To BIA or not to BIA is not the question…
- Published: Tuesday, 08 August 2017 08:16
Continuity Central recently conducted a survey to seek the views of business continuity professionals on whether it is feasible to omit the business impact analysis (BIA) from the BC process. Mel Gosling, FBCI, explains why he believes this is the wrong question to ask…
The big picture
It’s always useful to step back and see the big picture, and with the question of ‘To BIA or not to BIA?’ this bigger picture is that the BIA is an integral part of the business continuity management (BCM) process specified in ISO 22301 and promoted by business continuity professional associations such as the BCI in its Good Practice Guidelines. Rather than looking closely at the detailed question, we should look at the bigger picture and ask ourselves whether or not we should use this specific BCM process at all.
Most business continuity professionals simply answer this question in the affirmative because ISO 22301 is an international standard and supported by the BC professional associations, but is this a good enough reason? After all, the history of mankind is littered with internationally accepted practices that have later turned out to be just plain wrong or that could have been improved. Two simple examples of these will suffice.
The first example is the way to avoid cholera. In the early nineteenth century the disease was thought to have been transmitted by a miasma or ‘bad air’, and the internationally accepted practice for avoiding the disease was to improve the air. We now know that the disease is caused by the bacterium Vibrio cholerae, which flourishes in warm water and is transmitted through intake of contaminated food and water. The way to avoid cholera is to have access to non-contaminated food and water.
The second example is the playing formation used by association football (or soccer) teams. The modern game of soccer originates from the formation of The Football Association in London, England in 1863, and by the 1890s a 2-3-5 pyramid formation was considered to be the best and became the standard formation in England. It then spread throughout the world and was used by Uruguay to win the 1930 FIFA World Cup. However, by the 1950s both Brazil and Hungary were experimenting with a 4-2-4 formation, which was then used by the Brazilian national team in 1958 when they won the FIFA World Cup in Sweden. By continuing to use non-standard formations they managed to dominate international soccer for more than a decade. Nowadays a wide variety of formations are used by all soccer teams, and coaches will select and deploy different formations based on the skills of their own players and the opposition.
Football had been played in various forms for hundreds of years before the formation of The Football Association in 1863, and in a similar way business continuity has been practiced in various forms for hundreds of years before it started to be recognised as a discipline (initially known as DR – disaster recovery) in the 1970s. In a strikingly similar way to the 2-3-5 pyramid formation in football becoming the standard formation within about 30 years, the basic BCM process used in ISO 22301 started to become accepted practice within about 30 years of the emergence of disaster recovery.
Unfortunately, rather than just being seen as an accepted way of implementing and managing business continuity, ISO 22301 seems to have taken on a sort of religious orthodoxy for BC professionals, in a similar way that the Ten Commandments are believed by many to have been received from God by Moses. I make no apology for the analogy; both appear to be instructions written in ‘tablets of stone’ that need to be obeyed. Rather than suffer eternal damnation though, business continuity professionals who don’t follow the instructions are threatened with a report of non-conformance.
Most business continuity professionals are not heretics and follow the seemingly divine wisdom of the ISO prophets, but there are an increasing number who have their doubts.
Outcome not process
The crux of the problem seems to be that a standard has been created that tells you how you should implement business continuity rather than telling you what the outcome of the process should be. This is not a popular view as it flies in the face of conventional wisdom about management systems standards.
Standards are, by and large, a good idea, but take a moment to think about how they have been applied and successfully used in many industries over the years. In doing this, take a simple example, such as the JPEG standard. This standard identifies a common format for storing and transmitting photographic images – in other words it defines the outcome, not the process that you need to go through to produce the outcome. Who cares how a JPEG file is produced? So long as it behaves like a JPEG file and can be used by other computer applications as a JPEG file the process by which it was produced is totally irrelevant.
So, stand back again from the detailed question, which has now become ‘To use the ISO 22301 process or not?’ Imagine that you are the soccer coach of Brazil preparing for the 1958 FIFA World Cup. Should you use the standard formation that everybody has been using for the last 60 years, or should you choose a formation that you think will enable you to achieve your objective of winning the World Cup?
What is the objective?
So what is your objective? If your objective is just to tick a box to show the auditors, a regulator, or a potential customer that your organization is ISO 22301 compliant, then you should religiously follow the ISO standard. If your objective is to make your organization more resilient, then you need to determine the most cost-effective solution for your organization. You will need to look at the ISO 22301 standard and decide whether or not it produces the desired outcome for an acceptable cost, but if it doesn’t then you’ll need to identify a better way of achieving your objective.
I make no judgment here, either about religion or business continuity. You need to make a personal decision about whether to follow the orthodox approach, or whether to look for a better way. And herein lies the most pernicious effect of the ISO standard: it stifles innovation.
Business continuity is a young and evolving discipline and is an integral part of a technological revolution that is changing mankind. The environment in which business continuity is practiced and the tools that are available are developing rapidly, and the idea of sticking to a way of implementing BC that is essentially more than 20 years old strikes me as being ridiculous.
Business continuity should be changing, BC professionals should be innovating. If not, BC will be seen as out of date and irrelevant.
The real question
The question that needs answering is not ‘To BIA or not to BIA?’ Rather it is ‘How on earth did the BC profession get itself into the position of stifling innovation, and how are we going to get ourselves out of this self-inflicted straitjacket?’
Mel Gosling is a Fellow of the BCI and the founder and principal consultant of Merrycon Ltd, a company that specialises in providing business continuity services, and has more than 18 years of experience in the field of business continuity management. He came into BC after more than 20 years in software development, IT management, and IT disaster recovery, and has successfully introduced BCM to a wide variety of types and sizes of organization, working with Merrycon’s clients to review their implementation of BCM, run BC exercises, develop BCM guidelines, and train staff in all aspects of BCM. Contact firstname.lastname@example.org