Today’s New Approach to Best Practices for Business Continuity
After years of working with the traditional practices of Business Continuity (BC) – in project management, higher education, contingency planning, and disaster recovery – David Lindstedt and Mark Armour identified unworkable areas in many core practices of traditional Business Continuity. To address these issues, they created nine Adaptive Business Continuity principles, the foundation of this book:
- Deliver continuous value.
- Document only for mnemonics.
- Engage at many levels within the organization.
- Exercise for improvement, not for testing.
- Learn the business.
- Measure and benchmark.
- Obtain incremental direction from leadership.
- Omit the risk assessment and business impact analysis.
- Prepare for effects, not causes.
Adaptive Business Continuity can improve your organization’s recovery capabilities by ensuring continued delivery of services following an unexpected unavailability of people and/or resources.
- Transforms or eliminates many of the traditional best practices of the continuity planning industry.
- Moves the emphasis to proven practices and away from outdated and ineffectual conventional methods.
- Enhances your abilities to limit potential damage to your organization’s brand, capital, functions, and revenue following an incident or disaster.
The Structure of the Adaptive Business Continuity Book
The chapters of this book proceed as an analogy, following the steps of rebuilding a house.
- Chapter 1: Demolition – The first step is to identify and remove all the things that no longer properly belong in the kind of house you need – certain BC activities and products must be removed to provide the space we need to install something new.
- Chapter 2: Foundation – Provides a proper foundation for Business Continuity planning, an integrated theory of preparedness planning.
- Chapter 3: Framework – Outlines the individual steps, activities, and deliverables the practitioner creates in partnership with all levels of the organization.
- Chapter 4: Finishing – This narrative helps you envision what the Adaptive Business Continuity approach might look like in practice. In these fictional case studies, you will meet five practitioners as they implement Adaptive Business Continuity in their organizations.
- Chapter 5: Dwelling – Wraps up the book and offers a few thoughts on what the future of the Business Continuity industry might hold – including the promise of fun and innovation in your daily business continuity activities.
Through a wealth of examples, diagrams, and real-world case studies, Lindstedt and Armour show you how you can execute the Adaptive Business Continuity framework in your own organization. You will:
- Recognize specific practices in traditional Business Continuity that may be problematic, outdated, or ineffective.
- Identify specific activities that you may wish to eliminate from your practice.
- Learn the capability and constraint model of recoverability.
- Understand how Adaptive BC can be effective in organizations with vastly different cultures and program maturity levels.
- See how to take the steps to implement Adaptive BC in your own organization.
- Think through some typical challenges and opportunities that may arise as you implement an Adaptive Business Continuity approach.
As the authors take you through the steps of “building the house,” you will see how Adaptive Business Continuity differs from traditional continuity planning and share the vision to create your own Adaptive Business Continuity programs and make needed changes within the profession.
NOW AVAILABLE – PRINT AND EBOOK!
June, 2017. 172 pages.
Excerpt from the Preface
Business Continuity Today
We believe we are at a turning point in the preparedness planning industry, specifically within the field of business continuity (BC).
Four primary drivers have led us to this conclusion:
- Thought leaders have identified significant issues with many core practices of traditional continuity planning.
- Many practitioners have found new and innovative ways to implement BC, successful practices beyond existing guidelines that have not yet coalesced into a single approach.
- Organizations and executives are demanding more business value for their money, and return on investment (ROI) for BC and its practitioners is not always obvious.
- Large-scale changes within related disciplines, such as project management and process improvement, along with the rapid growth of new global business methods, demand a more flexible and responsive approach to BC than many current practices provide.
Taking proper action in response to these drivers and capitalizing on the current situation will require those of us in the profession to look at BC and its practice in new ways. In this book, we present our alternative approach to traditional BC planning that aims to address these challenges and carefully shepherd a change in the discipline. We call this approach:
Adaptive Business Continuity
A large part of this book explains this new framework in detail. Before we can begin to outline this new approach, however, we must look at some practices that are likely to get in the way if not addressed. Therefore, Chapter 1 rightly starts with a critical examination of BC today before later chapters explain the Adaptive BC approach.
