Revamping the business continuity profession
- Published: Friday, 21 April 2017 10:23
Charlie Maclean-Bristol, FBCI, FEPS, looks at the current challenges facing business continuity managers; explains why traditional business continuity practices are becoming less relevant; and offers some positive ideas for how the profession can develop its role.
In my opinion, business continuity has lost its mojo over the last couple of years, and many in the profession are stumbling about trying to find a purpose for the field and their job role.
To me, several factors seem to have converged to suggest that the business continuity profession is in decline. These factors are as follows:
1. The risks which business continuity is designed to deal with have slipped down the threat agenda. According to the BCI's Good Practice Guidelines, we BC professionals look principally at PPRS (people, premises, resources and suppliers). With more organizations employing teams of staff able to work from anywhere, the need for premises, and for planning for the loss of premises, has reduced. Cloud computing and virtualization mean that disaster recovery, RTOs and RPOs have become less important: when these systems go down, we all wait around until the cloud provider fixes the problem. Although there is still a need for business continuity, for many organizations the loss of PPRS is no longer their top threat.
2. Cyber incidents are now considered to be the biggest threat to most organizations, but if we look at the business continuity literature and guides, we have very little to say about them. Managing cyber risks and the technical elements of information security requires technical skills which most business continuity people don't have. So, currently, we are adding no value to the management of this key risk.
3. As business continuity matures in organizations, there is less need for multiple business continuity staff. BC software can take many of the administrative tasks out of managing BC, so administrators are not required. Business continuity coordinators from within the organization can often update their BIA and plans annually and run their own desktop exercises themselves; true embedding of BC has taken place, so they have the skills to do it without a central team. There is now simply less work for the BC manager to do, which is why many organizations have been downsizing their teams.
4. Those trying to stamp their name and their thoughts on the profession have been involved in writing the ISO business continuity guidance and the BCI 'How to' guides, but this work is coming to an end. Most of the guidance is now in place, and these individuals are documenting the profession as it is and echoing established practice, rather than reporting anything new. There are also those like David Lindstedt and Mark Armour, with their Continuity 2.0 manifesto, trying to take BC to a different place. Having read their manifesto, I am not personally convinced that what they are saying is anything novel. Some of the ideas are radical, such as getting rid of the BIA. However, a regulator or auditor will want to see your BIA, so I don't think there is really an opportunity to change the lifecycle framework at the moment.
5. For me, business continuity is not really all that difficult conceptually. As long as you have a robust, tried and tested methodology, it doesn't take very long to learn to implement a BCMS successfully. For those of us in second careers, BC suits us, as we are not going to have a third career. But for those starting out in the profession, are they really going to be conducting BIAs for 40 years? In my experience, many of those who have been in BC for a while have become bored and are looking for new challenges.
Along comes resilience, which will supposedly be the saviour of all of us BC people, as it offers the ability to use our existing skills and take on a whole range of new roles. Our career issues will be sorted and there is a new professional path to take. However, I don't believe that resilience is the answer, as I will explain...
Why resilience is not the saviour of business continuity
Many organizations, such as the Business Continuity Institute, are pushing the resilience agenda. Whilst I believe resilience is the answer to some issues, I do not think it is the sole answer to the future of business continuity.
I believe the promotion of resilience within organizations is an excellent idea, and many companies are embracing it. For example, in the public sector, emergency planning units in Scotland have renamed themselves 'Resilience' units, and I have seen a number of resilience roles within the banking sector.
The roles which could exist under the resilience umbrella include:
- Business continuity
- Health and safety
- IT DR
- Information security
- Crisis management
- Physical security
- Horizon scanning/corporate intelligence
The principle of bringing all these different disciplines under one umbrella will add value across an organization. There are many synergies between these roles and each one can support the rest. Once a risk has been identified, the other disciplines within resilience can help mitigate it and provide ongoing monitoring. This stops risks being managed in silos, where a mitigation measure in one area can potentially increase risk in another. The crisis management plan can be used to manage a reputational crisis as well as business continuity, health and safety and cyber incidents. The skills needed for resilience roles are managerial rather than technical, as it would be very rare to find one person who has the technical knowledge of all of these disciplines. Therefore, it is the resilience manager's responsibility to manage a team of technical experts who provide in-depth knowledge of each subject. The role of the resilience manager is one of coordination, audit and compliance.
Many business continuity organizations are heavily peddling resilience almost as 'Business Continuity Plus'. Yes, the BC manager could take the role of the resilience manager, but there is absolutely no reason why the IT DR manager would not be equally well placed. The role of the resilience manager is all about good management of a number of areas, and does not require the technical skills of the BC manager.
The BC manager has two sets of skills; their business continuity technical knowledge, such as how to implement the BC lifecycle, and their understanding of how to manage business continuity within an organization. The management skills are similar to those needed by the resilience manager, but the technical skills for BC are completely different to those needed to manage other areas of resilience.
