The slow death of business continuity management or just a wobbly knee?
- Published: Wednesday, 29 November 2017 10:37
Carl Gibson argues that the concept of a more cohesive and comprehensive critical incident management capability may be more effective than conventional business continuity management, which is held back by rigid standards.
I have just got back from the Risk Management Institute Australia conference in Canberra, where, despite Qantas’ best efforts, I managed to join my Panel presentation (for its last fifteen minutes) to discuss developments in Australian and international Standards. I also presented a full session on VUCA, neuropsychology, sensemaking and their relationships to resilience. I had intended to be controversial about the narrow and limited role of business continuity management (as it is promoted by some bodies and standards) and the much wider importance of a very different thing – the continuity of business (both strategic and operational). I had expected a backlash, but was surprised by the number of people that approached me after the presentation with examples of their own poor experience with business continuity management as it currently stands. It has been expressed to me many times that there are things that should be in standards and there are things that should not. Part of the problem with business continuity standards is that they are based upon rigid management systems standards, originally designed to standardise factors such as quality in highly controlled, highly routine, highly predictable operations such as manufacturing assembly lines. With the expectation that the management system approach will work in loosely controlled, volatile, complex, non-routine, highly uncertain, and unpredictable environments that produce disruption.
There appears to be a growing number of practitioners (becoming particularly vocal online) that are critical of the cost, complexity, and inflexibility of the business continuity management process. Part of the problem, I think arises from false expectations. Since the earliest publications on business continuity (and yes, I have been responsible for a number of Australian and other jurisdictions’ standards publications- so I should be held to account for that) the process has been promoted as a near universal panacea for managing the effects of a disruption. For which it is plainly not, given the growing number of disruptions where business continuity management has had little to contribute.
Now I am not suggesting for one moment that business continuity management cannot be a valuable, even an essential capability for most organizations. However, it must be recognised that business continuity does have substantial limitations. It is after all an approach that is based upon Newtonian thinking, a linear construction of cause and effect. That is fine for situations where simple cause and effect relationships exist, for example: ‘there is no power - therefore the computer will not work - therefore turn on the generator or use a manual process’. However, many disruptions are not Newtonian in character, and as organizational systems become increasingly complicated, business continuity management becomes less effective and less relevant. Where we encounter true complexity, business continuity’s relevance is doubtful at best.
It is a case of ‘horses for courses’, and that are some racecourses where the hurdles are just too big for BCM to run.
One characteristic of business continuity management that has received little attention is that activating a business continuity response can be disruptive in itself. Business continuity arrangements are by their very nature less effective and less efficient than business as usual (BAU)(otherwise they would have become BAU). Business continuity management works where its inherent disruptive nature is less than the disruption caused by the adverse event (that initiates the intervention) and also where the benefits of using business continuity outweighs the cost and disruption that it introduces. As we move away from the simple technical interruptions to more complex disruptions, this cost-benefit equation changes, increasingly moving from the ‘benefit’ side to the ‘cost’ side.
The concept of a more cohesive and comprehensive critical incident management capability is becoming more accepted as an approach where the management of risk, emergency management, issues management, crisis management, and contingency arrangements, (a deliberate introduction of an old term, meaning more than just business continuity management) work together seamlessly. This includes the capability for an extended business as usual operation, one where routine processes are able to function over a wider range of conditions without becoming disrupted.
Business continuity practitioners will continue to find it difficult to get ‘time at the big table’. I am already seeing the title of Business Continuity Manager being replaced more and more by the titles of BC Coordinator, BC Adviser, BC Consultant, etc., and being pushed further down the hierarchy. It seems that business continuity practitioners will be increasingly seen as technicians, with business continuity management eventually becoming just one technique alongside a multitude of others, such as criticality analysis, event tree mapping multi-criteria approach etc.
There is an interesting paper that I had originally missed when it was published last year. The work came out of the prestigious Wharton School at the University of Pennsylvania and highlights research demonstrating how continuity plans can be harmful, promoting poor performance in the pursuit of primary organizational goals (Shin J., & Milkman K.L. (2016). [How backup plans can harm goal pursuit: The unexpected downside of being prepared for failure. Organizational Behavior and Human Decision Processes, 135, 1-9).]
Also worth a look is the recently published book by David Lindstedt and Mark Armour – ‘Adaptive Business Continuity’. The book considers a range of problems with the currently used approaches for business continuity management and counters with simpler and easier to implement solutions. They present some compelling arguments, and whilst I do not agree with every one of their contentions, it is a useful contribution to moving away from the limitations and vacuous contentions we see in some of the ‘standardised methodologies’ in use today.
Meanwhile, I am trying to finish my latest writing endeavour, a book on critical incident management. With the chapter on contingent arrangements still to finish and the chapters on recovery, and on leadership and culture yet to start, I am hoping to complete this tome over Christmas and to send out to reviewers in the New Year. Oh, and would you be surprised to know that it features a critique on business continuity management?
Carl Gibson, Executive Director Risk, Resilience and Transformation at Executive Impact Joint Venture Impact. Contact Carl.