How to Use this Book
We have organized the chapters of this book, by way of analogy, with the steps of rebuilding a house. After deciding how you want your new house to look, the first step is to identify and remove all the things that no longer properly belong in the kind of house you need. We have called Chapter 1 “Demolition,” not because we are getting rid of the entire BC enterprise, but because there are certain BC activities and products that must be removed to provide the space we need to install something new. We then proceed through the rebuilding stages, namely foundation, framework, and finishing. Finally, we end with a chapter on “Dwelling,” in which we consider what it might be like to live in this new home we have built.
While we believe that you will get the most value by reading the chapters in order, we have structured this book so that you can jump right in to whatever topic is most important to you. After the Introduction, which explores the original Manifesto, which helped drive the development of the Adaptive BC approach, the book is organized into five chapters:
- Chapter 1: Demolition – This chapter outlines the problems and shortcomings within traditional continuity planning. It explains why current practices in the business continuity discipline do not produce the results that practitioners, participants, and leaders want. These chapters clear out (“demolish”) a number of traditional practices that stand in the way of making needed improvements to the industry. Fixtures such as the business impact assessment (BIA), risk assessment (RA), and recovery time objectives (RTO) get us off on the wrong foot from the very beginning and need to be removed.
- Chapter 2: Foundation – This chapter provides a proper foundation for BC planning. To date, our profession has various collections of best and good practices; it does not have a reasoned theory upon which to build a discipline. This chapter provides, for the first time, an integrated theory of preparedness planning. This topic requires a more theoretical approach than other chapters in order to provide context for the planning activities that make up Adaptive BC.
- Chapter 3: Framework – This chapter introduces the specific approach for Adaptive BC. If you are looking for the practical nuts-and-bolts “how to” of the framework, this is the section for you. It outlines the individual steps, activities, and deliverables the practitioner creates in partnership with all levels of the organization.
- Chapter 4: Finishing – This chapter provides a narrative to help you envision what the Adaptive BC approach might look like in practice. It fleshes out the overall approach using specific examples in time and place. In these case studies, you will meet five fictitious practitioners as they implement the Adaptive BC approach in their organizations. Hopefully, these stories will inform and inspire you to take your next steps and get started right away within your own organization.
- Chapter 5: Dwelling – This chapter wraps up the book and offers a few thoughts on what the future of the BC industry might hold, including the promise of fun and innovation in your daily activities.
We are very pleased to offer this book to practitioners, leaders, and academics alike. We fully expect the BC profession to evolve and we look forward to playing a role in its continued development. It is our sincere hope that the ideas contained within this book will empower you and your efforts to further protect our organizations and communities.
Introduction: The Need for a New Approach: Adaptive Business Continuity
0.1 Why We Wrote This Book
0.2 The Adaptive BC Manifesto in Summary
0.3 From a Manifesto to a Book
Chapter 1: Demolition
1.1 Demolition: Traditional Practices to Eliminate
1.1.1 Eliminate the Business Impact Analysis
1.1.2 Eliminate Recovery Time Targets
1.1.3 Eliminate the Risk Assessment
1.1.4 Eliminate Explicit Executive Support
1.1.5 Eliminate Requirements to Document the Plan
1.1.6 Eliminate Requirements to Test the Process
1.1.7 Eliminate Standalone Training and Awareness
1.2 Conclusion: Eliminate These Practices for a New Approach
Chapter 2: Foundation
2.1 Context: Setting the Stage
2.1.1 First Principle: Preparing for Recoverability Is Not Prevention
2.1.2 Second Principle: Recoverability Is Not Survivability or Resilience
2.1.3 Third Principle: Recoverability Concerns Recovery from a Physical and/or Staffing Loss
2.1.4 Fourth Principle: Recoverability Concerns the Reestablishment of Services, Either Individually or as an Organic Whole
