Choosing a Business Continuity Consultant (Updated January 2020)
2019 was a year of disruptions to people, supply chain, infrastructure and organisation's reputation. With the promise of further disruptions on the horizon, now is the perfect time to reinvigorate your business continuity programme and ensure your resilience no matter what 2020 has in store. With that in mind, here’s my definitive guide on ensuring you choose the right business continuity consultant for the coming year.
No different from purchasing any other type of consultancy
First of all, choosing your business continuity consultant is no different from choosing any other consultant; chemistry and personality are key. Do you like the person who is offering you consultancy and would you happily spend six months (or longer) working alongside them? Are you happy for them to go in front of the CEO, explain his role in a crisis and critique his performance in an exercise? Can they speak the language of business as well as business continuity? Will they fit into the organisation’s culture and do you feel comfortable that they will deliver what you have asked them to? If you want lots of workshops or presentations, then ask them as part of the selection process to give you a presentation or interview them on how they would carry out a business continuity workshop. As with choosing all consultants, "beware of the bait and switch", you have to ensure that the business continuity expert who comes along to your initial meeting is the person who will be carrying out the work and that this will not be delegated to a junior person who does not have the same level of skills and is simply learning how to implement business continuity at your expense. Ensure that who is actually going to carry out the consultancy work is written into your contract.
Be an informed buyer
I have replied to a number of tenders where it is obvious that the organisation putting out the tender has little or no understanding of business continuity. This makes it very difficult for those replying to the tender to cost the job correctly. If you are going to put out a tender or employ a business continuity consultant, I would recommend you go on a business continuity course yourself so that you understand what you are buying. There are a number of courses available which will give you a reasonable understanding of business continuity. I would recommend you go on the CBCI Course run by Business Continuity Training.
I was asked to do some work for a client who had employed a consultant from their insurance company to implement their business continuity programme. They weren’t happy with his work but didn’t have the knowledge to challenge him. They went on the BCI 5-day course (with myself as the tutor) and at the end of the course, they had the knowledge to ask him all sorts of in-depth business continuity questions which he couldn’t answer. I was then employed as his replacement. The better you understand the subject, the better and more cost-effective your purchase of business continuity will be. Even if you attend the BCI 5- day course at a cost of around £1,800, or the two day Introduction to Business Continuity course at £1,050 you will save this amount by making savings on your business continuity purchases.
"Are you happy for them to go in front of the CEO, explain his role in a crisis and critique his performance in an exercise?"
Once you have identified the consultancy you may want to use, you want to check the consultant’s qualifications. In the United Kingdom, the Business Continuity Institute’s (BCI) qualifications are the most widely used. I personally think the lead consultant should at least hold the MBCI or an FBCI qualification. Supporting consultants should be AMBCI qualified or at least be working to achieve it. In the United States, the most common awarding body is the DRI, who offer a similar set of qualifications to the BCI.
The CBCI qualification offered by the BCI is less of an experience qualification. By gaining the certification it again points to the consult taking their industry seriously and wanting to demonstrate their qualifications. It is awarded if you pass the BCI certificate exam, 120 multiple choice questions in two hours. To pass, the consultant has to get 70% and 85% for a merit. Most good consultants should have gained a merit in the exam.
You may also want to ask the consultant what formal training or academic courses they have been on, as there are a number of under and postgraduate courses in business continuity and other related disciplines. If your consultant does not have a qualification, I would question why they “never got around to it” or “don’t need a qualification to show my expertise...” For me, if a consultant has not bothered to get one or more business continuity qualifications, they are not serious about their profession or may not have sufficient experience to achieve a formal qualification.
Business continuity is evolving, changing constantly and is linking and integrating with other disciplines such as information security, cyber and crisis management. The new Good Practice Guide 2018 brought in new terms and there is a raft of ISO Technical Specifications covering BIA, People Aspects, Procedures, Crisis Management, Supply Chain and Resilience. On top of this, there are multiple blogs, LinkedIn articles, academic journals and new books on the subject or around the subject.
As part of your selection of a consultant, you should be asking them what CPD they carry out and how they keep themselves up to date? What was the last book or article they have read or who do they follow in the industry? Often consultants have been churning out the same business continuity for years and have taken no account of new developments, terminology or ideas.
"Often consultants have been churning out the same business continuity for years and have taken no account of new developments, terminology or ideas".
