Tag Archives: managing BCM

A few days before the recent British Airways (BA) catastrophic IT failure I was in Kuala Lumpur, Malaysia, giving a talk at the second ASEAN Business Continuity Conference entitled “Building a Robust ITDR Plan”.

The main thrust of this talk was that as IT is at the heart of every organisation, ITDR is at the heart of Business Continuity, and that it is up to the organisation’s top management to ensure that its ITDR plans both meet the needs of the organisation and are known to work.

It appears that BA’s ITDR plans did not work, and although we don’t know whether the plans were appropriate for BA, the possibility is that they weren’t. In any event, the failure certainly came as a nasty surprise to BA’s top management.

I was asked to provide a closing thought to my talk on “Building a Robust ITDR Plan”, and I used a quote from Georges Clemenceau, the Prime Minister of France in the First World War, to sum up my ideas. For those of you who aren’t that aware of the catastrophe suffered by France in that war, it lost a generation of young men. Out of 8 million men conscripted, 4 million were wounded and 1 in 6 killed.

Georges Clemenceau said “War is too serious a matter to entrust to military men.”

I said “ITDR is too serious a matter to entrust to technologists.”

BA will have learnt that lesson, as France did, the hard way.

Yesterday I finally got round to doing a job that I’d been putting off for weeks – updating my company’s Business Continuity Plan (BCP). The system that we use to manage Business Continuity, Mataco, had been regularly sending me reminders that it needed to be reviewed, but I’d been ignoring them because it wasn’t my top priority and besides, it’s an extremely boring job.

Now, my role in Merrycon is to provide Business Continuity consultancy, and the need to keep BCPs up to date is one of the things that I keep telling my clients that they need to do. I seem to spend significant amounts of time and effort helping clients set up structures and procedures to ensure that BCP maintenance is carried out in a timely and effective way, and in training client staff in how to update their BCPs. To be fair, I do advise my clients that it’s a task that people don’t like doing, but I regularly find myself in the position of criticising clients for not keeping their BCPs up to date.

So, the question is, how do I make the task of keeping BCPs up to date exciting? How do I make people want to spend time checking through their BCP to see what needs to be updated, then spend time updating the BCP, and then to spend time making sure that everyone has a copy of the new version of the BCP? I need the answer to this question not only for my clients, but for me as well.

There seems to be a growing trend in large organisations towards playing “Pass the Parcel” with responsibility for managing Business Continuity. For those of you not familiar with the children’s party game, a wrapped parcel is passed from child to child with music playing, and when the music stops the child holding the parcel can unwrap the present and keep it.

Business Continuity has always been something that managers put to the bottom of their pile of things to do, but now it appears that those that are being given responsibility for managing Business Continuity are trying to pass that responsibility on as quickly as possible before the music stops. Or in this case, before the incident occurs.

Why is this? Usually, managers are only too keen to extend their areas of responsibility, and are not renowned for handing things on to others. In the case of Business Continuity, it seems that nobody is too keen to add it to their empire.

My take on this is that Business Continuity is a thankless task, and is seen by most managers as a distraction from what they should be doing. Get it right and nobody notices, get it wrong and you’re in serious trouble.

 

Reading about one of the causes of the catastrophic failures at Mid Staffordshire NHS Trust, which led to more than 1,200 patient deaths, reminded me of a similar issue that plagues many implementations of Business Continuity Management (BCM) programmes. This was the Trust’s concentration on achieving targets that would enable them to get a good rating from the NHS auditors rather than the most important objective, which was to ensure that patients left hospital in a better state of health than when they were admitted.

The issue in many BCM implementations is that organisations are looking to get a good rating from their auditors by doing all the things that a standard states they should do rather than working to achieve the most important objective, which is to improve the organisation’s resilience.

Setting targets based on readily measurable things is straightforward, and allows auditors to identify whether or not an outcome has been achieved, or how close it is to being achieved. Setting targets on things that it’s difficult to measure is problematic, and gives auditors a major problem when making an assessment. Unfortunately, the trend in many sectors over the past 20 years has been to rely more and more on these measurable targets when assessing performance, and to ignore the most important target. BCM has been no exception – achieving compliance against BS 25999 or ISO 22301 is commonly seen as the main objective, not becoming more resilient.

Hopefully, what has happened at Mid Staffordshire NHS Trust will be the start of the end of relying on peripheral, measurable targets, and the world will move back to looking at how well an organisation is achieving its critical objectives. Don’t bet the house on it though.

This week I’m in the Cotswolds, in the UK, giving the Business Continuity Institute’s five day Good Practice Guidelines (GPG) course. As usual, the delegates all complain about the fact that GPG is a difficult book to read, and that if anything, it’s a great cure for insomnia. This is all a bit embarrassing for me as my name appears in the GPG as a contributor and one of the chief reviewers, but I can explain that it was written by committee and that it’s difficult to make such a document an exciting read.

I went on from this to explain that a new version is being written, and again, I am a contributor. On hearing this, one of the delegates asked me if the new version was going to be any better in terms of being easier to read. A very good question. I would hope so, but I couldn’t give a definitive answer as I’m just one of a number of contributors and the end document will be reviewed by a QA group. However, I will try and make it my business to see that we get a more readable version, if only for the sake of avoiding the inevitable criticism that I’ll be subjected to if it isn’t.

 

For my sins, I’m helping the Business Continuity Institute with the update of its Good Practice Guidelines. Actually, I volunteered to help, and despite the frustrations it’s well worth the effort. However, it can lead you to doubt your own sanity at times. Today is one of those days, as I’m thinking about the difference between Strategic, Tactical, and Operational Business Continuity issues.

Organisations operate at three levels. Strategic is where decisions are made, policy is determined, and resources allocated. Tactical is where operations are coordinated and managed. Operational is where activities are undertaken.

By definition, managing Business Continuity is Tactical. It is where the process of Business Continuity Management (BCM) is managed. The activities undertaken when implementing BCM, such as developing a plan, are Operational.

So far, so good, but isn’t managing BCM just an activity? If it is, then it must be Operational, not Tactical. Does this matter, is it relevant, or is it just semantics? Am I losing the will to live?