Did you watch the Snowden video? Life (and our work) would be more predictable if everything existed in the Ordered Domain – but in the real world it doesn’t.
Our organisations, especially when viewed in the contemporary risk/threat/vulnerability environment, are complex adaptive systems. When we promote simple (which often become simplistic) solutions we are essentially doomed to fail.
I guess that brings me to the most recent contribution to the debate. Charlie Maclean Bristol’s “Revamping the business continuity profession” published in April 2017.
The Oxford Dictionary tells us that “revamp” (with an object attached) is a verb and it means
“Give new and improved form, structure or appearance to”.
Let’s see which of these elements are applicable here.
The starting premise is that the discipline has lost its “mojo” in recent years. If you are not familiar with the term beyond Austin Powers losing his, it would imply that BC has either lost its voodoo charm bag, its libido or run out of morphine.
ROFL as the millennials would say.
The result seems to be that many in the field are “stumbling around trying to find a purpose for the field” and more importantly I would guess trying to establish the value for their role. And much of this, I would suggest, also has to do with the resilience barbarians who are storming the gates with their libidos intact!
There are 5 factors suggested that converge to highlight the decline.
1. The risks that BC addresses have slipped down the threat agenda.
The article defines BC very narrowly as planning for response/recovery of People, Premises, Resources and Suppliers. The advent of teams working from anywhere and Cloud Computing means that RTO/RPO and DR are less important. The evidence is that ..
“When systems go down, we all wait around until the cloud provider fixes the problem.”
Actually that’s not really new; for BAU systems outages that is generally what really happened before Cloud. Especially when the function is totally reliant on ICT. Most RTOs for business functions are wildly optimistic and don’t take into account the “as built” state of the systems – and the funding has never been approved to shorten the real RTO.
Cloud just brought it out into the open rather than being hidden by fantasy plans and unfunded RTO/RPO aspirations.
2. Cyber is claimed as the biggest threat to most organisations.
I do not believe this was true when written, however the events of the past weekend will certainly make it front of mind this week.
Putting that aside, because BC folks still don’t have the IT skills (that Cudworth and Apps advocated for in 2009) then we are “adding no value to managing this key risk.”
My problem with that is Cyber threat is not purely an IT issue. Dealing with the technical aspects of detection and clean up is an IT problem. Who should be stepping up to deal with planning for the business impact and recovery of operations?
The UK NHS is reportedly cancelling operations and closing hospitals in the aftermath of their most recent cyber attack. Doesn’t that sound like it could be in the domain of BC?
If running realistic simulation exercises is truly a core competency of the BC practitioner, then exercising the implications and aftermath of a cyber attack should have been something we have been doing for several years. Knowing that Windows XP is out of support and adds to your vulnerability should have been highlighted forcefully in such exercises – and doesn’t need a lot of IT competence to discover.
I discussed how we could improve our practice in this respect in my 2013 BCI World Conference presentation (Cyber threat opportunity : Exercising emerging threats to enhance relevance and engagement) and again in “Getting their Attention”.
3. BC has matured in organisations and there is less need for BC staff.
Growing maturity appears to be defined as using BC software to automate compliance reporting and local ‘BC Coordinators’ that can do an annual update of their documents and the token desktop walkthrough.
This is argued as evidence that “true embedding of BC has taken place”. Rather than recognition that it was just converted into a dumbed down compliance process.
Until BC practitioners understand culture there is never going to be any embedding. More in this 2013 article “Embedding Culture into BCM”.
It is also hard to swallow that BC is so mature when we can simply wash our hands of the impact of the alleged number 1 threat.
4. Codification is comprehensive and nearing completion.
“Those trying to stamp their name and their thoughts on the profession” have been busily producing ISO and BCI “how to” guides. This is very correctly identified as documenting the ‘as is’ practice and not proposing anything new.
Best Practice is past practice. It can’t be anything else. If we want a revamp of substance this might be a good place to start. Again this is something I warned about in my Cyber Presentation at BCI World in 2013.
It is rather alarming to read that people think that knowledge is stagnant and any attempt to codify and document can ever be “nearing completion”.
Charlie notes that Adaptive BC (David Lindstedt and Mark Armour) is trying to take things in a different direction, but doesn’t see this as novel practice. Because an auditor will want to see a BIA then there is no opportunity to change the lifecycle at the moment.
