Choosing a Business Continuity Consultant (and avoiding being sold snake oil)
Snake oil is applied metaphorically to any product with exaggerated marketing but questionable and/or unverifiable quality or benefit.
For the consultant, selling business continuity can be the ultimate snake oil. Often, the potential client has been told to implement business continuity and doesn’t know where to start. Along comes the consultant, offering to take all the potential client’s pain away. They make all the right noises about BIAs, MTPD, plans and RTOs but the client is never sure whether they are being sold the snake oil or a genuine cure. With other types of consultancy there is often a ‘cost benefit’, where the consultant will be able to show demonstrable changes or cost savings to the client.
In purchasing business continuity consultancy you buy from a consultant who plans for something which may never happen. If the plans have to be used, the consultant has been paid and is off to their next job. If the plan does not work, the consultant can blame the updating of the plan and not the original plan which they delivered. Therefore, providing business continuity consultancy is the snake oil peddler’s dream: it can command a premium price; you are often selling to a client who does not really understand what they are being sold; and it is very unlikely that your plan will actually be used and, if it is used, you most likely have been paid for the work and are long gone.
The purpose of this article
The purpose of this article is to give potential purchasers some ideas on what to look for in choosing a business continuity consultant, which will hopefully ensure that you get the services at the quality you require. By using the ideas within this article you should hopefully avoid the purveyors of snake oil and employ someone who will give you a genuine cure for your business continuity problem.
1. No different from purchasing any other type of consultancy
First of all, choosing your business continuity consultant is no different from choosing any other consultant. Chemistry and personality are key. Do you like the person who is offering you consultancy and would you be happy to spend six months (or longer) working alongside them? Are you happy for them to go in front of the CEO, explain his job in a crisis and critique his performance in an exercise? Can they speak the language of business as well as business continuity, will they fit into the organisation’s culture and do you feel comfortable that they will deliver what you have asked them to? If you want lots of workshops or presentations then ask them, as part of the selection process, to give you a presentation or interview them on how they would carry out a business continuity workshop.
As with choosing all consultants, "beware of the bait and switch2", you have to ensure that the business continuity expert who comes along to your initial meeting is the person who will be carrying out the work and that this will not be delegated to a junior person who does not have the same level of skills and is simply learning how to implement business continuity at your expense.
2. Be an informed buyer
I have replied to a number of tenders where it is obvious that the organisation putting out the tender has little or no understanding of business continuity. This makes it very difficult for those replying to the tender to cost the job correctly. If you are going to put out a tender or employ a business continuity consultant, I would recommend you go on a business continuity course yourself so that you understand what you are buying. There are a number of courses available which will give you a reasonable understanding of business continuity.
I was asked to do some work for a client who had employed a consultant from their insurance company to implement their business continuity programme. They never felt happy with his work, but didn’t have the knowledge to challenge him. They then went on the BCI 5-day course (with myself as the tutor) and at the end of the course they had the knowledge to ask him all sorts of in-depth business continuity questions which he couldn’t answer. I was then employed as his replacement. The better you understand the subject, the better and more cost-effective your purchase of business continuity will be. Even if you attend the BCI 5-day course (www.b-c-training.co.uk) at a cost of around £1,400, you will save this by making savings on your business continuity purchases.
3. Choosing a business continuity consultancy company
In finding firms to carry out your work you have a number of options. First step should be to Google business continuity consultants and see which companies provide the service. Don’t ignore the small local companies, as I will discuss later. Look in business continuity magazines (Continuity Magazine, CIR, etc.) for companies advertising in the magazines. Look also at portals, as companies often advertise on the portals. Look at www.ContinuityCentral.com, www.ContinuityForum.org and www.DRJ.com. Exhibitions and conferences such as the Business Continuity Institute’s World Symposium (www.bcm2013.com/) or the DRJs Conferences as there is an exhibition of business continuity companies and service providers and is a good opportunity to see, informally, companies that you might want to deliver your business continuity.
There are a number of different types of companies to purchase business continuity from, all of which have different advantages and disadvantages. Three possible options for companies to choose from are listed below.