If you are employing someone to carry out Business Impact Analysis interviews, check they have experience at carrying them out. If you want someone to implement business continuity throughout the whole of your organisation from scratch, check they have the experience of doing it in the past. This may seem obvious, but some consultants have experience of implementing part of the business continuity life cycle and not all of it. So, get yourself some knowledge of business continuity and check that they have the knowledge of the parts of the life cycle you want to be carried out. This is especially important if you have little or no business continuity in place within the organisation and the whole of the business continuity life cycle needs to be implemented. Interview them to check how they have implemented their business continuity theory into practical solutions.
Ask for references and check them. It is very easy for individual consultants to talk up their experience when they could have actually been part of a larger team and weren't in a lead role.
I personally think that experience of the industry is less important than the consultant’s knowledge of implementing business continuity, although certain sectors, like financial services, seem to only want to employ consultants or contractors with the financial service experience. The industry experience, I feel, can be learned on the job; the consultant is coming at the organisation with a fresh set of eyes and is not trying to implement a solution using the same templates and documents they developed for the previous organisation they worked for.
If you need to certify your organisation to ISO 22301 you should try to choose a consultancy that is accredited to ISO 22301. If they are not accredited, find out why. More important is to ask them how many companies they have taken through to certification. Many consultants will have worked on part of the certification or aligned the organisation to ISO22301 but have not actually taken the organisation through to full certification. If you want ISO 22301 certification, the consultant who has taken an organisation through to ISO 22301 will understand the requirements, how it is audited and will probably give you the best chance helping your organisation achieve the standard.
Two final points on ISO 22301 implementation. I would avoid ISO or “standards” experts to take your organisation through to ISO 22301. These are people who specialise in taking organisations through to various ISO standards (ISO 9001, ISO 140001, ISO 27001). They may be able to get your organisation through to the standard, but as they are not specialists in business continuity and the quality of their business continuity solution may be poor and hence not work when needed. I suspect nobody ever has died due to a poorly implemented ISO 9001 implementation but there is a much greater chance of this happening in an ISO 22301 implementation!
Lastly, I would warn against choosing an organisation that will do the consultancy work to get you to ISO 22301 and then will certify you to the standard. I would always choose a UKAS accredited certification body such as BSI, NQA, SGS, Certification Europe or LRQA to carry out the certification. UKAS checks the quality of their certification and their code of practice means they cannot certify their own work. With organisations which certify to a standard but are not UKAS accredited, you have no control over their quality and they may be more interested in getting recurring certification revenue rather than concentrating on the quality of their business continuity consulting work. Often organisations will not recognise your ISO certification if it is not carried out by a UKAS accredited certification body.
Choosing a business continuity consultancy company
In finding firms to carry out your work you have a number of options. The first step should be to Google business continuity consultants and see which companies provide the service. Other places to look could be in business continuity magazines (Continuity Magazine, CIR, etc.) for companies advertising in the magazines. Look also at portals, as companies often advertise here. such as www.ContinuityCentral.com, and www.DRJ.com.
Exhibitions and conferences such as the Business Continuity Institute’s World Symposium or the Disaster Recovery Journal’s conferences as they include exhibitions of business continuity companies and service providers. Attending one of these conferences is a good opportunity to see, informally, companies that you might want to deliver your business continuity.
There are a number of different types of companies to purchase business continuity from, all of which have different advantages and disadvantages. Four possible options for companies to choose from are listed below.
Large (multinational) multi-discipline consultancies and outsourcers
There is a multitude of large multidiscipline companies out there. Some are the accounting “big 4” plus some of their smaller rivals such as BDO and Grant Thornton. Then there are the large outsourcing companies such as G4S and Capita and then there are also the international IT outsourcers such as IBM and Accenture.
The old adage goes that “nobody ever got sacked for employing PwC”. If you are going to employ one of the large multi-discipline consultancies, check that they employ business continuity specialists and that they are not just employing generalists who turn their hand to anything and will learn business continuity ‘on the job’.
Large consultancies will normally charge towards the top end of the consultancy rates but they usually have depth (i.e. a number of business continuity consultants) and experience at delivering consultancy. You need to check which consultant they will use on your job. Although they often employ some very experienced business continuity people, as they get busy, (or they may do this for all business continuity work), they subcontract the work to a one person bands. I have seen recently adverts by a big 4 accountancy asking for consultants to work for them on a day rate as they have too much work for their existing full time employed teams. If they are doing this, you may be able to go directly to the independent consultancy or person, saving yourself the premium price of employing a large consultancy.
If they are going to do a gap analysis or audit of your present level of business continuity, check that they are going to give you a substantial tailored report which actually details what the gaps are and also the work required to fill them. I have seen a number of gap analysis from the ‘big 4’ which contain very little actual organisation specific analysis, filled up with generic text and the main part of the report is a very expensive shopping list of items for you to purchase.
