Resiliency, it’s that word again. I hadn’t heard of it before July, but now I think that it’s going to become very important over the coming years. Why? Because more and more people are going to come to understand that Resiliency is the way that organisations use the following established management disciplines to protect their assets and value, reduce the chances of being seriously damaged or disrupted by incidents, and improve their ability to survive in an ever threatening and changing world.
- Business Continuity
- Emergency Planning
- Health and Safety
- Risk Management
At the moment there is a heated debate being conducted about how Business Continuity and Risk Management should fit together – Resiliency makes this debate rather futile.
How many Business Continuity professionals take Business Continuity Management (BCM) seriously? I mean, how many of them really believe BCM to be important enough to apply the discipline to their own personal lives? Think about it. As a BCM professional, do you have your own personal Business Continuity plan? If not, why not? Don’t you think that it’s important enough?
Have you got a plan that will cope with your house being destroyed? Would your relatives know what to do if you suddenly died? Have you backed up all those paper records detailing your investments? What about your personal computer records, could you recover them if your house was destroyed by a catastrophic event?
One day, I’m going to get the opportunity to ask a group of Business Continuity professionals these questions. My guess is that very few of them will have implemented any kind of Business Continuity capability for their own lives.
Ask ten people to give you their views on the likelihood of a threat occurring, and you’ll get ten different answers. However, they probably won’t diverge as much as that of two people who I met last week.
We were talking about the chances of severe weather affecting the UK and causing serious disruption to businesses. The first person, who was relatively young, and had lived all their life in the centre of Birmingham, thought that such an event was extremely unlikely. The second person, who was somewhat older and had lived in various parts of the UK, thought exactly the opposite – that such an event was extremely likely to happen. I have to say that I agreed with the second individual, given the fact that such events happen nearly every year (for example, in 2009 Cumbria was disrupted by severe flooding), and it was amazing that the first individual rated the chances as very low.
OK, the first individual was young, and maybe severe weather doesn’t happen in Birmingham, but given that they were employed in the areas of Risk Management and Business Continuity their understanding of the likelihood of such an event should raise concerns. Severe weather is something that is well documented, and there is no excuse for not being aware of the chances it happening in any given geographic area. If someone working in Risk Management and Business Continuity does not know about the threat of severe weather, how much can you rely on their estimate of threat occurrence for all those other threats for which reliable statistics are not available?
What is the optimum size for a Business Continuity Plan (BCP)? At what point should you decide that it has become too big and break it up into a number of smaller plans?
The BCI’s Good Practice Guidelines states that a BCP should be concise and easy to read, implying that it should not be too long. But how long is too long? Certainly less than 1,000 pages, probably less than 100, but less than 50? A straw poll that I’ve just taken from of a group of Business Continuity coordinators for a large bank has resulted in opinions thatv vary from 5 to 50 pages for the optimum size, with the favourite number being about 25.
Most large organisations have central Business Continuity Management (BCM) departments that provide a template BCP for each division, department, or site to use when producing their local BCP. Many of those templates are at least 25 pages long, and that’s before the actual plans and contact details have been put into the template! In other words, these central BCM departments seem to be ensuring that local BCPs are far larger than what is being regarded as the optimum size. Is this sensible? Maybe not, but it’s probably inevitable.
Many years ago, when I was still at school, I read a book on economics that started with the statement “If the theory does not work in practice, then the theory is wrong.” This made a great impression on me, particularly as it flatly contradicted the widely accepted view that “It’s all very well in theory, but it won’t work in practice.”
I am always reminded of this when I present the BCI’s 5 day GPG course. This course presents the theory of Business Continuity, how it is supposed to be done, rather than the practice, and it never ceases to amaze me how much most organisations’ implementation of Business Continuity Management (BCM) differ from the theory as presented in the GPG.
Is there something wrong with the theory, or are all those organisations implementing BCM incorrectly?
Many organisations, including my own, now hold and distribute their Business Continuity Plans (BCPs) as electronic documents. Typically, a PDF format is used so that the recipient of the BCP can’t make unauthorised changes. However, the use of electronic documents raises the issue of security, particularly as these are often held on memory sticks and distributed by email.