2.1.5 Building a Foundation with the Four Principles
2.2 The Capability and Constraint Model of Recoverability
2.2.1 Types of Loss
2.2.4 Loss and Restrictions are Constraints
Hard and Soft Constraints
2.2.5 From Constraints to Capabilities
2.2.6 Diving Deeper into Capabilities
2.3 Time: Reframing Our Use of Time
2.3.1 The Restriction Triangle (Revisited)
2.3.2 Time as a Constraint (Not a Target)
2.3.3 Time as a Constraint in IT Disaster Recovery
2.3.4 Our New Conception of Time in Adaptive BC
2.3.5 A First Example with Time
2.3.6 Prioritization: Where Did It Go?
2.3.7 A Second Example with Time
2.3.8 The Elephant in the Room
2.3.9 Advantages to Eliminating Time Targets
2.4 Putting It All Together: The Aperture of Adaptive BC
2.4.1 What is an Aperture (and What Has It Got to Do with BC)?
2.4.2 High Level Summary of the Capability and Constraint Model
2.5 One Detailed Example
2.5.1 Our Detailed Example: The G. S. Hotel
2.5.2 Traditional BC Activities You Eliminated (In Our Example)
Chapter 3: Framework
3.1 What Is Adaptive Business Continuity?
3.1.1 Resources, Procedures, and Competencies
3.2 The Adaptive BC Manifesto
3.2.2 Principles Are Not Deliverables
3.3 How Do I Execute Adaptive Business Continuity?
3.3.1 The Role of the BC Professional
3.3.2 Activities Within the Adaptive BC Framework
3.3.3 Set Direction
3.3.4 Improve Capabilities
3.4 The Nonlinear and Parallel Nature of Adaptive BC
3.4.1 Dealing with Order of Execution
3.4.2 Can I Do This My Own Way?
Chapter 4: Finishing
4.1 Examples and Approaches
4.2 Case Study #1: Taking a Neo-Traditional Approach
4.2.1 Widgets, Inc.
4.2.2 Meet George: Widgets, Inc.’s Business Continuity Manager
4.2.3 Starting with Incident Response
4.2.4 A Brief Detour
4.2.5 Service Recovery
4.2.6 Tackling Challenges
4.2.8 Lessons Learned
4.2.9 Case Study #1: Conclusion
4.3 Case Study #2: Taking a Neo-Compliance Approach
4.3.1 Big Money Bank
4.3.2 Meet Elizabeth: Big Money Bank’s Director of Enterprise BC
4.3.3 Obtaining Incremental Direction from Leadership
4.3.4 Engaging at All Levels and Establishing Baselines
4.3.5 Maximizing Quick Wins and Delivering Continuous Value
4.3.6 Addressing Audit Concerns
4.3.8 Lessons Learned
4.3.9 Case Study #2: Conclusion
4.4 Case Study #3: Taking a Service Centric Approach
4.4.2 Meet Gil: GlitzCorp’s Director of BC Management
4.4.3 Learning the Business
4.4.4 Delivering Continuous Value While Obtaining Incremental Direction from Leadership
4.4.5 The Next Phase
4.4.7 Lessons Learned
4.4.8 Case Study #3: Conclusion
4.5 Case Study #4: Taking a Capabilities-Focused Approach
4.5.1 PeopleMovers Corp
4.5.2 Meet Leandro: Senior Director of Enterprise Resilience
4.5.3 Measure and Benchmark
4.5.4 Continuously Improve Recovery Capabilities
4.5.6 Lessons Learned
4.5.7 Case Study #4: Conclusion
4.6 Case Study #5: Taking an Exercise First Approach
4.6.2 Meet Shauna: Vice President of Business Continuity
4.6.3 Setting the Stage
4.6.4 Starting with Capabilities
4.6.5 Achieving Rapid Results in Iteration
4.6.6 Tackling Challenges
4.6.7 Lessons Learned
4.6.8 Case Study #5: Conclusion
Chapter 5: Dwelling
5.1 Dwelling in the Adaptive BC House
5.2 Learning Lessons from Lean, Agile, and Project Management 2.0
5.2.1 Traditional Project Management
5.2.2 Agile Project Management
5.2.3 Project Management 2.0
5.2.4 Lean Process Improvement
5.3 The Great Gestalt Switch
5.3.1 The Traditional BC Perspective
5.3.2 A Change in Objectives
5.3.3 The Whole Is Greater Than Its Parts
5.4 The Paradox of the Paradigm’s Practitioners
5.4.1 Structuring an Academic Program
5.5 Advice and Appeals to Auditors
5.5.1 Focus on Measuring Program Effectiveness
5.6 Forecasting the Future
5.7 Closing: Creative Continuity Planning
Appendix A: Measuring What Matters
A.1 Measuring Preparedness
A.2 Preparedness Is Not the Same as Recoverability
A.3 Calculating Recoverability
Appendix B: The Adaptive BC Manifesto
B.5.1 Deliver Continuous Value
B.5.2 Document Only for Mnemonics
B.5.3 Engage at Many Levels Within the Organization
B.5.4 Exercise for Improvement, Not for Testing
B.5.5 Learn the Business
B.5.6 Measure and Benchmark
B.5.7 Obtain Incremental Direction from Leadership
B.5.8 Omit the Risk Assessment and Business Impact Analysis
B.5.9 Prepare for Effects, Not Causes
B.7 Corollary: Adaptive BC Is Not Resilience
About the Authors
Excerpt from the Foreword by Dan Dorman, Service Continuity Program Manager, Alaska Airlines
