I read an interesting piece of thought leadership today – Luc Klein’s paper that challenges us to think critically about what BCM should be, entitled “Is Business Continuity Management a misnomer?”
If you haven’t heard about this paper you soon will, and you should click through and read it.
The author argues that BCM, as a discipline, needs to make a decision about its direction and focus. Does it continue down its current path of being focussed on operational recovery – or take a new road to address all the risks that can lead to an entity going out of business?
I agree it is a misnomer, for two reasons:
- first, and the main thrust of Klein’s argument, it does not really address the full spectrum of risks that can cause a business to stop.
- my other reason would be that the “management” part is the misnomer. It is a ‘discipline’ that is not practiced by managers in an organisation.
Klein also observes that recovery and incident management plans normally do not address the areas covered by ‘Strategic Risk’ and ‘Financial Risk’.
Klein sees ERM as the discipline that looks at both cause and consequence, while BCM is only addressing the consequence. BCM is concerned with what happens if the ERM controls fail. In truth it has been like that long before anybody added the ‘E’ to Risk Management. It is interesting that he does not see BCM as part of the risk family. ERM is made up of different types of risk domains:
- Strategic Risk
- Financial Risk
- Operational Risk
- Legal & Compliance Risk
- Environmental, OH&S Risk
There are probably more cases where a business has failed due to strategic or financial risk failure than have occurred as a result of fire, flood or asteroid strike.
I was disappointed to find no reference to AS/NZS 5050 – the Australian Standard that addresses the management of “Disruption-related risk”, and which positions what Klein is calling BCM clearly within the risk management domain. My series on AS5050 is still one of the most frequently searched on the blog. This standard was also labeled as heresy by the BCI, so would qualify as another suggestion for change of focus and direction for the industry.
Klein suggests there are two potential ways forward:
- rename BC to Operational Continuity in order to clarify the discipline based on what it generally does; this would include narrowing the defined range of incidents that the discipline can respond to – or
- broaden the focus of BC (as practised) to include the impacts that flow from Strategic and Financial risks.
I was disappointed with Klein’s analysis around this point. Essentially he becomes trapped in his own critique, where BCM can only be talked about if it is associated with the activation of a specific type of recovery plan.
- Many financial institutions have response plans to liquidity events – and I know of some clients who will trigger these plans based on a specific % change in the local Share Market index.
- Rarely are these plans included in the domain of BCM, nor developed by the BC folks, for all the reasons Klein outlines.
- They represent sound disruption-risk management (and therefore the new BCM order he is encouraging) – and if BCM is to have a broader meaning then we need to stop defining the concept in terms of response and recovery plans.
I am going to talk a little more about these aspects tomorrow.
Are we actually at a crossroads?