3a. Large multi-discipline consultancies
The old adage goes that “nobody ever got sacked for employing PWC”. If you are going to employ one of the large multi-discipline consultancies, check that they employ business continuity specialists (see sections 4. and 5. below) and that they are not just employing generalists who turn their hand to anything and will learn business continuity ‘on the job’. Large consultancies will normally charge towards the top end of the consultancy rates but they usually have depth (i.e. a number of business continuity consultants) and experience at delivering consultancy. You may want to check who the consultant is they will use on your job. This is because, as they get busy, (or they may do this for all business continuity work), they contract the work to a small independent consultancy firm. If they are doing this, you may be able to go directly to the independent consultancy, saving yourself the premium price of employing a large consultancy.
3b. Smaller multi-discipline firms
Beware of what I call the business continuity ‘dabblers’. These are consultancies who claim to be multi-discipline and claim to be able to carry out disaster recovery, information security risks management etc. Often, their staff are generalists not business continuity professionals; they will make all the right noises, but don’t really understand business continuity. If they know more about business continuity than you, you can never be sure whether they really know what they are talking about. Employing generalists can also apply to firms which principally sell IT software, IT services or disaster recovery. They sell business continuity as a bit of an aside but it is not really their core business. They may also sell consultancy as a way of introducing their software or services into the company. Employing generalists in business continuity roles also applies to some companies that seem to have every different sort of risk service on their website in the vain hope that a potential client sees it and asks for that service. Again, with large multidiscipline companies check the qualifications and experience of their consultants.
3c. Large or small independents
Business continuity consultancy is still a cottage industry. There are very few large consultancies that specialise in business continuity and the majority of consultancies (even the large multi-discipline ones) have ten or less business continuity consultants. Most are 2-3 person bands (although if their website is to be believed they have many more staff than this!) and consist of loose alliances who bring in associates to deliver larger jobs or to help out when they are busy. If you want good value business continuity consultancy these are the firms to approach. They will often be flexible on price (especially in the present climate) and, as they are small, they are able to offer a bespoke and flexible service to the customer. If you are choosing one of these, make sure you choose a business continuity specialist and avoid the dabblers, who provide a wide variety of risk services. Consider using a company local to you, as they will know the local environment and local risks and you can save money by not having to pay expenses. The downside of using a small local company is that if something happens to your consultant the company may not be able provide an alternative and so you may have to contact another company to cover the work.
4. Consultant’s qualifications
Once you have identified the consultancy you may want to use, consultant’s qualifications should be checked. In the United Kingdom, the Business Continuity Institute’s qualifications are the most widely used. I personally think the lead consultant should at least hold the MBCI or an FBCI qualification. Supporting consultants should be AMBCI qualified or at least be working to achieve it. In the United States, the most common awarding body is the DRI, who offer a similar set of qualifications to the BCI. The CBI qualification offered by the BCI is less of an experience qualification but is awarded if you pass the BCI certificate exam (120 multiple choice questions in two hours!). You may also want to ask the consultant what training or courses they have been on, as there are a number of under and postgraduate courses in business continuity and other related disciplines. If your consultant does not have a qualification, I would question why (“never got round to it”; “don’t need a qualification to show my expertise…”). For me, if a consultant has not bothered to get one or more business continuity qualifications they are not serious about their profession, or they may be a dabbler who would not have sufficient experience to achieve a formal qualification.
5. Consultant’s experience
If you are employing someone to carry out Business Impact Analysis interviews, check they have experience at carrying them out. If you want someone to implement business continuity throughout the whole of your organisation from scratch, check they have the experience of doing it in the past. This may seem obvious, but many consultants have experience of implementing part of the business continuity life cycle and not all of it. So, get yourself some knowledge of business continuity and then check in some detail your consultant’s experience and that they have the knowledge of the parts of the life cycle you want carried out. This is especially important if you have little or no business continuity in place within the organisation and the whole of the business continuity life cycle needs to be implemented. Interview them to check how they have implemented their business continuity theory into practical solutions. Ask for references and check them. It is very easy for individual consultants to talk up their experience when they could have actually been part of a larger team and weren't in a lead role.
I personally think that experience of the industry is less important than the consultant’s knowledge of implementing business continuity; although certain sectors, like financial services, seem to only want to employ consultants or contractors with financial service experience. The industry experience, I feel, can be learned on the job; the consultant is coming at the organisation with a fresh set of eyes and is not trying to implement a solution using the same templates and documents they developed for the previous organisation they worked for.