I was initially introduced to the work of David Lindstedt and Mark Armour through their Continuity 2.0 Manifesto. Fortunately, it was published at an opportune moment for me and for the profession. Like many practitioners, I was conscious of a growing feeling of disappointment and frustration with the largely monolithic approach of business continuity (BC) best practices. Put simply, traditional best practices no longer appeared to be a comfortable fit to the evolving needs of business today. For example, I saw how software packages that had once been the hallmark of a solid BC program were falling by the wayside, appearing to engender much activity but produce little value.
I was concerned that many organizations were moving away from the best practices that most of us had been taught, instead treating BC as “one and done” – doing just enough to remain compliant, checking and exercising the plan perhaps once a year, and considering that good enough.
In today’s evolving business environment, the traditional approach is no longer anywhere near good enough! For, as complex risk specialist Warren Black notes, “…we are living in what is becoming known as the ‘Agile Age,’ an era that is driven by rapid, momentous and continuous change. The Agile World is one that is significantly more complex and unpredictable and it is a world whereby the ability to react and adapt quickly is critical to survival.”
Clearly, the best practices of the BC profession have failed to adapt to this agile age in all its manifestations – from agile and lean methodologies to virtual or hierarchical organizational structures.
When I read the manifesto – the concepts of which are explained and expanded upon in this new book – I knew I had found my touchstone. I realized I had, for some time, been acting from these principles and beliefs. But I had also been feeling uneasy about deviating from many of the professional standards, opting instead to radically customize my practices to the culture and requirements of my organization. Now I could shed any residual guilt and step forward boldly to take further steps within my organization. In an atmosphere of experimentation, and as part of an effort to evolve the practice of my profession, I sought practical approaches to meeting the needs of an evolving business environment.
I regard this book and the practical concept of Adaptive BC as the next significant step in the evolution of our profession. It offers a firm theoretical base, meaningful and (finally!) useful metrics to track improvements, and it is brimming with immediately practical techniques for implementing this approach in any environment.
The Adaptive BC approach should feel familiar to anyone with exposure to the new agile practices, that is, repeating patterns of rapid, practical improvements. Agile practices feature simple but well defined value-driven objectives, easily aligned with organizational goals; frequent review and adaptation; and iterative development and improvement, where requirements and solutions evolve through collaboration between cross-functional teams.
In introducing you to this book, I would be remiss if I did not mention one of the most important elements of the Adaptive BC Approach – it’s you, the practitioner! BC is a profession. The art of BC is expressed through using your experience, organizational knowledge, business acumen, and professional judgment to customize your approach in a way that complements the organizational values and culture, and addresses the stated organizational goals. Adaptive BC works best when you give yourself permission to exercise it… adaptively!
As David and Mark demonstrate in this book, the genius of Adaptive BC is that the measurement, communication, and demonstration of achieved objectives is not a separate annual or quarterly activity but is intrinsic to the ongoing process, highly integrated into regular business operations. The many practical suggestions and examples in this book will rapidly increase your professional abilities, confidence, and effectiveness while shining a spotlight on demonstrable continuous improvements in recovery capability throughout your organization.
I am confident that, through this book, you can master adaptation to the agile world we now live in, provide high value to your organization, and contribute to advancing the profession through actively implementing Adaptive BC.
My deep gratitude to David and Mark for this book, and to all the courageous voices who dare to speak up with new ideas, new approaches, and practical strategies for achieving success in this dynamic, agile environment.
