Business Continuity: “Are We There Yet, Dad?”
Those of you with children will remember this frequent question from the back seat of the car- the first time usually about 10% or so into the journey. Can we I wonder ask the same question about business continuity and its development?
It is of course a daft question. No, we are certainly not ‘there;’ nor are we ever likely to be. Continuity or resilience management will continue to evolve for its own sake, and especially because the businesses we are there to protect will continue themselves to evolve and change – and ever more rapidly. There is a value in the question however, as a prompt for us to take stock of where we are coming from, and take a few guesses as to where we are heading.
Thankfully most places I visit around the world now have moved beyond IT and facilities duplication as the totality of continuity work. Indeed if the customers, and the business props such as stakeholder support in all its forms, the supply chain, the brand value, legality and all the intellectual assets don’t exist any more, the IT continuity expenditure was a total waste of money. Certainly a highly sophisticated ‘recovery plan’ is also no more than a pair of boots to kick a dead horse, if indeed that horse has already lost its life through negligence in risk managing its potentially destructive dependencies.
There are the beginnings now of structures to encourage professionalism within our industry, but I guess few would argue that there is no more to be done. It’s good too to see the evolution in the contingency service suppliers, and the competition now that is honing the service delivery and product design. It is good too that the “side-show” of Y2K is now such a long way behind us, accepting though that some of the lessons – positive and negative – are useful.
As to the future; it is less clear. This is not least because the question brings to the fore the lack still of clarity about where we are now and the fit of BCP within the wider context of the business persona. Just read the key task objectives of Business Continuity Managers to see the quite different expectations of the jobholder. How can you therefore generalise about the skill base when so many employers still don’t yet know what they want?
One of the reasons for this is the rapid and relatively recent development of business continuity planning, often in isolation within a company. Is this separatism in part because of the- “confuse-’em-with-jargon-and-they’ll-leave-me-alone” brigade and or partly because no one else in the organisation will offer their hearts as well as their minds to the need?
Isolation is I believe sad and mistaken. It will do BCP managers harm in the long run. There are many others who carry responsibilities so similar and so interfacing that we should be, and be seen to be, working alongside them. Business continuity for example is one aspect of Risk Management. An important part, mind you, (what is more important, other than life and health, than the very survival of an organisation?). It is, nonetheless, a part. The sooner that Risk Managers and BCP Managers recognise each other and work as a team, the sooner we shall see greater ownership and acceptance. The underlying challenges are exactly the same: What is the risk? What is the resultant exposure? Is any exposure unacceptable? Then let’s do something about it!
Another colleague is the person who buys the insurance/risk transfer programme. You will need to get that person to understand clearly that, however well placed the programme, it can still be useless in keeping the company alive. It deals only in financial risk – and most destructive risks are clearly not financial ones. Insurance is most useful only after the company has survived, whether by luck or good management!
Together, the Continuity Managers (technical and business), Risk Managers and the Insurance Managers can make a great team! Why therefore do I see them avoiding each other so often? Is it misguided career protection or perhaps facing the unpalatable fact that they each are not the sole protector of the company’s survival? I can go on about the Security Manager, the IT Security Manager, Health and Safety, Compliance and others.
I believe Audit should stay out of the battlefield. If not, who is there to shoot the survivors afterwards? But indeed, when they do enter, are they not just stating that a process has taken place, without being able to take a view on the quality of those processes and their decisions? To expect more of an auditor is unreasonable.
If these people are brought together organisationally, they can feed each other and feed from each other. The roles will become clearer if only for the fact that they bring their skills together, and each is not trying to design words that imply they themselves are leading the fight against closure. Furthermore decisions around risk tolerance can be more consistent throughout the Group.
For example, a due diligence enquiry or auditor may cheerfully tick a box that a potential supplier is compliant with BS25999, NFPA 1600 etc. What this means is they the supplier will itself, given a bit of luck too, have a reasonable chance of surviving. What it does not mean is that they have identified your contract as critical to the point that they will ensure delivery continues to you that meets YOUR OWN criticalities, sensitivities and urgencies!
The opportunities for us all have never been greater. This is not just because of an increase in regulations in some countries and stock markets. Businesses construct their “factories” now in such a way that they are concentrating risk more and more into common points of failure across an entire organisation. This applies to their people, their suppliers, the methods of distribution, and the manufacturing infrastructure itself. E-commerce not only changes the delivery of a product; it raises customer expectations about accessibility, and immediacy.
In a nutshell the modern business model is much leaner, with much less margin for error. Its ability to absorb surprises has gone for ever; and thus understanding its risks and managing them has never been more critical
Will anything remain constant I wonder? I believe there will always be the need to push the issue of risk and continuity onto Director’s agendas and ensuring real – not pretend – commitment.
Maybe one day, someone will invent a method of measuring risk management work sufficiently to be a basis for all Directors’ bonus schemes, salary levels, career development and the grant of their share options. Maybe directors will begin to see that disasters can really happen within the – ever shorter – tenancy of their current job. Maybe BCM can become a “lifestyle” task seen as sexy before the disaster as it is seen during. Even harder to perceive, maybe Directors will one day cheerfully admit to their board that their wonderful career-building project could just go wrong!
We, then as career risk and continuity managers, will no longer be needed. I wouldn’t though yet to hold your breath!
David Kaye
www.riskreality.co.uk
David Kaye is the lead examiner on business continuity for the Institute of Risk Management.
===============================================
David Kaye is the co-author with Julia Graham of A Risk Management Approach to Business Continuity: Aligning Business Continuity with Corporate Governance.
