Mark Armour, one of the developers of the Adaptive Business Continuity framework, gives his reaction to Continuity Central’s survey into current attitudes to the business impact analysis and the risk assessment.
The results of Continuity Central’s survey about the business impact analysis (BIA) and risk assessment (RA) have been published and the results are extremely interesting. As developers of Adaptive Business Continuity, David Lindstedt and I have an interest in seeing the BIA discarded from business continuity practice. While many of our colleagues have either significantly reduced the BIA activity itself or eliminated it entirely from their programs, what about the wider business continuity community? This is where Continuity Central’s survey results are quite telling.
Let’s look at the fundamental question asked in the survey: “Do you think that it is possible to omit the BIA from the business continuity process?” Nearly 20 percent of respondents said, “Yes, and the resulting plan would be fully functional.” That is one fifth of the business continuity profession! Furthermore, fewer than two thirds of respondents consider the BIA a vital part of the business continuity process. What does it say about our profession when every documented practice and standard specifies that a BIA must be done, yet a significant portion of professionals don’t support its use as a tool in effective preparedness planning?
Let’s look at the last question. It asks, “Thinking about compliance with the business continuity standard, which comes closest to your view.” It should come as no surprise (even to Adaptive BC adherents) that 71.36 percent of responders believe that both a BIA and an RA “…are essential for compliance with this standard”. A higher percentage of folks believe the BIA is necessary for compliance purposes (nearly 86 percent) than who believe it is vital to the business continuity process (64.79 percent). This quite clearly illustrates what many of us have already suspected: a significant number of practitioners (over one fifth of the profession!) perform this task in order to be compliant and not because it adds value.
Remember that the Continuity Central survey is predicated on two assumptions: 1) that compliance with standards is a necessity and 2) all widely publicized standards have identical sets of deliverables, including a BIA. Introduce a new standard – one that does not require a BIA – and that changes. Once an alternative is more widely known and accepted, responses are likely to change. I foresee a time when the question will no longer be “How do you comply with accepted standards?” but instead, “To what type of standard do you comply: Traditional or Adaptive?”
The house of cards
The other problem is that our support of the BIA comes not from the actual value it delivers but from its essential position within existing practices. The BIA is a fundamental component of legacy methodologies. BIA results form the basis of many subsequent activities and deliverables. If one has not prioritized their organization’s functions, how does one determine where to devote scarce resources? How can one possibly organize recovery efforts without knowing which process should be recovered first? Without defined recovery time objectives, how can one develop a viable strategy to meet them? Without a clearly defined maximum allowable downtime (MAD) how do you know when you need to pull the trigger and execute recovery activities following a significant disruption?
These questions are based on the assumption that prioritizing functions and defining recovery times is essential to being adequately prepared. The truth is, effective preparedness does not need to address these questions. Defined recovery time objectives are not necessary to improving upon existing recovery capabilities. Activities that seek to make some functions a priority put all other services and processes at risk. Not to mention that recovery times and priorities are certain to change over time or in response to an event. What is critical when the BIA is performed – that is, when there are no problems and everything is fully functional – can change considerably based on the consequences of the event itself. Focusing on time targets leads practitioners to ignore other factors that are equally or more important to effective recovery. This includes things like capacity, functionality and the cost and effort of executing recovery activities. Determining whether to execute recovery is determined by a host of factors and not just whether some arbitrary time has been exceeded. MAD, MTD, MDTP and their equivalents were merely introduced to mask the ineffectiveness of the RTO (For more on this, see: “Our deep misunderstanding of time in preparedness planning” at http://bit.ly/2omrQIs).
Not really ‘best’ practices
I genuinely believe that many of my colleagues are not satisfied with existing business continuity methodology. Yet, for much of the existence of the profession, there have been no viable alternatives. Mavericks within the business continuity industry have simply done things differently, eschewing traditional practices altogether, for lack of any other solutions. There are a handful of folks who have learned what these innovators are doing and are adopting similar approaches. But the alternatives have never been promoted and no formal methodology was ever developed to accommodate them. These practices existed not in a single bubble but in many bubbles all across the globe. They were practiced only by the individuals and teams that intentionally chose to beat a new path or were fortunate enough to stumble upon someone else’s. The rest of us have simply soldiered on, unaware that there were any other means to organizational preparedness.
I believe the results of the Continuity Central survey indicate that the tide is starting to turn. Adaptive BC is still in its infancy. Awareness, understanding, and formal adoption of its framework have yet to really hit the mainstream. Yet, a significant percentage of business continuity professionals are already adopting its principles. What will the results of a similar survey yield a year or two from now when white papers and evidence of Adaptive BC’s value become more widespread?
I was a loyal adherent of legacy practices for most of my career. I believed our standards had been born of a process by which many competing approaches were objectively evaluated until a single, best practice was determined based on an objective measure of the value returned for the capital and effort invested. I think a large number of my fellow practitioners believed (and many continue to believe) the same. But such is not the case.
We live in an era when everything from vehicles to soft drinks come in more sizes and varieties than one can reasonably count. Yet we’ve been content with only one choice in operational preparedness. Worse still, we’ve failed to demand evidence of its value. I say it is time to change all that. Let’s start by giving up the wasteful and fruitless BIA!
Mark Armour helped develop the Adaptive Business Continuity framework along with co-authoring the Adaptive Business Continuity Manifesto with David Lindstedt, PhD.