For Business Continuity, Accept the Unexpected
By Brendan Monahan
01 August 2019
It is one thing to
expect the unexpected. It is quite another to accept the unexpected. Denial is
a powerful thing, and even the best of us can be convinced that our plans are
comprehensive and our preparedness complete.
The key ways to
overcome this sort of complacency are to link crisis management and business
continuity meaningfully, and to incorporate Adaptive Business Continuity
principles that enable an organization to react quickly to the unexpected.
Consider that the past
few years alone have seen increasingly active Atlantic hurricane seasons, major
cyberattacks against global corporations, and secondary losses of key
infrastructure following major disasters. Organizations in the public and
private sectors are asking their teams to do more with less while also
performing to higher standards. The need to recover quickly from losses is as
important as ever, while in many cases the resources are thinner than they used
to be. These realities require new and innovative approaches.
In addition, as our
society grows increasingly interconnected, businesses, organizations, and
governments will depend upon one another’s services to tighter and tighter
tolerances. Utility and communications regulators, for example, are demanding
that companies meet stricter reliability standards. This trend will continue
for the foreseeable future.
Meanwhile, the costs and consequences of large-scale incidents will grow. Disaster events claimed more than 11,000 victims globally in 2018. According to data from the Swiss Re Group, total losses from natural and manmade disasters in 2018 were an estimated $155 billion, of which global insured losses were around $79 billion.
These conditions paint
a frightening picture, but therein lies the opportunity. A well-crafted
business continuity program, clearly linked to crisis management activities,
can be a source of value for an organization—not only in response to disaster,
but on “blue sky days” too. The business continuity (BC) program and its
practitioners can become meaningful business partners with the organization.
A Tall Order?
Great organizations
confronted with crisis can choose to accept the unexpected, adopt a new normal,
and bring out the best in themselves and their people. In doing so, they take a
position of strength that recognizes crisis as a form of change and redefines
it for a better future.
To do this, the
organization needs to be poised in its response—not just when a crisis or
business interruption occurs, but ahead of it. Done skillfully, a business
continuity program can not only enable a better response, but also foster
continuous improvement and identify areas of operational improvement along the
way.
Security managers are
in a key position to influence their organizations if they adopt practical
notions in their BC approach. And, in some cases, it is the security manager
who is tasked with creating a new BC program where none existed, or worse—with
reviving one that has languished.
How does one proceed?
By connecting BC to the delivery of continuous improvement and operational
value and by linking crisis management and BC in a meaningful way.
To achieve the best outcome, business continuity depends as much on the planning and preparation effort as on the response and recovery that follow. This is where the true blocking and tackling of BC work takes place.
Some industries and
regulators are decidedly prescriptive about the required activities of BC
programs under their purview. They mandate activities such as assessing risk,
completing a business impact analysis, obtaining buy-in from senior leadership,
training, validation, testing and exercising, documentation, and communication.
This is especially true in the financial sector and in the healthcare industry.
The Good Practice Guidelines from the Business Continuity Institute and the ISO 22301 standard are good starting points, particularly where accredited certification is needed or preferred. However, such traditional practices are not the only route to a meaningful BC program.
Pitfalls of Tradition
In some cases, the
activities and approaches traditionally associated with continuity planning can
pose an obstacle to implementing a program. While these may have their
appropriate place within many BC contexts, they can also present
challenges.
This is especially
true in cases where an organization may have greater latitude in designing a
new program or revising an existing one, or in organizations with a culture
that favors iterative, agile processes over linear, sequential ones. In these
cases, it may be preferable to place the primary focus on quickly delivering
value.
For example, a core
concept of much BC planning activity is the focus on recovery time objectives
(RTOs). The use of RTOs is intended to help quantify recovery needs, prioritize
response activity, and drive planning activity.
However, employing time as a target, rather than simply as a constraint, can be problematic. In practice, RTOs and recovery point objectives (RPOs) are often subjective or even arbitrary. They are best applied where truly static, precise, and predetermined time restrictions exist, such as regulatory time limits (and the violations that follow from missing them) or specific matters of health and safety. Otherwise, the effort undertaken to arrive at and assure an RTO may not return value. By contrast, if it is clear that failing to meet a six-hour time frame for service restoration will result in a regulatory fine of a specific dollar amount, the decision-making process becomes quite straightforward, because the investment required to meet the RTO can be weighed directly against the risk of penalties.