6. Implementing ISO22301
Every consultant I know (myself included) talks about ISO22301 to their potential clients and claims that all their work is compliant with ISO22301. Most business continuity consultants will claim that they will be able to implement ISO22301 in your organisation. If you can implement business continuity it is obviously only a very small step towards implementing ISO22301. I was under this misconception until, about three years ago, I started to implement BS25999 (successor to ISO22301) in my own organisation. ISO22301 is a long step from your more ‘typical’ business continuity implementation. A while ago I had a chat with a friend who works in a bank and who had got in a consultancy firm that advised them that they were 95% on the way to BS25999. They invited in an accreditation body to do a gap analysis on ISO22301, only to find they were a very long way from achieving the standard and that a lot more work was required.
If you need to certify your organisation to ISO22301 you should try and choose a consultancy that is accredited to ISO22301. If they are not accredited to ISO22301, find out why. More important is to ask them how many companies they have taken through to certification and the award of ISO22301 and BS25999. Many consultants will have worked on part of the certification or aligned the organisation to ISO223013 but have not actually taken the organisation through to full certification. If you want ISO22301 certification, the consultant who has taken an organisation through to ISO22301 will understand the requirements, how it is audited and will probably give you the best chance helping your organisation achieve the standard.
Two final points on ISO22301 implementation. I would avoid ISO or “standards” experts to take your organisation through to ISO22301. These are people who specialise in taking organisations through to various ISO standards ISO9001, ISO140001, ISO27001. They fit into the dabbler’s camp. They may be able to get your organisation through to the standard but as they are not specialists in business continuity so the quality of their business continuity solution may be poor and hence not work when needed. I suspect nobody ever has died due to a poorly implement ISO9001 implementation but there is a much greater chance of this happening in an ISO22301 implementation.
Lastly I would warn against choosing an organisation that will do the consultancy work to get you to ISO22301 and then will certify you to the standard. I would always choose a UKAS certification body such as BSI, NQA, SGS or LRQA to carry out the certification. UKAS checks the quality of their certification and their code of practice means they cannot certify their own work. With organisations which certify to a standard but are not UKAS certified means that you have no control over their quality and they may be more interested in getting recurring certification revenue rather than concentrating on the quality of their business continuity consulting work.
7. In conclusion
As business continuity is a newish profession there are not a large number of people with the skills to carry out consultancy and so consultants can charge a premium over other related disciplines. Secondly, as the plans may never be used they don’t necessarily need to be able to work, as long as they look the part! Thirdly, as many purchasers don’t often understand what they are buying, it is then difficult to check if they are actually getting what they need. Within this situation there are lots of professional, well-experienced consultants and others learning the trade and gaining in experience but there are also the dabblers and the purveyors of snake oil. I believe that if you make an effort to understand what you are buying and check the qualifications and experience of your consultant before you purchase their skills, you will give yourself the best chance of achieving your business continuity goals.
Charlie Maclean-Bristol MBCI, FEPS, CBCI, CPP
PlanB Consulting is an ISO22301 certified company.
Charlie would like to thank all those members of BCMIX - Business Continuity Management Information eXchange who responded to his request for help “I am looking for any advice or words of wisdom on hiring a business continuity consultant. Can anyone send me some hints, tips or pearls of wisdom?” who provided their experience which added to this article.
This article is ©PlanB Consulting 2013. If you would like to reproduce this article then contact PlanB Consulting for permission at firstname.lastname@example.org
Checklist for choosing a business continuity consultant
- Define what you want them to do.
- If you don’t understand what business continuity is, then go on a training course or find someone in the organisation to help you design the brief.
- Research which companies you might like to provide the service not excluding small local companies.
- Meet and interview the possible consultants. Checking that they: -
- have the skills for the job
- have done the work before
- will they be creditable and fit into your organisation
- enquire about their qualifications and training
- is the business continuity person turning up to the meeting the actual person who will be doing the work
- ask them to provide references
- Check their references
- Perhaps get them to carry out a small bit of work to check the quality of their work
If there is a requirement to go out to tender for the work these checks can be built into the tender process.