Choose your firm wisely. Certain large outsourcing companies may give you a very good price to carry out your work, but this may be because they are in financial difficulties. If the firm collapses or majorly restructures during your project this will have an impact on its delivery and as a worse case, you may need to start again.
Smaller (national) multi-discipline firms and IT outsourcers
Beware what I call the business continuity ‘amateurs’. These are consultancies who claim to be multi-discipline and claim to be able to carry out disaster recovery, information security risks management etc. Often, their staff are generalists, not business continuity professionals; they will make all the right noises but don’t really understand business continuity. If they know more about business continuity than you, you can never be sure whether they really know what they are talking about. Employing ‘amateurs’ as business continuity consultants can also apply to firms which principally sell IT software, IT services or disaster recovery. They sell business continuity as a bit of an aside, but it is not really their core business. They may also sell consultancy as a way of introducing their software or services into the company.
Employing generalists in business continuity roles also applies to some companies that seem to have every different sort of risk service on their website in the vain hope that a potential client sees it and asks for that service. Again, with large multi-discipline companies check the qualifications and experience of their consultants.
Specialist Business Continuity Consultancies
If you want business continuity carried out why not use a company which specializes in business continuity? Within the UK business continuity is still slightly a cottage industry so there are no specialists with more than 10 consultants. Those which look larger than this, are often resilience consultancies which cover a multitude of disciplines or are umbrellas organisation’s for a number of independent consultants.
Specialist business continuity consultancies give you the best of both worlds they employ consultants who specialise in business continuity but at the same time they have depth as they will normally designate two consultants to your project, so if one goes sick you have someone who can continue your project. They will also have company methodologies, so you will get consistency across your work.
Again, with all consultancies check that the consultant they allocate to your work has sufficient experience to deliver your project. Check also that they are employed by the organisation as a fulltime salaried employee and are not an independent contractor brought in when they are busy. I personally find the best way to check this is to visit the consultants LinkedIn profile. If they name consultancy as their full-time employer, they are likely to be employed by them, but if they put their own consultancy details down or their own consultancy plus the name of the consultancy they are not likely to be full time employed. If you get an associate as a consultant rather than a full-time employee then they may not be versed in the company’s methodologies and so there is no advantage of employing the specialist consultancy.
One person bands and independent contractors
There are a large number of single person consultancies out there who can provide business continuity services. Some of them are semi-retired from large business continuity consultancies or have had business continuity jobs and are looking for some additional income or to get themselves “out of the house”. Others operate consultancy companies and have one or two partners who run the business and deliver the consultancy. There are also the independent contractors who move from contract to contract to implement business continuity for their clients on a day rate basis often taking on a project from 3 months to a year. The advantage of using one person bands and independent contractors is that they can be local so you are not going to have to pay expenses and secondly they will often be cheaper than using consultant companies.
The disadvantage is that you are introducing a single point of failure into your business continuity programme. If they become unwell or are unable to work, you have to halt your programme until they are back at work. As most consultants have a particular way of doing business continuity it may be difficult to get in another consultant to carry out their work and the project may have to be restarted again.
If you are going to employ a senior an ex-policeperson, senior army or senior business continuity person such as an ex-Head of Global business continuity, check that they have the knowledge and skills to actually do the work. In their previous careers they may have managed people to do the actual business continuity work, but they haven’t for years got their “hands dirty” actually doing the delivery. You will want someone who can do the work and deliver and not only talk about it. Check their skills, ask them to provide examples or ask for references from previous employers.
HMRC are taking a much greater interest in independent consultants and whether they should be PAYE employees rather paid as contractors. This needs to be taken into account when employing one person bands and independent contractors and if they are paid as employees the organisation employing them loses flexibility and cost effectiveness of employing a third party to carry out their business continuity project.
"You can have the most brilliant technical business continuity consultant - but if they do not fit within your organisations culture, then they will kill your business continuity project and you will find it very difficult to resurrect it".
As I said at the beginning of the article, business continuity consultancy is like all consultancy in that it is all about people. You can have the most brilliant technical business continuity consultant - but if they do not fit within your organisations culture, they will kill your business continuity project and you will find it very difficult to resurrect it with a different consultant. Business continuity is a technical subject and just because you know a bit about Security, Information Security, Crisis Management or Disaster Recovery doesn’t give you the skills to carry out full lifecycle business continuity. So, alongside choosing the right personality fit you want to choose the person with the right technical business continuity skills and experience. Make sure you check their references and interview them on their skills, training, knowledge and their CPD.