Another cornerstone of the BC world is the business impact analysis (BIA). While the BIA can be an invaluable tool for the BC practitioner, it can also be a subject fraught with confusion. A common mistake is to treat the recovery priorities it produces as a fixed order of restoration.
In actuality, the proper sequence of service restoration will always depend on the exact nature of the post-disaster situation. As such, responses need to be flexible and adaptive. This is especially true in today's environment, where the cause of a service outage might not be immediately obvious, as in the case of a deliberate cyberattack. There, the order in which systems can safely be brought back may be dictated by containment and forensic needs rather than by business priority.
As a consequence of
all this activity, an overwhelming amount of documentation can be generated
which needs to be guarded, maintained, and updated. But rarely is it used in
actual response activities. In some cases, BC and response plans are so
voluminous that they could not possibly serve a practical purpose in a real
emergency. They become the proverbial shelfware.
Lastly, traditional methods emphasize securing senior executive support first, and often treat it as the only sponsorship that matters. While important, it can be more meaningful to engage at many levels in the organization.
The real danger here
is slipping into a trap where the organization is carrying out extensive
business continuity activity for business continuity’s sake, which only
delivers value on an arbitrary or periodic basis and could create a false sense
of preparedness in departments where little actually exists. The goal, instead,
should be to explicitly link to the organization’s objectives and to deliver
value incrementally and continuously.
A Practical Approach
Consider some of the
following practical approaches in connecting BC to the delivery of continuous
improvement and operational value. These are notions borrowed directly from the
approach called Adaptive Business Continuity. Five of Adaptive BC’s core
principles, outlined here, are essential for better partnership between crisis
management and business continuity.
Exercise first. In the strictly
sequential approach often favored by traditional BC practitioners, testing and
exercising come during later stages of the cycle, after plans and assessments
have been completed.
But discussion-based
tabletop exercises are the single most powerful tool an organization can use to
identify gaps in planning and address assumptions in both crisis management
response and BC. Dollar-for-dollar, there is no better value. So why not start
there? By walking through a scenario as a group, a team can quickly and easily
spot gaps and identify solutions.
Such exercises can be
lightweight and even informal. The key is to have a direct, focused approach
driven by one or two clearly defined objectives.
For example, the objective of this exercise might be to assess the initial size-up and response to an unplanned event; to evaluate the escalation protocol defined in the planning documents; or to review the organization's ability to activate the crisis management plan.
By driving toward the objective, a planning team can steer away from overly complex exercise scenarios. Inevitably, the discussion will uncover low-hanging fruit of an operational nature; the exercise players will establish closer personal connections; and the collective team will identify gaps around the predetermined objectives.
Consequently, the
results are both of immediate value and can be used to drive action planning
over the medium and longer term. And, in doing so, the team has also
established clear connections between BC and crisis management capabilities.
Simplify documentation. Elaborate crisis management and BC plans that are hundreds of pages long are a detriment in three critical ways. First, they require extensive, often labor-intensive, maintenance and continuous updates. Second, they are not practical in an actual crisis. Lastly, they are not value-generating activities. BC activity and documentation for its own sake is a common pitfall.
Simplify plans so they
can be internalized and recalled easily by the people that need to know them.
Where appropriate, checklists are an excellent tool.
The exceptions, of
course, are cases where such plans are mandated or regulatory requirements,
such as in the finance and healthcare industries. Absent any compliance or
other compelling need, voluminous documentation should be replaced by slim,
user-oriented playbooks.
A practical example of
this is an organization with a 75-page corporate incident response policy. Key
leaders in the organization had acknowledged that because of the policy's
length, it was universally ignored—posing a critical risk. The solution was to
reduce the most significant end user elements of the policy—what the responder
truly needed to know first—into a one-page infographic.
The infographic was
introduced to the working teams through a series of short, focused tabletop
exercises. Teams were asked to use—and break—key aspects of processes contained
in the infographic.
In the course of the
exercises the teams also uncovered critical communications gaps and assumptions
and were able to address them. They formulated the catchphrase “Don’t Hesitate
to Escalate” to drive home their solution to the communications problem. In
doing so, they delivered immediate value to the organization, improved
operational efficiency, and established a basis for continuous improvement of
their BC and crisis management capabilities.
