Interestingly, The Times newspaper in the UK ran a two-page spread on Nassim Taleb on Saturday (the man who wrote “The Black Swan” – if you haven’t read it, then do so, now). He has a lot to say on risk, most of which is very controversial with risk managers in banks, but The Times quoted something that he said which, in my opinion, sums up the difference between the two management disciplines of Risk Management and Business Continuity. He said “Instead of trying to give yourself the illusion of predictability, you want to build systems that are naturally robust to error”.
You can have the best Risk Management that money can buy, and you can take all the mitigating measures that you want, but you cannot remove the chance of something going wrong. You need to plan for things going wrong, and be able to recover and survive in the long term. This is a robust organisation.
I’ve recently had another example of an organisation that seems to be a bit confused about the scale of incident that it should plan for when implementing Business Continuity. This one has just outsourced its ICT, and as part of the agreement has made sure that the outsource company has disaster recovery arrangements in place. So far, so good, but the only problem is that the main and backup data centres are in the same city, less than 10 miles apart.
Now, this particular organisation is in the public sector, and provides services to the whole of the country in which it operates, and reports to an arm of that country’s government. Its computer systems are absolutely essential to its operations, and if its outsource supplier loses both its main and backup data centres at the same time, this organisation will be unable to operate, and will never recover.
Being an ever helpful consultant, I pointed this issue out, and was told that the chances of both data centres being lost at the same time were too small to worry about. And anyway, if it did happen, the incident would be so large that most of the staff would be lost or unwilling to work.
So, their maximum survivable incident is the loss of only part of the city in which they operate, which clearly does not meet the requirements of the country in which it operates, or the customers that it provides services to. Are they bothered? Watch this space.
ISO 22301 is a standard for Business Continuity Management Systems. The key word here is “Systems”, which is why the standard contains more about management systems than it does about Business Continuity. It is not a standard for Business Continuity, as so many people seem to think.
This is all understandable and quite logical, but what defeats me is why ISO 22301 contains so much about risk. ISO has already published a standard for the implementation of risk management, ISO 31000, and is busy working on a whole series of standards under the 31000 heading. Why then, should risk form such a significant part of a standard on Business Continuity Management Systems?
Risk Management and Business Continuity Management are related disciplines, and their implementation should be coordinated and complementary. The links between the two need to be clearly identified in each standard, but I can’t really see the point of putting a statement in ISO 22301, which is supposed to be about Business Continuity, that says “Top management shall ….. by defining the criteria for accepting risks and the acceptable levels of risk”. This is Risk Management, not Business Continuity. By all means put a statement into ISO 22301 that says that an organization should implement Risk Management, but that’s all it needs.
The long-awaited ISO 22301 has finally been published, and despite all the hype that’s been built up over the past year, the reaction of the Business Continuity world has been fairly muted. This is probably due to the fact that its content has been known for a long time, and that it says nothing new about the subject.
I would go further than this though, and contend that it says very little about Business Continuity, and an awful lot about management systems. Anyone who is looking to the standard for help on implementing Business Continuity is going to be very disappointed. However, its companion, ISO 22313, the guidance for Business Continuity, is expected to contain a lot more information. Let’s hope so.
It’s been some time since I posted anything new on my Business Continuity blog – very remiss of me. Nobody will bother to follow a blog that isn’t kept up to date. In my defence I’ve been very busy providing training and consulting, but that’s not really an excuse.
This is, of course, very similar to the problem that a large number of Business Continuity initiatives run into, which is that they are not kept up to date. And what happens when they’re not kept up to date? The same as happens to an out of date blog – nobody takes any notice of it, and nobody reads it.
There’s a lot to include in this blog, not least of which is the release of ISO 22301. So from now on, no matter how busy I am, I’ll try to keep this blog up to date.