There seems to be a growing trend in large organisations towards playing “Pass the Parcel” with responsibility for managing Business Continuity. For those of you not familiar with the children’s party game, a wrapped parcel is passed from child to child with music playing, and when the music stops the child holding the parcel can unwrap the present and keep it.
Business Continuity has always been something that managers put to the bottom of their pile of things to do, but now it appears that those that are being given responsibility for managing Business Continuity are trying to pass that responsibility on as quickly as possible before the music stops. Or in this case, before the incident occurs.
Why is this? Usually, managers are only too keen to extend their areas of responsibility, and are not renowned for handing things on to others. In the case of Business Continuity, it seems that nobody is too keen to add it to their empire.
My take on this is that Business Continuity is a thankless task, and is seen by most managers as a distraction from what they should be doing. Get it right and nobody notices, get it wrong and you’re in serious trouble.
Reading about one of the causes of the catastrophic failures at Mid Staffordshire NHS Trust, which lead to more than 1,200 patient deaths, reminded me of a similar issue that plagues many implementations of Business Continuity Management (BCM) programmes. This was the Trust’s concentration on achieving targets that would enable them to get a good rating from the NHS auditors rather than the most important objective, which was to ensure that patients left hospital in a better state of health than when they were admitted.
The issue in many BCM implementations is that organisations are looking to get a good rating from their auditors by doing all the things that a standard states they should do rather than the working to achieve the most important objective, which is to improve the organisation’s resilience.
Setting targets based on readily measurable things is straightforward, and allows auditors to identify whether or not an outcome has been achieved, or how close it is to being achieved. Setting targets on things that it’s difficult to measure is problematic, and gives auditors a major problem when making an assessment. Unfortunately, the trend in many sectors over the past 20 years has been to rely more and more on these measurable targets when assessing performance, and to ignore the most important target. BCM has been no exception – achieving compliance against BS 25999 or ISO 22301 is commonly seen as the main objective, not becoming more resilient.
Hopefully, what has happened at Mid Staffordshire NHS Trust will be the start of the end of relying on peripheral, measurable targets, and the world will move back to looking at how well an organisation is achieving its critical objectives. Don’t bet the house on it though.
What is your organisation’s Business Continuity planning horizon? By that, I mean what time-scale after an incident that causes disruption do your Business Continuity Plans cover? A day, a week, a month, longer?
Every organisation that I’ve ever come across determines some kind of time limit, which is linked to the level of service that it plans to recover to. Without such a planning horizon, recovery plans would cover the complete resumption of the organisation back to its original state – which would be far too detailed and complex, and assume that nothing would change after the incident.
This planning horizon needs to be agreed at an early stage of the Business Continuity Management (BCM) process, before the Business Impact Analysis (BIA) is undertaken. This is because the BIA needs to concentrate on those activities that need to be recovered within the planning horizon. If this boundary hasn’t been put on the BIA, then a lot of time and effort will be wasted analysing every single activity.
So what? If everyone has a planning horizon then why mention it in a blog? Because it’s something that the Business Continuity industry chooses to keep secret. Try finding it is the ISO standard or the BCI’s Good Practice Guidelines. The idea of concentrating on the urgent activities in the BIA is there, but you won’t find anything about top management deciding on a planning horizon in the BCM Programme management sections. What’s everyone being so coy about?