02/04/2015 Does BC really manage the real risks to your organisation?
This week Charlie discusses the remit of a typical Business Continuity Manager.
This week I noticed that there have been large power outages in Holland affecting Schiphol Airport and also, it seems, half of Turkey. I feel at times these incidents happen to keep us business continuity managers in a job and to remind our senior managers that we live in a fragile world and that they need a business continuity manager!
I thought this week I would share some thoughts on business continuity and on whether we are really doing enough to manage the real risks to our organisations.
Often within an organisation the business continuity manager is the only person who is looking at risks and also building a framework for the management response should those risks occur. There will be, within the organisation, those concerned with managing operations; however, their roles are very much about keeping operations delivering to set targets. The IT department may be identifying their risks and building disaster recovery into the systems they manage, but they do not concern themselves with the management of an IT incident beyond recovering their systems. Even those concerned with information security manage the information security risks and may concern themselves with reacting to an event at the technical level, but again do not involve themselves with the tactical and strategic management of the incident.
The business continuity manager is often the only person in an organisation who has a formal role in preparing the organisation to respond to a major incident. The issue I see is that the scope of the typical business continuity manager’s role is too narrow and they, in many cases, are not addressing the full range of incidents the organisation may have to face.
Having taught the Good Practice Guidelines (GPG) course last week, I am very up to date on the teaching of the types of incident we are preparing for. We as business continuity people concern ourselves with looking at the threats and managing incidents where we lose our Premises, People, Resources (including IT) and Suppliers (PPRS). I always teach my students that they should be preparing for PPRS. Different industries have different drivers and risks, and so the business continuity manager’s remit may be wider; however, the GPG concerns itself with managing these four categories. It does have a line which states that we have to have a team in place which can manage any event, but where nothing is actually lost, for example in a reputational incident, the GPG is quite vague on the type of incident this could cover.
I think as business continuity managers we need to add value to our unique position of being the sole person responsible for identifying potential incidents and then putting together a framework for managing them. We need to engage further with different parts of our organisation and talk about how the incidents they are responsible for can be placed within our response framework. This could include how the organisation would respond to an information security incident. Often those responsible have tools and methodologies for managing the technical response to an incident but have not looked at the reputational elements of the response, which if managed badly can compound the negative impact of the incident. Have we also coordinated our plans with Operations and understood the type of incident caused by a failure of a product or service? If we have to do a product recall, which again can have a major reputational impact, do the production team have a plan for this? If you have a reputational incident or a security incident such as a kidnap, have your plans been coordinated with their plans, or have you all been writing plans in silos? The worst thing you can have is three strategic/crisis level plans all being deployed simultaneously for a complex incident.
The planning for these events brings me back to the GPG and the toolkit it gives us. The more I look at the BIA part of the business continuity lifecycle, the less sure I am that it is fit for purpose. Its remit seems to me too narrow, with a concentration on PPRS which does not look holistically across all the risks an organisation faces. It is also too narrow in that it looks at external events which could affect the organisation rather than at internal processes and procedures, which, if they are not fit for purpose or have become corrupted over time, can themselves cause the incident. Looking at internal processes and identifying potential issues is a lot more difficult than looking at the more obvious external threats that we as business continuity managers love, such as fire and flood.
So when you have a spare moment over Easter and you’re taking the dog for a walk and need something to think about, consider whether you are coordinating enough within your organisation: are you ready to manage any event? Secondly, I am interested in hearing from anyone who would like to join in the discussion: ‘is the BIA as it is portrayed in the GPG fit for purpose, or does it need a radical overhaul?!’