and Predicting Recoverability,’ and co-writer of the Continuity 2.0 Manifesto. He has published in international journals and presented at international conferences. He taught for Norwich University's Master of Science in Business Continuity Management. He serves on the Editorial Board for the Journal of Business Continuity & Emergency Planning. Dr. Lindstedt also serves as Director of Program Management with the Office of Distance Education and eLearning at The Ohio State University, inspiring innovative instruction through emerging technologies.
- Read a separate article 'Business continuity is broken: a rebuttal' by Mark Mahoney, MBCI.
- I believe Mr. Lindstedt points to a critical need for improvements which are required due to the lack of professional diversity amongst many in BC. The language of IT is not crossing the chasm, and without recruitment of those in the business areas into BC to ‘translate’ it will continue to flounder. I do not, however, see resilience as a different animal from BC, and all of the bullet points mentioned are required to make organizational resilience function. When a small functional area gets moved into a larger one, it must maintain its identity, and independence. Also, it is forced to take on a larger more detailed role, but now for more people. BC has always thought small scale, while ERM was the big brother. BC can now be on the same level, but must not hand over the keys and walk away out of ignorance. We can’t give up because we are redefining ourselves. We don’t have time. Radhika Murali
- I refer to the recent article by David Lindstedt that suggests resilience is the wrong direction for business continuity. Lindstedt’s view is the other side of the popular resilience trend but his opinion adds little other than academic negatives, perhaps just to confuse rather than help. My experience is that resilience is working as the motivator for business continuity action. John Worthington MBCI
- I totally agree with David Lindstedt, we need a new way forward that defends the need for business continuity while significantly reforming it. By pure coincidence, I think that I've come across this new way forward whilst undertaking research for a paper that I'll be presenting at this year's BCI World Conference and Exhibition in London in November. The title of my paper is ‘The BC Plan is Dead!’, and whilst looking for a practical example of the ideas that I'll be presenting, I came across a novel and exciting approach to BC that has been implemented by a major UK company. I don't want to spoil the presentation, so I can't reveal yet who it is and what I'll be saying, but a representative from that company will, as part of my presentation, show a new approach that is measurable, adds value to the business, has the active support of the top executive, extends the traditional boundaries of BC to include all disruptive incidents, and puts BC in front of the top executive on a regular basis. Mel Gosling, FBCI