Service Continuity Program Manager
Excerpt from Chapter 3
You may find value in marking the beginning of your work with some sort of kickoff activity. This might be a meeting where you, as the BC executive or planner, formally present BC and the value you hope to deliver. It might be a five-minute phone call to bring a new participant up to speed. It might even be a fancy catered lunch for a whole department (but we doubt it). Regardless of how you mark the occasion, this is your opportunity to set the stage for your relationship with the folks who will be participating in your effort.
A kickoff usually occurs the first time you are meeting with participants. At a minimum, you want to give participants an idea of who you are, why the work you all are doing is important, and what they can expect in the immediate future. Depending on how much time you have and what makes sense for the individuals in this specific department, consider addressing some of the following topics:
- How business continuity differs from emergency management, IT disaster recovery, crisis management, and other related disciplines.
- How long this might take based on your past experience.
- How much time might be needed from each of them.
- How they will be involved in setting next steps and contributing to the work.
- What BC is, in general.
- What Adaptive BC is, specifically.
- What losses you should prepare for (the loss settings of your aperture).
- What participants can expect as you work together.
- What you hope to achieve with them.
In turn, you are encouraged to learn some things from them. Depending on how much time you have and what makes sense in the context of this specific department, here are some questions you might consider:
- Are there any specific disaster scenarios about which you are worried?
- Are there any specific disaster-related worries or concerns you have?
- Do you have any questions about BC?
- Do you have any questions about disasters?
- Has anyone been through a disaster situation and what was their experience?
- Is there anything specifically you would like me to know about your department?
- Would this group like to talk at some point about how to prepare families and households for disaster?
A Word About Life Safety: Be sure to help participants understand the critical difference between business continuity and emergency management. Unless you are responsible for both disciplines, you must inform participants that while it is critically important that they plan for employee health and safety after an event, your job is to plan for continuity of their services.
Practitioners have many ways to run a kickoff session, and we will not try to cover them all here. But keep in mind the nine principles of the manifesto as well as the other tools in your arsenal as you run these sessions. You could try running a tabletop exercise as part of your initial discussion. You could take a quick preparedness baseline to help them understand right away where improvements can be made. Bottom line: Think about the value you can provide as part of a kickoff.
Remember, this does not have to be a formal or even a one-time event. This could be the first step in obtaining incremental direction from leadership. As you meet with different participants throughout each department, they may not have any idea of who you are or what you are doing. You may wish to develop several different “flavors” of kickoff presentations, ranging from a two-minute summary to a 15-minute overview. Each time, be sure to build rapport with your participants and learn as much as you can about them and their business. A key insight from a frontline worker might just be the information that proves most valuable in the days to come!
Make It Memorable: While our profession does not often talk much about the critical importance of soft skills, here is one of many cases where they show their value. In your work for the kickoff or re-group outcome, make sure to put yourself in the best light possible. Avoid the temptation to present yourself as a “master of disaster” who speaks in industry jargon, pushes an inflexible agenda, and emphasizes the worst-case scenario. Instead, position yourself as a business professional who is working to further protect each department while learning about its mission, services, culture, and people.
Excerpt from Chapter 2
2.3.9 Advantages to Eliminating Time Targets
This clearer understanding of the nature of time in preparedness planning solves several traditional problems and offers several new advantages:
- “It depends” is fully acceptable. To begin with, the approach solves the problems previously noted with regard to trying to set time targets. “It depends” is now a perfectly acceptable answer from the planning participant. Accepting this answer allows the planning practitioner to be more receptive, adaptive, and effective. The approach enables participants to self-assess restrictions rather than relying on the practitioner to facilitate the assessment of time requirements.
- It avoids potential conflicts with participants. In practical terms, the professional avoids potential confrontations with regard to discussions about time. In theoretical terms, the professional does not fall into any traps, as time is discussed only as a constraint to recovery activities, not a target that has to be set without the proper ability to do so. Participants will not feel forced to provide a single, arbitrary answer to meet the needs of a business impact analysis spreadsheet, and the practitioner can maintain a good relationship.
