
Tag Archives: BCI

I have just attended a very good Business Continuity (BC) conference held in Malaysia by GRC Consulting Services in conjunction with the Business Continuity Institute (BCI), but I couldn’t help being concerned about the fact that the standards industry is producing more and more management systems standards in and around the subject of BC.

Why is this happening? Well, to my mind, there seem to be two drivers behind this trend, neither of which is good for BC.

The first one, which an increasing number of people seem to be talking about, is that the main bodies behind the development of all these standards have discovered a rich source of revenue and are now exploiting this for all that it’s worth. These bodies claim to be “not for profit”, but like many such organisations there are large numbers of people engaged in standards activities that derive considerable profit from the work that they do. The more standards that they produce the more these people profit from the work that they do.

This driver is simply the age-old story of people making a profit when they can, and is not too dangerous as it will eventually come to an end when the people buying and using the standards come to realise what’s going on. The second driver, though, is much more dangerous, as it strikes at the heart of BC and has the capacity to cause enormous damage.

This second driver is the desire to make something that is difficult, complex, and demanding, and which requires considerable skill and experience, simple to implement through a process that can be implemented by a management system. To see what I mean, you need look no further than BS 65000, the recently published Guidance for Organizational Resilience, which, to quote the body that produced it – “This landmark standard provides an overview of resilience, describing the foundations required and explaining how to build resilience.”

Organizational Resilience is something that every company continuously tries to achieve. It is nothing new, and has been an essential goal ever since the first company was founded. Few manage it over the long term, and the life of most companies is very short as the products and services that they produce become outdated and overtaken by new trends, ideas, and inventions. If explaining how to build resilience can be described in a short pamphlet and implemented by anyone with the capability to read and follow a set of procedures, then how come it was missed by so many millions of people involved in the running of the hundreds of thousands of companies that have failed?

The international standard for Organizational Resilience (ISO 22316) is due to publish in 2016, which must be a great relief for all those organisations that are struggling to survive in the ever more competitive markets in which they operate. All they now have to do is implement the standard, be audited for compliance, and get the certificate. So much easier than researching and developing new products, finding new markets, producing the products and services at competitive cost, controlling cash flow, hiring and maintaining the right people with the right skills, complying with ever increasing legislation, developing and enhancing reputation, etc.

 

I have been further convinced of the need for the Business Continuity (BC) profession to get back to its fundamentals by the juxtaposition of the publication by the Business Continuity Institute (BCI) of a comprehensive list of legislation, regulations, standards and guidelines in the field of Business Continuity Management (BCM) and the experience of many businesses that were affected by the recent floods in the north-west of England.

Some small businesses, mainly those that operate and serve very local markets, have temporarily closed until their premises can be refurbished, but others are up and running and continuing to trade even though their premises were badly flooded. The businesses that are back up and running had implemented BC, but not in the way envisaged by the BC profession through its standards and guidelines.

These businesses had taken steps to ensure that they could recover from incidents like the recent flooding by doing such things as backing up their data, implementing cloud computing, knowing where they could obtain replacement premises and equipment, being able to redirect their telephones, and having adequate insurance cover. They are also managed by people who know how to respond to incidents, are committed to the continued success of their business, and know what needs to be recovered by when without having to read a plan.

None of these businesses had implemented a formal BCM programme, none of them had followed any guidelines, and none of them had implemented a Business Continuity Management System (BCMS) or been certified to a BCM standard.

The publication by the BCI of a comprehensive list of BCM legislation, regulations, standards and guidelines is very useful, and I’m not decrying it. But, and it is a very big but, the purpose of BC is to enable organisations to be resilient to incidents that affect their ability to operate. The people who own and run businesses in the north-west of England that had taken steps to ensure that they could recover from the recent flooding are practising the fundamentals of BC, and by and large have never even heard of BCM legislation, regulations, standards and guidelines.

Don’t get me wrong, there’s nothing wrong with BCM legislation, regulations, standards and guidelines, but they are not an end in themselves. I sometimes think that BC professionals lose sight of this.

As most people are only too well aware, the way that we find and use information is going through a radical and fundamental change, which is being driven by the Internet. What doesn’t seem to have permeated the world of Business Continuity though, is that this change is revolutionising the Business Continuity Plan.

Not too many years ago, in our house, we used to keep a telephone directory and combined bus and train timetable near our front door, close to where we had our telephone. Today, we have neither of those things, and if we want to find a telephone number or the time of a bus or train we’ll simply use the Internet, and rapidly find what we’re looking for without wading through pages and pages of small print trying to decipher how the directory or timetable is organised before getting to the information that we want. We also had the depressing problem of finding out later on that we’d looked up the information in a document that was out of date, and that one of the family had inadvertently thrown away the new version and kept the old one.

Telephone directories and timetables are just two examples of documents that are being used by fewer and fewer people, and most of those are older people who find it hard to change a lifetime’s habits. Using printed documents to find information is becoming a thing of the past, as anyone who mixes with youngsters will confirm. Why, then, do we persist with documents in the world of Business Continuity? What’s wrong with just finding the information that we need from the Internet?