Resilience is a natural process for bringing together the parts of an organization which identify and manage risk on an ongoing basis. I would like to see a chief resilience officer (CRO) who takes this role and ensures that the silos between all these disciplines are broken down and brought together. I would also like to see organizations such as the BCI separate BC from resilience and concentrate on the discipline of BC, without clouding the picture by talking about resilience all of the time. Perhaps there should be a 'Resilience Institute' which provides guidance on how to carry out the role of a good CRO and on how to manage several disciplines together, including how to audit and assess levels of maturity. Finally, I would like business continuity people to concentrate on using their business continuity skills to add value across the organization, not by trying to become the resilience manager, but by using their existing skills to improve the organization's response to an incident.
I think there is a lot of value that business continuity managers can add without trying to incorporate resilience, and there is plenty to be done which will safeguard the profession. Business continuity does have a bright future, but we have to keep evolving; we cannot stand still...
Business continuity - the future?
As we all know, we live in a volatile and changeable world. Regardless of advances in our technical ability, we haven't managed to tame the forces of nature or the breakdown of the technology which we absolutely rely on. There are no fewer threats than there were twenty, fifty or a thousand years ago; the threats just change. Global warming, cyber criminality, terrorism and the tight coupling of technology to our daily lives are some of today's threats, and these will continue to change over time. So, for business continuity managers there are plenty of threats to plan for, mitigate and prepare the organization's response to.
The first task of the business continuity manager in this new world is to expand their remit beyond the main role advocated in the Good Practice Guidelines, PPRS, and move beyond the confines of the business continuity lifecycle. Detailed below are some of the roles the business continuity manager could, or should, take on, using their existing skills to add value across different parts of their organization.
I am well aware that, due to the structure of organizations and the position of the business continuity manager within them, not all of the following roles and tasks can be carried out everywhere. However, if you go to a department and offer to take some of their pain, they will often jump at the chance.
1. Work with your risk department and those responsible for strategy to identify new threats to the organization. You should be horizon scanning to identify new and developing threats. There should no longer be Black Swan incidents in your organization, because you will have spotted an incident occurring elsewhere and worked out that the same thing could happen to you. This could expand to cover competitor and market intelligence if your organization does not do this already.
2. Be the 'go-to' person for incidents. When events occur, such as the London attack in March, the Brussels airport bombing or the Paris attacks, organizations need to account for their staff and confirm that none of them have been killed or injured. You should be the person the organization turns to in order to account for staff. It may need a multidisciplinary response, but you are the person senior managers go to in order to coordinate the organization's response.
3. Many organizations, especially those in the oil and gas, manufacturing and transport industries, have emergency response plans in place. You might also have business continuity plans in place, but there is often a gap between where the emergency response plans end and where recovery can start. In the diagram below, you can see some of the issues which need to be managed after the emergency response phase is over. You can add value by producing a crisis management or incident plan which deals with these issues.
The response to an incident usually extends beyond the exact site of the incident. Therefore, your organization needs to manage the wider response, including the media, local authorities and the effect on the local population. As a central function, you are often better placed to develop the plans for the area covered by the red arrow in the diagram, because you have a central remit and can develop the plans with the relevant central functions.
4. Issue management is all about identifying the issues within an organization which could become a crisis and making sure that steps are taken to avoid this. You could work with corporate communications, using your facilitation skills to help them identify possible issues, monitor them and develop contingency plans where required. If you want to learn all about issue management, read 'Crisis, Issues and Reputation Management' by Andrew Griffin.
5. If you provide a technology service to your customers, your organization may have IT teams or other teams which manage incidents. You may also have duty managers who respond to incidents. This is an ideal opportunity to use some of your incident management skills: give them the tools, techniques and confidence to manage an incident.
6. I don't think business continuity managers should be involved in cyber by, for example, teaching people to use better passwords. I think this makes business continuity become a part of IT, when it has a much wider remit than that. In terms of cyber, the business continuity manager should be working with IT and senior managers to produce a playbook of incident responses, educating them on the different scenarios and the decisions they may have to make during a cyber incident, and exercising the plans.
7. If your crisis communications team has a crisis response plan, why not run some exercises to help them practise their response to an incident? There are several companies out there with social media simulators, and you could get one of them in to make the exercise more realistic.
8. Do you have a travel security policy, with a country risk assessment, a staff helpline and a plan for responding to an incident involving staff travelling abroad? If you don't, help put one in place: there is an opportunity to add value by bringing together a multidisciplinary team and developing your organization's framework.
9. Managers are always looking for interesting topics to cover on staff away days. Again, make yourself the 'go-to' person, so that they come to you first. You can create interesting and exciting events which entertain and challenge staff while at the same time promoting business continuity throughout the organization.
Not all of these tasks will be possible for every business continuity manager, but we must strive to find outlets for our skills within our organizations, and to be seen to add value. If business continuity people can be seen as the 'go-to' people for managing an incident, response planning, risk identification and preparation for any adverse event, then we are on the right path to making sure that our profession has a future and is seen as an essential part of any organization.
Charlie Maclean-Bristol, FEPS, FBCI, is Director of Training at PlanB Consulting.