Continually improve. The most compelling case a BC professional can make to a client or constituent is that the cost and effort required of proposed BC-related activities will offer some immediate payoff, as well as continuous, iterative improvement throughout the process.
Free from documentation for its own sake and from a strictly sequential BC cycle, the BC professional discovers the opportunity to take more of a role as a partner in the business. Where performance measures like RTOs are needed, or where an inventory of key business processes is being taken, the discussion should not focus on an arbitrary target.
Rather, an opportunity
exists to engage stakeholders about their goals for the organization and to
rationalize the findings of their assessments—challenge them to apply their own
intuition to the targets and see if they pass the test of common sense. And by
asking why the target is there, call into question how it may be reached on a
“blue sky day” more efficiently.
The BC process can be
a source of continuous improvement by providing a venue for these conversations
among stakeholders. People are eager to share personal experiences of working
through crises—with outcomes that were positive or negative for the
organization—especially in a setting where that experience can add value.
For example, one
organization recognized that its list of key business processes was extensively
detailed and complicated. A very candid, common sense discussion reduced this
list from dozens of items to six, only one of which was considered critical.
Consequently, the BC management process was simplified, and the crisis
management response framework was easier to internalize.
Plan for effects. The causes of catastrophe are innumerable. We cannot plan for every eventuality, and even if we could, our best-laid plans often get overtaken by events. Instead, we should focus on effects.
Generations of
military leaders have understood that “No plan survives first contact
with the enemy.” The notion is familiar and often repeated in more contemporary
contexts, but perhaps best by Mike Tyson: “Everyone has a plan until they get
punched in the mouth.”
Consider the extreme
weather phenomena experienced by the U.S. Northeast in 2011 and 2012. In the
fall of 2011, the area experienced a nor’easter and Hurricane Irene in rapid
succession. The following fall in 2012, it experienced yet another nor’easter
and Superstorm Sandy.
All four events can
easily be described as storms, natural disasters, or extreme weather. The acute
causes of the localized emergency were highly specific, however. Each storm had
its own unique character: inland flooding, coastal flooding, a snow event, or a
tree event. Some would argue that this calls for four unique types of plans—or
that each cause needs a corresponding plan.
On the contrary, the effects of these catastrophes are far fewer. Whatever the cause, the effect reduces to the unexpected unavailability of people (staff), places (facilities), or things (resources and critical suppliers).
Focusing on effects
makes for much simpler, more meaningful and manageable planning.
Know the business. Above all, the people
responsible for carrying out any BC or crisis management activity need to know
the business. BC practitioners should align closely with operational teams at
every level of the organization—not just at the senior leadership level. Having
executive support is beneficial to driving outcomes, but the discovery of
ground truth comes from frontline teams. The best BC professionals don’t just
drive an arbitrary BC cycle. They understand the people, places, and things
that make the business unit tick—and why.
If we consider crisis
management an unexpected opportunity to change, then BC should serve as the
practical, sense-making corollary. In other words, the lessons learned in acute
responses to crises can be sharpened into operational improvements and
ultimately greater resilience when incorporated by the BC process.
The BC professional’s
biggest client in any organization is operations. Delivering value during
crisis means having close integration between business continuity, crisis
management, and the real needs of the business.
If we accept that
organizations will continue to be challenged in unexpected ways by the external
environment—and that this will result in losses—we have to look at how our BC
efforts match with the demands placed upon them.
The organization that
is in a position of strength is one that has truthfully inventoried itself,
assessed its own assumptions, and made use of what it learns along the way—not
just in the moment of crisis or business interruption.
The path to this
outcome can follow a traditional, prescriptive route as defined in the ISO and
the Good Practice Guidelines—but it can also take more innovative and ongoing
forms by linking BC and crisis management to the goals and orientation of the
organization. A more practical, agile, and lean approach like the one outlined
by Adaptive Business Continuity is likely to provide more value—and at a faster
pace—than traditional practices we currently have in place.
Brendan Monahan is the chair of the ASIS International Crisis Management and Business Continuity Council. He is an associate director at Novartis, responsible for coordinating business continuity and for risk and crisis/emergency management in the U.S. country region.