A new approach to business continuity…
- Published: Tuesday, 05 January 2016 08:13
Mel Gosling explains why he believes that business continuity needs a new way forward, and why the traditional business continuity plan no longer works for today’s organizations.
There is a growing body of business continuity practitioners who believe that a new approach to the discipline is both required and overdue. An example of this is the recent debate opened up by the publication of ‘The Continuity 2.0 Manifesto’ by David Lindstedt and Mark Armour.
I have recently added to that debate with a presentation to the November 2015 Business Continuity Institute’s BCI World conference entitled ‘The BC Plan is Dead!’, and in researching examples of companies that have stopped using traditional document based business continuity plans I have identified a set of key practices that I believe will drive the new approach. One of those companies, Marks and Spencer, gave an excellent practical demonstration at the end of my presentation of what they have managed to achieve with a new approach, ensuring that the audience understood that this is already happening and is not just a nice theory.
Business continuity today
Before outlining my ideas on the way forward, it is worthwhile explaining why I believe that a new approach is required.
I agree with David Lindstedt and Mark Armour that despite recent revolutions in technology and the way in which organizations operate, business continuity has made only small, incremental adjustments, focusing increasingly on processes, standards, and regulations, rather than on delivering real improvements to incident response and resilience. This has led to widespread executive disinterest in the subject, and an inability to demonstrate the value of business continuity beyond compliance.
Current business continuity practice leads to the development and the accumulation of large numbers of documents, central to which is the business continuity plan. This document is supposed to be clear, concise, accurate, and easy to use in a crisis. Unfortunately, most business continuity plans that I see are usually complex, packed with unnecessary information, out of date, and difficult to use when responding to an incident. They are more often than not developed to demonstrate compliance to an auditor or regulator rather than being developed for their supposed purpose.
If business continuity continues down the cul-de-sac of processes, standards, and regulations, producing plans that are unusable, and without addressing the need to engage executives and deliver measurable benefits, then it will, at best, become an unwanted millstone around the neck of every organization required to implement the discipline.
My vision for the way forward is an approach that delivers measurable continuous improvement in reducing the impact of actual and potential incidents by focusing on the effects of incidents and providing a rapid, appropriate, and effective response and recovery capability. Its scope encompasses all disruptive incidents, and is driven by the need to reduce impact rather than to follow a process.
I believe that the key to achieving this vision can be found in five areas:
- Extending the scope of business continuity to encompass all disruptive incidents;
- Measuring improvements in reducing the impact of actual and potential incidents;
- Changing the way information is held and used from documents to apps using cloud based data sets;
- Putting exercising at the heart of business continuity;
- Concentrating on the outcome rather than the process.
Extending the scope of business continuity
One of the most common issues that seems to come up when I assist organizations with their implementation of business continuity is that of when an incident is deemed to be a business continuity incident and when it can be handled by normal day to day management.
This issue is artificial, and to my mind is one of the causes of the executive disinterest in the subject. If we are serious about business continuity then we should be concerned about any incident that causes disruption, and not just those that trigger the activation of a response or recovery team or the invocation of a business continuity plan. The majority of incidents that affect organizations fall into the category of those that are handled by normal day to day management, and extending the scope of business continuity to incorporate these gives us an opportunity to provide real benefits to the organization by recording, analysing, and taking action to reduce the number of incidents, their effects, and duration.
This requires the establishment of a central repository of information about all incidents, and a way of ensuring that this information is recorded and analysed. One of the main barriers to achieving this is the reluctance of people to spend time and effort reporting each incident, and this barrier will need to be overcome. This can be done if the benefits can be clearly demonstrated, and the act of reporting each incident is made as quick and simple as possible.
The only real measurement of success for business continuity is in a reduction in the impact of events that cause disruption to the organization. Unless business continuity is extended to cover all incidents recorded in a central repository, this can only be done by estimating the impact of theoretical business continuity incidents (unless your organization is unlucky enough to have lots of real business continuity incidents). This can, and should, be done, but this type of success is only theoretical and won’t gain too much executive interest.
By extending the scope of business continuity to cover all disruptive incidents and recording information about all such incidents in a central repository, the impact of events that cause disruption to the organization can be measured. The recording of information about all disruptive incidents opens up the possibility of taking action and putting in place management processes to prevent or to reduce the likelihood of such incidents occurring in the future, and to minimise their impact. This is at the heart of what business continuity is trying to achieve, and is something that can be measured and reported on to the executive. I have actually seen this in action in Marks and Spencer, and the result is that business continuity and its measurable benefits are put in front of the executive on a weekly basis.
Apps not documents
Using documents to obtain information is rapidly becoming a thing of the past as more and more people use smartphones, tablets, and computers to access the Internet. Where once people would need to identify a paper publication that might contain the information that they were looking for, and then search through pages and pages to find what they wanted (and then it would probably be out of date), the Internet offers immediate and up to date access to the information required.
Today’s technology provides the opportunity to move away from documents as a source of information to something that is simple to use, delivers exactly what is required, and provides the latest information. This is an app.
The main function of a continuity app is to minimise the impact of an incident on the organization by dealing with the incident quickly, efficiently, appropriately, and effectively. In delivering this functionality, the continuity app will need to use data from different sources:
- People: names, jobs, contact details, skills, etc.
- Suppliers: names, goods and services supplied, contact details, etc.
- Stakeholders: names, roles, contact details, etc.
- Business continuity: urgent activities, recovery requirements, recovery options, etc.
- Incident response: procedures, checklists, actions, etc.
- Incident management: teams, roles, responsibilities, escalation procedures, etc.
The secondary function of the continuity app is to record information on incidents and how they are dealt with to enable the value of business continuity to be measured. In delivering this functionality, the continuity app will need to create the following data held centrally to enable measurement and reporting:
- Incidents: date and time, duration, impact, type, etc.
- Log: actions taken, decisions made, issues identified, date and time, etc.
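The two ideas above, a central repository that records every disruptive incident (including the minor ones handled by day to day management) and a weekly, measurable report of impact for the executive, can be shown in a few dozen lines of code. The example below is added here for illustration; it is not code from this article, nor from Marks and Spencer or any continuity app product. The incident and log fields follow the data sets listed above; the impact scale (1 to 5), the Python classes, the November 2015 sample incidents and the choice of ISO week as the reporting period are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class LogEntry:
    """One line of the incident log: an action taken, a decision made or an issue identified."""
    at: datetime
    kind: str   # "action", "decision" or "issue"
    text: str


@dataclass
class Incident:
    """One disruptive incident, however minor; fields mirror the 'Incidents' data set above."""
    incident_id: str
    started: datetime
    duration: timedelta
    impact: int          # assumed scale for this example: 1 (trivial) to 5 (severe)
    kind: str            # incident type, e.g. "IT outage", "power", "supplier"
    log: list = field(default_factory=list)


class IncidentRepository:
    """Central store for all incidents, so that impact can be measured rather than estimated."""

    def __init__(self):
        self._incidents = {}

    def record(self, incident):
        # Keep reporting quick and simple, but refuse duplicate ids so measurements stay honest.
        if incident.incident_id in self._incidents:
            raise ValueError(f"duplicate incident id {incident.incident_id}")
        self._incidents[incident.incident_id] = incident

    def log(self, incident_id, kind, text, at):
        self._incidents[incident_id].log.append(LogEntry(at, kind, text))

    @staticmethod
    def _week(incident):
        year, week, _ = incident.started.isocalendar()
        return f"{year}-W{week:02d}"

    def weekly_report(self):
        """Count, total minutes of disruption, total impact and breakdown by type, per ISO week."""
        report = {}
        for inc in self._incidents.values():
            row = report.setdefault(self._week(inc),
                                    {"count": 0, "minutes": 0, "impact": 0, "by_type": defaultdict(int)})
            row["count"] += 1
            row["minutes"] += int(inc.duration.total_seconds() // 60)
            row["impact"] += inc.impact
            row["by_type"][inc.kind] += 1
        for row in report.values():
            row["by_type"] = dict(row["by_type"])
        return dict(sorted(report.items()))

    def trend(self):
        """Change in count, minutes and impact between the latest week and the one before it."""
        report = self.weekly_report()
        weeks = list(report)
        if len(weeks) < 2:
            return None
        latest, previous = report[weeks[-1]], report[weeks[-2]]
        return {m: latest[m] - previous[m] for m in ("count", "minutes", "impact")}

    def impact_by_type(self):
        """Total impact per incident type, most disruptive first: where prevention effort should go."""
        totals = defaultdict(int)
        for inc in self._incidents.values():
            totals[inc.kind] += inc.impact
        return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def build_sample_repository():
    """Constructed sample data for the example (not real incidents): three weeks in November 2015."""
    repo = IncidentRepository()
    sample = [
        ("INC-001", datetime(2015, 11, 3, 9, 15), 120, 3, "IT outage"),
        ("INC-002", datetime(2015, 11, 5, 14, 0), 45, 2, "power"),
        ("INC-003", datetime(2015, 11, 6, 8, 30), 30, 1, "IT outage"),
        ("INC-004", datetime(2015, 11, 10, 10, 0), 60, 2, "IT outage"),
        ("INC-005", datetime(2015, 11, 12, 16, 20), 240, 4, "supplier"),
        ("INC-006", datetime(2015, 11, 18, 11, 0), 20, 1, "power"),
    ]
    for incident_id, started, minutes, impact, kind in sample:
        repo.record(Incident(incident_id, started, timedelta(minutes=minutes), impact, kind))
    repo.log("INC-005", "action", "Switched to secondary supplier", datetime(2015, 11, 12, 17, 0))
    repo.log("INC-005", "decision", "No customer notification required", datetime(2015, 11, 12, 17, 30))
    return repo


if __name__ == "__main__":
    repo = build_sample_repository()
    for week, row in repo.weekly_report().items():
        print(week, row)
    print("trend vs previous week:", repo.trend())
    print("impact by type:", repo.impact_by_type())
```

The weekly figures are what would be put in front of the executive; `trend()` turns them into the "is it getting better" question an executive actually asks, and `impact_by_type()` points at where management action to prevent recurrence would pay back most.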
One of the critical factors in successful incident response is communications, and many organizations already use well established and effective messaging systems. The continuity app will therefore need to be able to create messages to be passed to an existing messaging system for appropriate distribution.
Each organization that will use a continuity app will be storing these data sets in a unique combination of databases and files, and each organization will want to use its own branded user interface. This provides challenges to the developers of continuity apps, but I’m sure that solutions will be found to provide cheap customisable packages that enable even small organizations to implement an effective continuity app.
Exercising at the heart of business continuity
Responding to a real incident is the best way to demonstrate business continuity capability, and by extending business continuity to cover all disruptive incidents this will be demonstrated on a daily basis. However, most of these incidents will be minor in nature and not require the mobilisation of teams and activation of recovery plans that are the staple of today’s business continuity response capability.
Most organizations rarely have the need to mobilise teams and activate recovery plans in response to real incidents, and the only other way that preparedness and capability can be demonstrated is through exercising.
Exercising has other important benefits including:
- Raising awareness of the importance of business continuity;
- Training teams in response and recovery;
- Identifying ways that response and recovery processes and plans can be improved;
- Validating information used in response and recovery;
- Involving the executive and senior management in business continuity.
These benefits are so great that it makes sense to put exercising at the heart of every organization’s business continuity efforts.
To give a simple example, consider the current business continuity practice of business impact analysis. Time and time again I hear of how difficult it is for business continuity practitioners to get time and commitment from the executive and senior management to identify the timescales within which products and services need to be delivered and processes made operational, and the service levels required in those timescales. Much of this can be achieved through an exercise (properly designed and planned) at considerably less time and expense.
Outcome not process
Executives that run organizations and the stakeholders that they serve are mainly interested in the outcomes achieved by the organization, and not the way in which those outcomes are achieved (although the processes need to be legal, ethical, etc.).
In terms of business continuity, the outcome is minimising the effect of incidents that cause disruption to the operation, and as long as the processes that achieve this are efficient, cost effective, legal, ethical, and in tune with the way in which the organization works, the executive aren’t particularly bothered or interested.
To gain executive interest, therefore, business continuity needs to concentrate on the outcome and not the process. Each organization needs to decide how to implement its own business continuity process, but the important thing is the outcome; the process is only the means by which the organization will achieve it.
This raises the question of the importance of standards, so beloved by many of today’s business continuity practitioners. Standards, per se, are a good idea, and I am not advocating that they have no place in the implementation of business continuity. However, I believe that standards should be about the outcome, not the process.
This, of course, is flying in the face of conventional wisdom about management systems standards, and I will be widely criticised for my views. However, take a moment to think about standards, and how they have been applied and successfully used in many industries over the years. And in doing this take a simple example, such as the JPEG standard. This standard identifies a common format for storing and transmitting photographic images – in other words it defines the outcome, not the process that you need to go through to produce the outcome.
The way forward
There is no easy answer as to how to move the practice of business continuity from where it is today towards a new approach, but a good start would be for practitioners to agree that something needs to be done and to create a shared vision.
This will require a lot of debate, and the point of this article is to add to the growing chorus of voices and to contribute to the debate. If and when we can create a shared vision, then the logical next step is to translate that vision into a set of practices that will deliver the vision. The most appropriate body to do this should be the Business Continuity Institute, but for it to be able to achieve this would require a significant shift in its direction.
We need to start with a vision, and my vision is of a discipline that delivers measurable continuous improvement in reducing the impact of actual and potential incidents by focusing on the effects of incidents and providing a rapid, appropriate, and effective response and recovery capability.