One of the more difficult areas of Business Continuity Management (BCM) appears to be getting senior management to agree the scope of their BCM programme in terms of the maximum scale of incident that they are planning to survive. This will drive such concepts as the “safe separation distance”, and must be determined before meaningful BC strategies and tactics can be developed.
A few of my clients have found it easy, such as the single-site family-owned manufacturing company based on a trading estate just outside a rural town in northern England. This client decided that they would not try to survive an incident that resulted in the complete loss of their factory and its warehouses. Most clients, though, are not able to make such decisions, and even those that are find themselves very reluctant to make the decision public.
I was reminded of all this by the events in Korea, and of someone from Seoul who came on one of my BCM training courses earlier in the year. If war breaks out and the North tries to destroy Seoul, how many companies will have planned to survive a complete loss of the city and its environs?
According to the BCI’s Good Practice Guidelines, the purpose of documenting a BCM Policy is to communicate to stakeholders the Business Continuity principles to which the organisation aspires. Should this document be kept confidential to the organisation, or should it be publicly available?
In theory, because the term stakeholder applies to staff, shareholders, suppliers, customers, and neighbours, amongst others, it can be argued that it should be publicly available. However, every time that I have mentioned this to one of my clients, or on one of the BCM training courses that I regularly provide, the idea is met with horrified gasps. For some reason, the thought of making the BCM Policy document public seems to be too radical an idea to be contemplated.
Why is this? Do organisations think that their BCM Policy document contains some kind of competitive secret? The BCM Policy should be short, sharp, and to the point. It is, after all, just a communication to inform stakeholders about the objectives and scope of its BCM programme, who has what responsibilities for the programme, and the methods and standards that are going to be used. Do organisations have proprietary methods that they want kept secret?
Another way of looking at this is to say that if your BCM Policy document can’t be made public, then maybe it contains things that should not be there.
As it’s getting near the year-end, and my company, Merrycon, starts its annual planning and budgeting exercise, I have been reviewing the consultancy contracts that we have been awarded this year and beginning to estimate the business that we can expect to win in 2011. The budget for Business Continuity consultancy income for 2010 was quite conservative because of the economic downturn and expected cuts in government spending, and actual income has been pretty much on budget. However, the number of proposals that Merrycon prepared in 2010 was as large as in a good year, with the take-up rate of these proposals being very low.
The reason for the low take-up rate of proposals is that a very large proportion of organisations appear to have simply decided to postpone their planned implementation or review of Business Continuity Management (BCM) to 2011. In some cases there was no reason given, but a major factor seems to have been the need to save money. The work had been in their budget, hence the request for a proposal, but when faced with actually spending the money they have decided to try to cut down on expenditure.
It is an unfortunate fact that BCM is an easy target for saving money. The immediate impact on the organisation will appear positive (saving money and freeing up management time), and unless there is an incident that causes significant disruption to the organisation’s operations, the effect of the postponement on the organisation’s resilience will not be seen. There might also be a negative outcome to an audit, but this is something that most senior management teams can live with – they can always plan to do the work in 2011.
So, hopefully, 2011 will be a bumper year for consulting income for Merrycon. Should I, as a result, prepare an optimistic budget, or should I be a realist and assume that many of these projects will be quietly forgotten about or postponed to 2012?
Business Continuity Plans (BCPs) should be short, concise, and easy to read. Unfortunately, far too many BCPs are loaded up with so much document control and other standard information required by the documentation standards of the organisation, that they become long, too wordy, and difficult to read. The result is that the user of the BCP has to wade through pages of information that, quite frankly, have very little to do with the BCP, before they can get to the part of the document that tells them how to respond to an incident and what they need to do.
Trying to get organisations that have such documentation standards to understand that the standards are a hindrance to using BCPs is just a waste of time and energy. These are usually the types of organisation that do not allow their staff any flexibility, and greet any such suggestions with horror. And I’m not joking when I say that many of these organisations often don’t care what’s actually in the BCP and whether it’s of any use, so long as the documentation standards have been adhered to.
I’ve often wondered what the solution to this problem is, and maybe it’s because I’m too close to it that I needed someone to point out to me a very simple device that usually allows the documentation standards to be met whilst making the BCPs easy to read. This device is to put all the document control and other standard information at the back of the document rather than the front. If you do this, the user of the BCP gets straight to the useful part of the BCP without losing the will to live by reading through pages of irrelevant information.
Another day, another Business Continuity proposal for a client. This time it’s an insurance job, which means that the client has been told by the insurer that they must have a Business Continuity Plan.
The one thing that these insurance jobs have in common is that the client wants to do the smallest amount possible to satisfy the needs of the insurance company. Generally this means just developing a Business Continuity Plan, and does not include any form of exercising, maintenance, or review. In other words, a partial and, in my opinion, worthless implementation of the BCM process.
This particular client made it quite plain that they did not want to include any exercise of the Business Continuity Plan in the proposal. It’s not that they intend to do it themselves, it’s just that they don’t really think that it’s worth the time, effort, and cost. I did try to explain to them that a plan that’s not been exercised is not worth the paper that it’s written on, and that problems were bound to be encountered the first time that it’s used, but they were not interested.
So, if that’s what the client wants, that’s what the client is going to get. I’ll try again to persuade them to exercise the plan once it has been delivered, but I know that I’ll be wasting my breath.
A standard is something that is agreed by general consent or by an accepted authority as a basis for comparison – an approved model. At the last count, I identified more than 10 published standards that relate to business continuity, all of which differ to a greater or lesser extent, and some of which come from the same authority (e.g. the BSI). This means that we have at least 10 approved models that we can use as a basis for comparison, and more are appearing each year at a seemingly increasing rate.
Business continuity is very much a practical subject, and as its implementation will vary greatly from one organisation to the next, the whole concept of a standard has to be brought into question. Despite such variation in practice I think that there is a case to be made for a standard, but perhaps the standard needs to be a bit less prescriptive than most of the current standards. Maybe the need for practical variation is the driving force behind why there are so many standards, but I think not.
To my mind, the time has come for business continuity practitioners to take a step back and look at what is happening, and to consider whether all these variations on the business continuity theme are actually standards or just the result of groups of people pushing their own agendas forward to try to gain the high ground in what is still a young and growing discipline. If this is the case, there is no standard. All we have today are accepted approaches.
The Business Continuity Institute’s Good Practice Guidelines state that “A planned Exercise Programme is required to ensure that all aspects of the plans and personnel have been exercised over a period of time, avoiding disruption to the whole business”. Very sound advice – if you haven’t exercised your plans, how do you know that they’ll work? However, when this is applied in practice, it leads to the need to have a large number of exercises.
When I run the Business Continuity Institute’s 5-day training course on the Good Practice Guidelines I always get the delegates to undertake an activity that requires them to produce an exercise programme for the coming 12 months for an example organisation. Even for a small organisation with a relatively simple response structure, this often produces a programme that envisages an exercise every single month, because ensuring that all aspects of the plans and personnel have been exercised usually requires a lot of exercises. In reality, it’s often difficult to get a small organisation to undertake more than a single exercise a year, which means that it could take up to 10 years to exercise all aspects of the plans and personnel.
Clearly, having an exercise programme running for 10 years is not sensible. Plans and personnel change, and after a couple of years you’d have to start again, well before you’d finished the programme. This would lead to an exercise programme that would never be completed.
Using the rather novel concept of “if the theory doesn’t work in practice then the theory is wrong”, shouldn’t the Business Continuity Institute’s Good Practice Guidelines point out the problems and offer some practical advice?