In this article Rico Andrew Patron points out that, unlike some other professions, the business continuity profession does not have a set of clearly articulated core principles. He makes the case for the development of the Core Principles of Business Continuity and suggests what these could be.
I had the chance to do some major cleaning over the past few weeks and I rediscovered my stash of old books I’ve read since my early days in the corporate arena.
At one time, I tried my luck in the area of information security, so I had a book or two as my guide. In the first few pages of the book, I was immediately introduced to the discipline's core principles, the CIA triad, which stands for 'confidentiality, integrity and availability'.
"The information security program must ensure that the core concepts of availability, integrity and confidentiality are understood and supported through the implementation of security controls designed to mitigate or reduce the risk of loss, disruption, or corruption of information." Official (ISC)2 Guide to the CISSP CBK (1st ed), 2007
Definitions of each of the CIA principles followed, along with what each one specifically means for the implementation of information security.
Over the years, the CBK (or Common Body of Knowledge) has evolved from 10 domains, now compressed to 8. There used to be a specific domain for business continuity and disaster recovery planning in the CBK, but it has since been dropped as a standalone domain.
But what impressed me the most upon re-reading some of this outdated material is the fact that their core principles have, thus far, survived the test of time. For someone in my position then, wanting to learn more about information security, the introduction to the core principles found in the first few pages of the book was spot on as to what to expect of the discipline and what was to be expected of me should I pursue it.
This made me reflect on the core principles of business continuity - and my mind was blank. All I could think of was the framework and the activities involved, but I initially struggled to define what the principles were. Going through the BCI's Good Practice Guidelines (GPG) didn't offer me an answer either.
"Business continuity management identifies an organization’s priorities and prepares solutions to address disruptive threats." 'What is Business Continuity?' Good Practice Guidelines, 2018
The introduction tells me what business continuity is, but not what applying the discipline intends to achieve. Some of you may be thinking – "It's organizational resilience, duh!" – but that is more of a long-term objective. The 2013 version of the GPG even cited it as such.
"… the long-term goal of the BCM programme is to improve organizational resilience." Good Practice Guidelines, 2013, p. 23
While the previous statement no longer appears in the 2018 version of the GPG, quite possibly because resilience may now be achieved in a shorter time span, I think everyone will agree that true resilience is not achieved through a one-time event.
Resilience, from my perspective, comes from repeated exercising of business continuity practices. It has to be consistent and disciplined. You don’t grow muscles by lifting weights just once or twice.
So, I am not convinced when people say that their organizations are resilient enough to come out of this pandemic relatively unscathed even in the absence of any business continuity structure, thereby belittling the value and/or contribution of the BC profession.
Those organizations that coped in the absence of any business continuity structure had everything working for them at the right time. They had the right people who knew their jobs inside and out and how to adapt to the situation they were in. They had the resources in hand to support their response. They were led by someone with the right mindset on what activities to prioritize in recovery. Good for them.
This success, however, doesn’t necessarily mean you will be successful again in the future. Things inevitably change. Sometimes it is better to be lucky than good, although I wouldn’t bet the farm with that kind of mindset.
Different situations present different impacts which may require different responses. People get sick. People get tired. People leave. Knowledge may be passed but some may be lost. Funds and resources get depleted.
What if another incident with global implications (one that is not a pandemic) were to hit your organization?
- Can you recover again with greater efficiency?
- Can you recover again at a lesser cost to the organization?
- Can you recover again with a different team?
- Can you even recover again?
For me, resilience is not the core principle of business continuity. The core principles should refer to what all these activities aim to achieve once they’re completed. To phrase it in another way, if these activities do not help achieve at least one of the core principles, why bother doing them in the first place?
At some point, the business continuity community needs to define these core principles so that practitioners, both present and future, all agree on a common path even though we may have different ways of getting there. We can argue on methodology and frameworks all day long but we can all agree that, despite these differences, we are all after the same thing – that is, to achieve our core principles.
To start the discussion, perhaps our core principles could be described as follows:
"The implementation of the business continuity management programme shall endeavour to reduce the impact of an incident, recover the organization’s products and services and for these to be made available to all interested parties at the soonest possible time, as if the disruption never occurred."
The core principles of business continuity are:
Reduce the impact of incidents
The principle of reducing impact revolves around identifying what factors can disrupt your business, recognizing their impact and formulating strategies for recovering from the incident at the soonest possible time.
Reduce the time of disruptions
The longer the disruption, the greater the damage. Damage may come in the form of financial loss, negative impact to reputation, loss of investor confidence, and the like. This is what we want to avoid in the principle of reducing time.
Regaining your organization’s operations at the soonest possible time can project a level of confidence to all interested parties that the organization and its management are very much prepared for and are in control of the incident.
Reach your recovery position
[ Author's note: This part gets tricky as there is no clear definition of the term 'recovery' from a business continuity perspective. Not in the GPG. Not in ISO. Not with the BCM Institute. The BCMI's glossary does show a definition of recovery made by ENISA, and DRII uses the definition found in the NFPA 1600 standard. ]
Whatever the defined recovery position is, it should be the organization's goal to get there and not be content with recovering a particular process, a particular activity or a particular resource.
Restore availability to interested parties
Availability of recovered products and services should be restored for all interested parties: be it your directors, your employees, your regulators, the media, but most especially your customers, who will define your organization's reputation in response to the incident. (I am very biased towards the latter, being an operations guy by default, so I tend to look at everything through the lens of service.)
Reaching your recovery position is an achievement, but it will mean nothing if the recovered products and services are not made available to all interested parties.
The principle of restoring availability is the culmination of all your business continuity activities during an incident. At this point, you have successfully recovered your products and services which are made available to all interested parties. Your organization is functioning as if the incident never occurred.
A call to action
I know it will be a long road to reaching a consensus across the community on what the Business Continuity Core Principles should look like. But I think now is the opportune time to have this discussion and arrive at a common definition of who we really are as BC practitioners.
Rather than convincing the CXOs of what value the BCM programme can bring, let us instead introduce them to our discipline, to our core principles and to exactly what we can bring into the organization.
Rico Andrew Patron AMBCI, MBA, is an operations, resilience and technology professional based in the Philippines.
Author’s note: I would like to thank David Window who served both as inspiration and resource for this article… Thank you for your inspirational webinar that triggered all of this and for your time to let me pick your brain.