Charlie Maclean-Bristol discusses the remit of a typical business continuity manager and asks whether the BIA is fit for purpose.
Last week I noticed that there were large power outages in Holland effecting Schiphol Airport and also, it seems, half of Turkey. I feel at times these incidents happen to keep us business continuity managers in a job and remind our senior managers that we live in a fragile world and they need a business continuity manager!
I thought I would share some thoughts on business continuity and whether we are really doing enough to manage the real risks to our organizations?
Often within an organization the business continuity manager is the only person who is looking at risks and also building a framework for management response to the risks if they occur. Within the organization there will be those concerned with managing operations; however their roles are very much looking at keeping operations delivering to set targets. The IT department may be identifying their risks and building in disaster recovery to the systems they manage but they do not concern themselves with the management of an IT incident beyond recovering their systems. Even those concerned with information security manage the information security risks and may concern themselves with reacting to an event at the technical level but, again, do not involve themselves with the tactical and strategic management of the incident.
The business continuity manager is often the only person in an organization who has a formal role in preparing the organization to respond to a major incident. The issue I see is that the scope of the typical business continuity manager’s role is too narrow and they, in many cases, are not addressing the full range of incidents the organization may have to face.
Having taught the Good Practice Guidelines (GPG) course recently, I am very up to date on the teaching of the types of incidents we are preparing for. We as business continuity people concern ourselves with looking at the threats and managing incidents where we lose our premises, people, resources (including IT) and suppliers (PPRS). I always teach my students that they should be preparing for PPRS. Different industries have different drivers and risks and so the business continuity manager’s remit may be wider, however the GPG concerns itself with managing these four categories. It does have a line which states we have to have a team in place which can manage any event; where there is not something actually physically lost, such as reputation, the GPG is quite vague on the type of incident this could cover.
I think as business continuity managers we need to add value to our unique position of being the sole person responsible for identifying potential incidents and then putting together a framework for managing them. We need to engage further with different parts of our organization and talk about how incidents which they are responsible for can be placed within our response framework. This could include how the organization would respond to an information security incident. Often those responsible have tools and methodologies for managing the technical response to an incident but have not looked at the reputational elements of the response, which if managed badly can compound the negative impact of the incident. Have we also coordinated our plans with Operations and understood the type of incident caused by a failure of product or service? If we have to do a product recall, which again can have a major reputational impact, do the production team have a plan for this? If you have a reputational incident or a security incident such as a kidnap, have your plans been coordinated with their plans or have you all been writing plans in silos? The worst thing you can have is three strategic/crisis level plans all being deployed simultaneously for a complex incident.
The planning for these events brings me back to the GPG and the toolkit it gives us. The more and more I look at the BIA part of the business continuity lifecycle I am not sure it is fit for purpose. Its remit to me seems too narrow with a concentration on PPRS which does not look holistically across all the risks an organization faces. It is also too narrow in that it looks at external events which could affect the organization rather than internal processes and procedures, which if not fit for purpose or have become corrupted over time, can cause the incident. Looking at internal processes and identifying potential issues is a lot more difficult than looking at the more obvious external threats that we as business continuity managers love; such as fire and flood.
So when you have a spare moment consider whether you are coordinating enough within your organization: are you ready to manage any event? Secondly, I am interested in hearing from anyone who would like to join in the discussion ‘Is the BIA as it is portrayed in the GPG fit for purpose or does it need a radical overhaul?’
I understand where you are coming from, Charlie, but I wonder if we are blurring two distinct response functions: Incident Response and Crisis Response.
In my own company, we define a crisis as being a situation that has the potential to challenge the corporate governance of the company. Even major incidents, if managed effectively, fail to meet this criterion; whereas a badly handled minor incident such as a chemical spill, has the potential to escalate into a crisis if somebody is injured or the cleanup is bungled. For us, a product recall or regulatory action would automatically be a potential crisis. What I'm saying is that the two domains overlap but are not on the same continuum: i.e. a crisis isn't just a big incident.
My role covers both business continuity (including incident response) and crisis management. In my experience, crisis management requires quite a different response style. The focus is often on effective internal and external communication; particularly with the media in all its forms. Additionally, the crisis management process is far less procedural than with incident response. To emphasise the distinction, in our company executive management owns the crisis management process, whereas operations management owns the incident management process.
All companies should have a crisis management process in addition to their incident response process, but I favour recognising the distinctive characteristics of the two and managing them accordingly.
Gareth: I agree with your points in that some organisations differentiate between and incident and a crisis and have different ways of dealing with each. I also agree with your point one has a much great potential impact than the other. It must be noted that incident response and crisis response happen after the event.
What I am trying to say (perhaps not well!!) is that our identification of potential issues which could become major incidents or a crisis should go beyond the PPRS (premises, people, resources and suppliers) which is mentioned in the BCI's Good Practice Guidelines. We need to be more proactive. We should go wider than these threats to take in some of the other relevant threats such as kidnap, cyber crime, product recall etc. Once we have identified the most obvious threats (we can’t imagine every potential threat) then we should develop contingency plans (if appropriate) or the relevant experts in the organisation should do so.
We then always need to have an incident management structure which then implement the plans in response to the incident we have planned for and manages the incidents which we have not planned for. How we manage the different types of incidents and magnitude of incidents is up to individual organisation's preference.Charlie Maclean-Bristol FBCI FEPS