The problems of document based Business Continuity Plans are only too well known. Unfortunately, more often than not, they are difficult to use in a crisis, contain unnecessary information, and are out of date. What we really need is something that is simple to use, delivers exactly what is required, and provides the latest information. That is an App.

An App is short for an Application, and is quite simply a piece of software designed to fulfil a particular purpose, and is downloaded by a user to a computing device from which it can be used. Apps can be used to obtain information, and when designed to provide the information required to respond to an incident, they are an ideal and powerful tool.

Don’t make the mistake of thinking that holding a Business Continuity Plan as a PDF document and making it available on the Internet via an App is the same thing as an App designed to enable someone to respond to an incident; it’s not. You don’t look up the time of a train on the Internet by opening up a PDF document and searching through it, do you?

A Business Continuity App can provide responders with clear, action-orientated, and time-based direction, while allowing quick access to relevant and up-to-date support information. Exactly what we want to achieve.

This revolution has profound consequences for the world of Business Continuity, and if you’d like to find out what these are, then come and listen to me present at the BCI World Conference and Exhibition in November. The Business Continuity Plan, as a document, is dead, long live the Business Continuity App.

There seems to be a growing undercurrent of opinion that is seriously starting to question the current direction of Business Continuity (BC). It is best summarised by three issues that have been identified by David Lindstedt: it isn’t evolving; executives aren’t engaged; and there aren’t any meaningful metrics. To these I would add a fourth issue, and this is that the profession seems to have backed itself into a standards corner.

By pure coincidence I’ve just come across a new way forward for BC whilst undertaking research for a paper that I’ll be presenting at this year’s BCI World Conference and Exhibition in London in November. The title of my paper is “The BC Plan is Dead!”, and whilst looking for a practical example of the ideas that I’ll be presenting, I came across a novel and exciting approach to BC that has been implemented by a major UK company. I don’t want to spoil the presentation, so I can’t reveal yet who it is and what I’ll be saying, but a representative from that company will, as part of my presentation, show a new approach that is measurable, adds value to the business, has the active support of the Top Executive, extends the traditional boundaries of BC to include all disruptive incidents, and puts BC in front of the Top Executive on a regular basis.

On the assumption that this new approach “holds water” when publicly presented, I intend to explain and document it after the Conference. I have to admit that it’s not an approach that I’ve developed, I just stumbled across it. However, I’m so impressed by what I’ve seen that I believe that it needs to be properly put in front of Business Continuity professionals.

The prevailing view of the Business Continuity (BC) community is that the only benefits of not having a Business Continuity Plan (BCP) are that you’ll be saving a small amount of time and money, but with huge downsides if you ever suffer from an incident that causes major disruption to your operations. But this may have to be revised as a result of a fire at a Dogs’ Home in Manchester in the UK last Thursday evening.

The fire, which was tackled by more than 30 firefighters, was a tragic event that killed about 60 animals. Some 150 dogs were saved, and from all the reports it looks as if the staff did not have a pre-prepared BCP. However, the public rallied round after the Dogs’ Home asked for people to provide temporary foster care for the rescued dogs. Large numbers of people turned up to help, volunteers at the site began collecting dog food, bedding and other items donated by the public, and a JustGiving account set up by the Manchester Evening News raised more than £1.2m. In fact so many people tried to turn up to help that the Cheshire Police tweeted: “High Volume of Vehicles at Cheshire Dogs Home to adopt dogs following the recent tragic fire. Avoid area if travelling.”

Volunteers are saying they have been overwhelmed by the response and that they now have rooms full of dog food, blankets, crates and baskets, and although many members of staff say they’re devastated by the fire, there’s a sense of optimism and comradeship as fosterers turn up to take dogs home.

The net result seems to be that the Dogs’ Home is far better off than if they had had a BCP that clicked seamlessly into operation and hadn’t had to ask for help. So, before you decide to spend time and money on developing a BCP, ask yourself if you should just wait until an incident happens and hope that help and assistance will be provided by the public. Maybe this would only happen in the UK and to a Dogs’ Home. I wouldn’t recommend that a bank tries it!

Just when you thought that the Business Continuity (BC) profession had grown up and stopped quoting bogus statistics about the effects of not having Business Continuity Plans, along comes another report trying to scare management with fairy stories.

This time the story comes from none other than the Business Continuity Institute (the BCI), which has published a paper called “Counting the Cost” as part of Business Continuity Awareness Week, in which the author states that “Figures show that 40%-60% of businesses without a BC plan never reopen after a significant incident, and the response for the first 10 days are critical to survival”. These figures come from something published on a website called visual.ly, and are totally unsubstantiated, as are all such statistics.

The author cautions the reader that “This report aims to be descriptive rather than normative. The figures cited come from surveys conducted by the BCI and other organisations (eg. IBM, Ponemon Institute, etc.), which also acknowledge the same limitations. Hence, statistical inferences cannot be applied to this data.”

If you can’t make statistical inferences about data, then don’t use the data! Pretty simple really.

Maybe, just maybe, some time in the future, the BC profession will grow up and realise that you can’t just go around quoting unsubstantiated statistics about the benefits of BC.