There has been a lot of talk lately in the Business Continuity industry about a “next generation” of Business Continuity planning. In a recent article from Continuity Central, David Lindstedt asserts that Business Continuity is Broken. But is it? Are we clinging too tightly to our old ways of creating plans and delivering results? Businesses and technologies change very rapidly—are we keeping up?
“The business continuity industry is evolving slowly. It must evolve, and some significant changes in perspective are warranted,” stated MHA CEO Michael Herrera. “We must be careful not to lose sight of the real goal: organizational survival/resilience.”
In the Continuity 2.0 Manifesto (first made available in September 2015) David Lindstedt and Mark Armour argue that “traditional approaches in business continuity management have become increasingly ineffectual.” Over the years, technology and organizations have undergone tremendous changes, but business continuity methodology has not kept pace. Small, incremental adjustments that focus increasingly on compliance over resilience are cited as contributors to “a progressively untenable state of ineffectual practice, executive disinterest, and an inability to demonstrate the value of continuity programs and practitioners.”
So, is Business Continuity broken?
Lindstedt lists three reasons “Business Continuity is failing us all” – It isn’t evolving; we can’t engage executives; and we have no meaningful metrics. This short list provides business continuity professionals with a useful and thought-provoking framework for discussion and action planning.
“Maybe it is time for a big shift,” Herrera said. “At MHA, we are advocating a more robust evaluation of risk, business needs and demonstrable recoverability of business functions. We can’t ignore the compliance portion of our work (even if we wanted to), but we need to keep sight of what our work is really all about.”
“For many years, complying with rules and regulations for business continuity and disaster recovery involved little more than checking a box. As an industry, we’ve moved away from that, attempting to create plans that actually work,” added Senior Advisory Consultant Richard Long. Executives are busy people and their attention and trust are difficult to secure. At the end of the day, they need to know if you can provide them with a “business continuity” solution that actually improves day-to-day workflows, customer service or response times.
Can you reduce risk? Save them money? And, of course, can you help keep them out of jail?
What about metrics?
Effective measurements, metrics and exercises allow us to plan for necessary improvements in a way that is easy to understand and justify.
“Exercises are not tests in the academic sense. They are designed to help us see where we need to improve, certainly, but more importantly they must be designed to teach,” Long says.
MHA has long been a champion of meaningful metrics. Going beyond the “checkbox” is what our BCMMETRICS™ application is all about. The tool assesses the state of your program (not just whether you have the right elements, but whether you test it, whether you train people how to use it, etc.). In the soon-to-be-released Residual Risk (R2) component, the focus is on the risk that remains after mitigating controls are put in place for your recovery plans. Again, the tool evaluates not just the presence of the mitigating controls, but the effectiveness of those controls.
Understanding residual risk helps executives allocate resources efficiently and effectively to those areas that expose the organization the most.
Are our tools obsolete?
Though there has been argument for abandoning some of our traditional tools (specifically the BIA and Risk Assessments), we believe that both of these tools still have value and relevance.
New programs are created, and existing programs are re-evaluated and sometimes significantly overhauled.
Those programs will always find value in an initial assessment and evaluation of their business processes.
“Use the tools that you have at hand to learn the business and understand what your executives need (and it may be compliance!),” Herrera suggests. “Use the BIA as an opportunity to learn about the enterprise operations; to learn what concerns your business partners; to learn how their needs are (or are not) being met by IT; and what types of risks exist. By engaging the business units in your process, you not only create a better end-product, you learn and grow, and you forge alliances that benefit your program and the business.”
We need to remember that it is about the process and not the document or the RTOs. The BIA process allows the BC practitioner to learn about the business; engage with business colleagues in a meaningful way; and eliminate silos by promoting and documenting the alignment of business continuity and disaster recovery to business goals and needs across the enterprise. It gives us the opportunity to teach our business partners and learn from them in return, creating lasting relationships that benefit the entire enterprise.