I wonder when the right time is to introduce innovation and new thinking?
David and Mark have published their own response to Charlie’s article on Continuity Central if you are interested.
The BIA debate is on one level a circular argument and on another an example of a lack of innovation. Auditors follow a fixed process of comparing what you have done to some form of accepted controls. They only want to see a BIA because somebody told them that is what they should ask for – change the “Best Practice” so that it doesn’t include a BIA and they will stop asking for one.
Also they are often not that well informed so just give them something with the label “BIA” if that is all they want.
Adaptive BC challenges us to think about a lot more than just if a BIA is required. You may find my podcast interviews with the guys an interesting background on their thinking.
5. BC is easy, any idiot can do it.
It seems for some that the practice has devolved into simply implementing a BCMS, no wonder it is in decline. Another factor leading to the decline appears to be that the discipline has attracted a number of semi-retirees. “For those in second careers, BC suits us, as we are not going to have third careers.”
Yes, I deliberately took the quote out of context. It is appalling as an argument and sad as an assertion of the state of thinking and practice.
I leave it to David Lindstedt to deal with the “tried and tested methodology” assertion.
But consider that to my knowledge 2 of the last 3 winners of “BC Newcomer of the Year” have left the discipline. Perhaps we might want to update those 30 year old practices (and the thinking behind them) soon?
If we want to innovate we need to listen to and learn from the new generations. It would be interesting to see what a GPG revision approached as a “green fields” initiative and authored by practitioners with no more than 5 years experience would look like. That would also exclude those with 1 year of experience repeated 10 times.
Resilience is not the saviour.
Very true. Because resilience does not provide the BC practitioner with new status and skills. It actually took root as a concept with management BECAUSE of the way BC is currently practised.
To benefit from the resilience boom we are going to need to widen our skills. As Charlie notes “The skills needed for resilience roles are not technical, but managerial.” The advice to the BC practitioner should be: go out and get some of these skills. Seek a role as a manager in a profit centre and learn; even a cost-centre management role would suffice.
You won’t learn them as the BCMS Administrator.
Learn to “Be the ‘go-to’ person for incidents.” To do that you need to refine the skills and be respected for your role in BAU issues. Perhaps go and talk to your IT Incident Management people who are probably all over it already. Facilities and Supply Chain people may also have some expertise to learn from in this regard.
Likewise the PR and Corporate Comms people most likely have processes in place for Issues Management and reputation impacts. This week they may be busy responding to the malware attacks so they may appreciate the offer of assistance.
Above all else remember that resilience is absolutely NOT about “coordination, audit and compliance.”
A rejuvenated BC practice for the future is argued to start with breaking the shackles of the Good Practice Guide and the Lifecycle. Personally I think those shackles have only been in the mind of the practitioner for many years.
Like many before him this article encourages the BC practitioner to get out and engage in the wider organisation. It is hard to reconcile Charlie’s perspective of a compliance-based BC practice with the set of skills he thinks practitioners currently possess – and the value he thinks the organisation places on a compliance practitioner.
As I noted earlier I think a practitioner wanting to get out and engage would do well to assume that other areas may already be better skilled. In fact if you haven’t totally engaged Comms in your Crisis Management planning efforts then your plan is really not useful at all.
Good to see the encouragement for practitioners to actually step up and exercise around Cyber impacts. But this doesn’t jell with comments earlier in the article.
Overall I find this view of the present and the future reflects very siloed thinking. E.g. The role that BC takes in respect of Cyber is defined such that BC will not be seen as part of IT, little talk of collaboration and plenty about compliance.
Certainly practitioners need to expand and diversify the practice. Also agree wholeheartedly that the GPG/ISO/Past Practice is holding it back. But there is nothing here about breaking that fundamental obstacle and the skills deficit that flows from it. Not surprising that the ISO addressing resilience doesn’t promote the same levels of compliance and certification.
Charlie exhorts that “we have to keep evolving, we cannot stand still ..”, but I detect a reluctance to actually innovate – unless somebody else is doing it first!
Overall I would say the revamp here is about appearance rather than substance. Unfortunately this seems to reflect a widespread problem as I found in some recent research. More on that in the next part of this series.
Here is a little homework to get you thinking about innovation. It features one of my “go to” management thinkers – Rosabeth Moss Kanter. When she talks ‘company’ think the discipline, customers are management, export to other disciplines.