- It saves money. Consider a Hotel A that uses a traditional approach and a Hotel B that uses an adaptive approach. Think about the savings when conducting exercises! Hotel A will spend time and effort using exercises to try and validate its ability to hit established recovery time objectives, a dubious venture to begin with. The overriding purpose of such efforts will be to meet predetermined time requirements, and both planners and participants are incentivized to take shortcuts while overlooking or hiding potential problems. Hotel B will use its exercises to try out response strategies, examine its existing capabilities, work on team building and leadership skills, and focus on improving its ability to recover from disaster. The objective, in this case, is to arrive at a realistic understanding of the organization’s ability to effectively recover. The incentive is to build capability while looking for opportunities to improve. These improvements alone may warrant the adoption of the Adaptive BC approach we’ve proposed.
- It allows for sophistication. Note that the 24-hour and 30-day time constraints in the prior examples were made intentionally simple for the purpose of this explanation. But this need not be the case. In a personal note to the authors in April 2016, Michael Carpenter points out that there could be several increasingly mature ways to sub-categorize time constraints. The hotel’s accounts payable service identified an external 30-day payment restriction, but other drivers could come into play: “There is also the interdepartmental optimization of maximizing interest income from liquid funds available (tactical) and having the proper balance of funds versus investment for liquidity (strategic).” As discussions become more strategic in nature, this approach may help the preparedness professional to engage at higher levels of the organization.
- It saves time. Most importantly – and perhaps most shockingly, given current practices – considerations of time virtually disappear along with the time and resource-intensive activities performed in order to establish time-based targets. The result is that practitioners can focus limited resources on increasing the organization’s preparedness…
Excerpted from Security Management Magazine, a Publication of ASIS International:
Occasionally, someone comes along with a new way to analyze security—challenging conventional wisdom and accepted best practices. This is the case with Adaptive Business Continuity: A New Approach by David Lindstedt and Mark Armour.
This book places less emphasis on the documentation that traditional business continuity planning prescribes and focuses on understanding the needs and cultures of organizations—concentrating on internal dynamics of an organization as opposed to external threats. The authors argue that business impact analysis, risk assessment, testing, and training quickly become outdated and are not useful for business continuity planning. In fact, they question the usefulness of a traditional business continuity plan, stating that such plans are “too much effort for too little value.”
The authors say that “…explicit executive support is not required.” Senior management, they write, will allow the planning process to unfold without their blessing, downplaying the importance of senior-level support in obtaining the resources to effectively prepare an organization to deal with crises.
Other novel ideas include “exercise instead of test” and “eliminate standalone training.” The authors focus on being able to resume pre-event operations and neglect the impact of an event on organizational reputation, intellectual property, and other considerations.
Reviewer: Mayer Nudell, CSC
After years of working with the traditional practices of business continuity (BC), I was searching for a better, more adaptable way of doing Business Continuity. There had to be a more efficient way of doing this. Then I attended one of Mark Armour’s presentations at a conference. There was finally light at the end of the tunnel. The book by David Lindstedt and Mark Armour sums up the new approach, and provides the framework required to all levels of practitioners to move to a new, more agile and fun way of doing business continuity.
Elaine Comeau, Senior Director, Business Continuity and Crisis Management, National Bank of Canada
Finally, some amazing and disruptive ideas to do effective Business Continuity. After decades of traditional BCM, we needed a change and honestly this book just opened my professional eyes, mind and soul! Thank you David and Mark for reminding me my worst enemy is my comfort zone! The next generation of BC practitioner is officially born. Let’s kill the old school and no more BIA!
Timothé Graziani, Business Continuity Manager, Banco Popular Dominicano
Whether you are new to business continuity, or a seasoned professional, this book is an interesting read. It offers a common sense perspective to the profession and questions “why” we continue to practice old school methods in today’s agile environment. Why do we let the regulators dictate our plans instead of developing something that is meaningful to our business? Even if you don’t subscribe to every method in the book, I think you’ll find tricks that will be useful to you. A must read for anyone who is even remotely involved with business continuity.
Robin Martin, CBCP, FLMI | Ameritas
Fantastic stuff from what I’ve seen so far! I’d be happy to promote and share all of the great tools and resources provided on your website – thank you for all that you are doing in this area! Thank you to Mark Armour, David Lindstedt and everyone involved for being innovators in the industry.
Suzanne Bernier, CEM