There are a number of software products available that are designed to secure PDF documents, both in terms of who can gain access and what someone is allowed to do with the document once they have gained access. Such software products are often used to protect copyright by disabling the Copy facility. However, these products are not very secure, and there are quite a number of freely downloadable utilities that can be used to break the security and provide complete access to any secured PDF document.
The answer is to use robust and up to date encryption software, but this can often get in the way of using the BCPs in the event of an incident, particularly if the people needing to respond do not have access to the encryption key or the software needed for decryption. My company, Merrycon, has decided that its own BCP needs to be better protected, and is in the process of evaluating potential solutions. How many other organisations are encrypting their BCPs?
This morning I decided to take a look at the BSI’s website to see what they were currently saying about Business Continuity and BS 25999. It’s been some time since I’ve looked at this, and was quite amazed at all the resources, advice, products, news, and services on Business Continuity that can now be obtained from the BSI through their TalkingBusinessContinuity website, which is presented as “the comprehensive resource on business continuity management”.
Rather than being the UK’s national standards body, the BSI appears to be positioning itself into the organisation that you would turn to for advice, help, and resources on Business Continuity. In other words, it appears to be setting itself up as a direct competitor to all those other organisations that provide similar services. Is this what the BSI is for?
According to the BSI’s website, “The main objective of the BSI is to publish and proliferate standards and standardisation both domestically and internationally.” Is becoming the leading authority on Business Continuity a secondary objective? Does this compromise its role as a standards body?
One of my clients has come up with an approach to the introduction of business continuity that contradicts conventional advice, but which makes a great deal of sense in the long-term.
The client has taken on board the long-term aim of embedding business continuity in the organisation’s culture, so that it is just part of the way that they do things, and has quite reasonably decided to introduce business continuity as just another process that the organisation will undertake rather than making a big deal out of it by planning and implementing special campaigns and projects.
Will this low-key approach actually work? I must admit that a lot of organisations introduce business continuity as new and important initiative, which provides an initial impetus and yet leads in the long-term to staff and managers ignoring the process when the next new initiative comes along. The low-key approach might well be the right way – but we won’t find out for a few years yet.
So, the debate continues. What is the relationship between Risk Management and Business Continuity? Is one a subset of the other? Are they separate disciplines? Has Risk Management got any role in Business Continuity? Is Business Continuity simply a risk mitigation measure for low probability high impact events? Will the antipodean view of the standards for Risk Management and Business Continuity prevail? Is it correct? Will the US view prevail? What will the new ISO standard look like? Etc, etc.
Does it matter? Does anyone care, apart from the various institutes and standards bodies, who have the most to gain, and lose? Does it matter in practice? Aren’t Risk Management and Business Continuity just two facets of a multi-dimensional and multi-disciplinary approach to corporate security and survival? Aren’t Emergency Planning, Crisis Management, and Insurance other facets of the same thing?
If human behaviour is anything to go by, the situation will just become more splintered and entrenched as the various disciplines and standards divide and multiply. Or maybe sense will prevail? Answers on a postcard please.
Success. Today I was with a client presenting a review that I’d undertaken of their initial work to implement Business Continuity Management to the steering committee that had been appointed to oversee the implementation. One of the key things that I’d identified in the review was that they had not yet determined the scope of their BCM programme, both in terms of products and services and the scale of the incident that they were going to plan to survive.
This message was taken on board by the steering committee, and developed by one of the members of that committee who suggested that the decision makers needed to meet not only to determine the scope, but also to set the priorities for implementation based on the dependencies between the products and services and main supporting activities. In other words, a strategic Business Impact Analysis (BIA). This is exactly what the client needs to do, and it was great that the steering committee came to this conclusion and have decided to act on it.
My immediate role with the client came to an end today with the presentation of my review, but I’ve asked the Business Continuity manager to let me know what happens in terms of whether they really do go ahead with the strategic BIA in the short timescale that they were discussing at the meeting.