Over time, organisms that are capable of adapting to change thrive while those that don’t go extinct. The same thing is true of organizations and business continuity professionals. In today’s post, we’ll look at seven ways the practice of BC is evolving and describe how BC practitioners must adapt to stay relevant and productive.
Related on MHA Consulting: Roll with the Changes: A New Generation Requires a New Approach to BCM
It is comforting to think that if we master one set of marketable skills, we’ll be able to make a living from them for the rest of our careers; however, recent history shows that option is no longer available (if it ever was).
Right now, the pace of change in the broader society is as fast as I’ve ever seen it, and that looks to continue for the foreseeable future. Those changes are impacting business continuity, both in terms of the threats to our organizations and how we keep them safe.
There are seven areas where in the recent past and immediate future we have been and are likely to see significant changes in how BC is practiced and should be practiced.
Significantly, there is also one overriding, critically important way that BC has NOT changed and will not be changing anytime soon. I’ll explain what that is at the end.
Seven Areas Where BC Is Changing
For now, let’s take a look at those seven areas of business continuity where big changes are under way:
- The threat matrix. These days the threat matrix is ever-expanding, and the threats have become global in nature. The range, severity, and potential frequency of the threats facing organizations today are greater than I’ve ever seen them. Organizations now have to contend with a heightened risk of drought, flooding, heat waves, wildfires, hurricanes, political unrest, global conflict, cyberattack, power outages, active shooters, supply chain disruptions, pandemic, social-media impacts, and all the rest. The pandemic underscored the fact that events taking place 10,000 miles away can impact us with great severity in a very short time. And the odds that organizations might have to deal with multiple disruptions at one time have increased. The expansion of the threat matrix challenges us like never before.
- Cybersecurity. The risk of cyber attacks continues to grow, and the job of beefing up cybersecurity will consume an increasing share of organizational energy and resources. In consequence, BC is likely to find itself taking a back seat. I think BC professionals need to accept this as a fact of life and focus on being a partner of this effort rather than its foe. The situation is dire enough. MHA has many hospital clients, and I can tell you the current environment is terrifying from their point of view. Indeed, the situation has gotten so bad for business generally that even Google has begun restricting employees’ internet access to minimize cyber exposure.
- Operational resilience. In our recent ebook, The Shape of Things to Come: 50 Predictions on the Future of Business Continuity (free download with registration), we observe that, “The operational resilience standard that originated in the banking industry in the U.K. and Singapore, and which focuses on protecting core services (rather than everything), will gain a significantly higher profile in the U.S.” This is likely to make our job somewhat easier by limiting what we are required to protect. BC pros who want to stay relevant would be well advised to familiarize themselves with the concepts of OR and begin moving their programs in that direction.
- AI. Artificial intelligence is coming to BC. AI has the potential to be good at helping with risk assessment, impact analysis, and guiding staff through incidents. However, it is unlikely to replace BC professionals as a group because so much of the job is about human interaction. This is still a people-based effort: executing response and recovery still comes down to human beings. All the same, the wise BC professional will make his or her peace with AI and begin thinking about how it is likely to alter the job in the coming years.
- The time crunch. In recent years, management and the business departments have been sharply restricting the amount of time they make SMEs available to us for the information-gathering necessary for us to do our jobs. I don’t see that changing, and in fact it’s likely to get worse. What can a BC professional do about this situation? I think we need to accept it and make the best of it. In my experience, there are two things that can help in making the most of a 30-minute departmental interview (if that’s all the time you get). One is you have to have a high emotional IQ. Under these circumstances, the only way to have a fruitful session is by being personable, understanding, positive, and confident. The other thing is, you have to know your stuff and know the company, because you can’t afford to waste time shuffling through papers and asking the experts questions you could have found the answers to on your own.
- Documentation. Traditional BC documentation is shrinking. This shrinkage is inevitable and unstoppable, and our job as BC professionals is to recognize the change and adapt to it. The 300-page recovery plan is a thing of the past. The younger generation lacks the attention span to wade through such doorstops. What’s more, our experience with our Silicon Valley clients shows wordy documents are not necessary. Digital natives are adept at making their way through the internet by intuiting connections and skipping around, and they can do the same thing with recovery documentation. The focus moving forward is going to be on concise, checklist-type plans that set forth only what a seasoned pro might forget. Honestly, when I look back at some of the huge plans we wrote in the past, I wonder what we were thinking. If I were doing those engagements now, I would make them much lighter from a documentation perspective and put a lot more emphasis on our next and last topic, training and exercises.
- Training and exercises. When it comes to training and exercises, many organizations continue to cling to the old way of doing things even as it would be better for all involved if a shift was made to newer approaches that have already proven themselves to be highly effective. The old school approach to educating staff on recovery procedures is for the BC staff to hold a big, once-a-year training session where a BC person goes through a deck of 40 slides and the employees struggle to keep their eyes open. There is a better way and the heightened threat matrix and all the other challenges we discussed above demand and deserve that it be used. Moving forward, enlightened companies will devise training programs that focus on actively involving employees in solving outage-related problems, begin holding numerous mini-exercises throughout the year, and employ chaos testing, in which recovery exercises are made harder by the introduction of unplanned challenges.
And One Area That Hasn’t Changed
There you have seven areas where BC is undergoing great change—and where BC professionals need to adapt if they wish to continue to protect their companies and prosper in their careers.
We now come to a contrasting topic I mentioned in the beginning: the important area where BC has not changed. This is the area of fundamental BC concepts and methodology, and the need for BC professionals to understand these things inside and out if they hope to have a positive impact.
The foundational concepts and practices of business continuity management include such matters as assessing threats and risks, applying mitigation controls to reduce risk, identifying the organization’s most critically time-sensitive business processes, protecting processes in proportion to their criticality, identifying and closing gaps, aligning BC plans with IT capabilities, and similar topics.
These concepts remain as valid as ever., and no one can hope to be an effective BC practitioner without having a solid grasp of them.
Adapting to Change While Holding onto BC’s Core Concepts
The rapid pace of evolution in society is driving significant changes in business continuity, requiring BC professionals to adapt in order to stay relevant and productive. These changes include the expansion of the threat matrix, the prioritizing of cybersecurity, the shift toward operational resilience, the emergence of AI, increasing time constraints, the obsolescence of lengthy recovery plans, and the need for frequent and more engaging training.
Amid these changes, one aspect remains constant—the importance of the fundamental BC concepts and methodologies. Adapting to change while strengthening their grasp of BC’s core principles will enable BC professionals to safeguard their organizations and thrive in their careers.
We’ve written a lot on how the field of BC is changing and what it takes to thrive as a BC professional in the current environment. “What It Takes: How to Succeed as a BCM Professional” tackles the latter subject while “Roll with the Changes: A New Generation Requires a New Approach to BCM” discusses how the arrival of digital natives in the work force is impacting BC. “A BC Consultant’s View of the Risks of Generative AI” looks at the dangers of artificial intelligence. For a walk down memory lane, check out, “Gone With the Wind: 12 BCM Practices That Have Become Outdated.” Finally, “Weird Weather: How to Be Resilient In a Time of Climate Chaos” looks at the impact of climate change on BC and “Testing, Testing: Our Best Blogs on BC Testing and Mock Disaster Exercises” is a roundup of our best blogs on the subject of BC exercises.