How did the managed service provider industry successfully hijack the term ‘business continuity’?
- Published: Thursday, 24 January 2019 09:07
Alex Janković claims that some managed service providers have successfully managed to equate business continuity with IT disaster recovery, resulting, at best, in confusion among those new to the profession and, at worst, the development of business continuity plans that are not fit for purpose.
There is something which bothers me as a management consultant in the business continuity and information technology fields. Have you tried to search for the terms ‘Business Continuity’ or ‘Business Continuity Planning’ on Google or Bing search engines recently? Please do and the results may surprise you. Once you skip over a few Google ads and relevant, but not local, articles, you will find link after link to articles written by local managed service providers (MSPs).
If you are wondering what an MSP is, TechTarget defines it as “a company that remotely manages a customer's IT infrastructure and/or end-user systems, typically on a proactive basis and under a subscription model”, but I digress.
If you are brave enough and decide to click on any of those searched links, you will be met with a carefully designed and written corporate landing page. They will all have some very high-level, but somewhat relevant business continuity related jargon, but in the first few sentences the narrative will change from business continuity to IT disaster recovery. Furthermore, if you care to continue reading, these MSPs will start to pitch whatever product or vendor they are licenced to sell and distribute. The web page's message, tone, and focus are ultimately geared around the capabilities of that product, and not necessarily related in any way to the business continuity planning process or methodology itself. On top of that, MSPs will also offer to help your organization develop business continuity or IT disaster recovery plans, which I am sure will be geared around the products they try to sell you, and will probably be developed without truly understanding the ins-and-outs and the complexity of your business.
And that is exactly where the problem is. My wild guess is that either these MSPs found a way to use search engine optimization (SEO) techniques to their benefit, or the industry professionals don’t write much about business continuity at all.
All of this is making things very difficult for businesses which are trying to address their organizational resilience challenges and increase their business continuity maturity levels.
Business continuity is not a backup
So, let me address at least one of the problems these articles are trying to promote. Business continuity is not a backup. Let me repeat. Business continuity is not a backup. It is a strategic and tactical capability of the organization to plan for, and respond to, incidents and business disruptions in order to continue business operations at an acceptable predefined level. The ISO 22301:2012 standard similarly defines it as “the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident”.
As you can see, business continuity, and more broadly organizational resilience, are much more than IT systems backup and recovery capabilities, which usually happen after the disruption. The new ISO 22316:2017 standard defines organizational resilience as the “ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper”.
Organizational resilience is a discipline, and there is no single approach to improve it or enhance it. Many business management disciplines, including business continuity management (BCM) and operational risk management (ORM), contribute to the continuous improvement and safeguarding of the organization’s resources and strategic goals. The end goal is all about changing the organization’s culture to ‘live and breathe’ resilience and to implement good business practices to effectively manage risks.
Start with a business continuity management (BCM) program
A good first step your organization can take to address organizational resilience is the implementation of a BCM program. One of the approaches which can be followed is the Disaster Recovery Institute International (DRII) methodology, which introduces the following disciplines:
- Risk assessment and business impact analysis;
- Business continuity strategies and business continuity planning;
- Incident response (crisis, emergency, etc.);
- Training, awareness and exercises;
- Crisis communication and external agencies coordination.
And only then, after the BCM program implementation is started, business risks and threats are evaluated, and recovery strategies are developed, organizations should start addressing their IT disaster recovery backup and systems recovery requirements. Most smaller to mid-size MSPs might not be capable of meeting all the business continuity requirements outlined in this article, but for sure they will help you implement the cloud-based product of their choice (read: with the highest margin) and develop a subpar business continuity plan.
And please don’t get me wrong. I am not against MSPs. They provide invaluable services for organizations with limited information technology resources. They are the guys who can provide you with the cloud-based infrastructure required for your business, and whom you call when you have problems with your applications or desktop issues. They are also the ones who will ultimately help you recover your IT systems and applications after a disruption. However, because many of them sell products and run IT fulfillment business lines, they will usually not provide objective and vendor-agnostic business continuity or IT advisory related services.
Over the years, I have worked with and assessed quite a few MSPs, and I see a pattern which is somewhat concerning. Once the cloud-based IT disaster recovery platform of their choice is implemented, few MSPs develop a written business continuity or IT disaster recovery plan that is based on the outcomes of the business continuity planning activities. Moreover, once plans are implemented, they are not at the table when new products or services are discussed and introduced across the organization.
Over time, this approach creates a capability gap and problems are usually only discovered once something goes seriously wrong. The usual chain of events during a business disruption is a failure of the business to recover, finger pointing with an MSP, loss of business and revenue, and possibly a loss of employment for the few individuals deemed responsible. Only after this process will organizations reach out for help and seek an independent and objective business continuity professional.
Bottom line. We, the business continuity professionals, must educate our clients about what organizational resilience is, and how they should implement it. In addition, small and mid-sized organizations must assess their MSPs’ capabilities and ensure that their recommended IT disaster recovery solutions are in line with their business requirements. This usually means a full assessment by an objective third party, and not somebody whose revenue fully depends on their clients buying more products or services.
What should organizations do? And what are the organization’s business continuity requirements? Well, the organization can start with a BCM program assessment, which will provide a capability gap and recommendations for addressing program deficiencies. The result could be the full-blown implementation of a BCM program across the organization, or a series of program component updates which will ensure alignment with industry standards and the organization’s strategic vision.
And as you know from reading this article, this is not something your organization should ask an MSP to execute.
Alex Janković, CMC is the founder of StratoGrid Advisory. He is an IT strategist, business continuity advisor, and speaker.