Articles - BCP and IT DR
Does ‘scenario based’ continuity planning have a future?
The current approach to business continuity, which generally focusses on ‘what could happen’, has significant limitations says Graham Goodenough. In this article he explains why this is the case; and suggests a better, more positive, method.
The use of the term ‘resilient enterprise’ as expressed in this article, applies to a business that has been purposely designed to have the ability to adapt to significant increases, or decreases, in production/service demands from the market it serves, and which can adjust demands within an acceptable time frame that is not financially detrimental to the business. Establishing such an ability for critical activities to respond within the business for normal operations and any unplanned disruptions will provide flexibility within the organization that will enable capacities to be delivered as needed, and maintain business income, whatever may be the cause of disruption.
Born from the necessity for organizational management to mitigate risks to their company’s exposure to interruptions from hazards, business continuity has its origins in the crisis management of IT data recovery during the 1970s. The subject has subsequently evolved into a recognised business continuity profession through emerging legislation, various regulations, and a multitude of standards and through enforcement of specific business continuity activities and certification specified in the profession’s development.
Since the beginning, business continuity articles and business continuity training practitioners have highlighted the struggle with the ‘sale’ of business continuity to senior executives within organizations.
The primary focus from the early days of business continuity has been seen as an emphasis on mitigating disasters and implementing appropriate emergency response to incidents from identified risks. The approach has predominantly adopted a reactionary response towards business recovery, or continuity, after a perceived event has occurred. This, by nature, has emphasised ‘what could go wrong’, as compared to ‘what needs to be achieved’. In essence, the focus has been on mitigating identified causes of disruption and risks to ensure that the enterprise can continue in business.
The weakness in this approach is the attempt to identify potential threats (i.e. causes) of disruption from potential risks to the business from a myriad of options, and then to develop mitigation and responses which will reduce the extent of the perceived impact immediately at the ‘task activity’ level. This is often attempted before identifying what needs to be achieved for the benefit of the business as a whole.
As history and surveys have repeatedly demonstrated, what is predicted as a potential threat of disruption or risk to an organization does not necessarily materialise, either in cause or magnitude. This often means that the time, expense and development of mitigation plans for the identified event have only limited value to the business, and have no value if the event does not occur.
The effect is for the management of an enterprise to perceive business continuity management (BCM) activity as a cost, rather than as the price of doing business by supporting and enhancing their own business interests.
What seems to be missing in the current focus of business continuity is any guidance that would enable senior management within an organization to use the principles developed for BCM and resilience to directly achieve enterprise objectives with, or without, a disruptive event. What this would require is a significant change from the current reactive focus and a transition towards business continuity activity becoming a more proactive approach that emphasises the positive requirements of a successful business. Such a transition requires a top down approach and activity that will directly protect and support the maintenance of key income streams within the normal business interests of the organization. Identifying and quantifying the company’s key income streams, their dependencies on mission critical activities within the internal and external supply chains and establishing what is required for the company to deliver essential products and/or services to the organization’s customers at the business level, is an essential part of normal business strategy. This should be the primary initial focus of any strategic review for becoming a resilient enterprise.
The review should establish what is required to enhance the resilience of those critical activities which are directly associated with the receipt of key income streams. The overriding objective, for ultimate business survival, needs to ensure that at least the minimum level of income is obtained from the customer base in the event of any disruption to normal operations. The mitigation action selected through a business continuity plan (BCP), supply chain continuity management (SCCM) or enhancing the organization’s ability to achieve the minimum income necessary for survival through economic resilience, should be derived from ‘what needs to be managed right’ to achieve the minimum objectives for the continuity of the enterprise, irrespective of the cause and extent of disruption downtimes.
This article highlights a number of significant limitations to the prevailing business continuity practises; and it presents an alternative approach which is anticipated to readily add value to an enterprise’s senior management. The concept is delivered in a brief summary format and in no way represents the full analysis typically required.
A business continuity management survey of 1,021 managers from the Chartered Management Institute between 2007-2012, was published in 2013. A consolidation of the results compressed into a single diagram is shown in figure one, below.
Figure one: Summary of anticipated and actual causes of disruption.
The figure shows the percentage of managers who stated what they anticipated to be the likely causes of disruptions to their business during the future period. The following year the same managers were asked what disruptions to their activities over the period they had actually experienced.
The same managers were then asked how they would categorise the impact of the disruptions to their business in terms of ‘major’, ‘minor’ or ‘no impact’ over a 12-month period by number and impact for each cause of disruptive incidents experienced over the year 2011-12. The results are shown in figure two.
Figure two: Number and impact by cause.
It should be noted that the importance of IT in any industry is directly related to how linked the activity is to generating a critical income stream.
For example, the loss of IT in industries such as financial, parts of media, on-line retail and any function that has direct contact with consumer purchasing power where income can be measured in thousands of currency units per unit of time can have a major impact from even the shortest period of disruption. By contrast, IT associated with internal activities may be less sensitive to time and have less impact.
The study revealed a number of interesting facts, including:
- The actual cause of a major disruption cannot be reliably predicted at any one time, or over any period.
- The meaning of a ‘major’ impact to a business has different significance, and is very dependent on to whom and within which part of the organization the question is asked.
The important overriding conclusion from the study is that you cannot realistically predict causes of disruption to an enterprise, or reliably safeguard a business, or design mitigation responses to perceived causes. This is where insurance policies typically step in to bridge the gap. The time and effort associated with responding to an event that may never happen, therefore, provides limited value to the organization’s business interests, or to senior management. These conclusions run contrary to the prevailing emphasis in the business continuity profession. For example:
The prevailing business continuity approach, which appears to be promoted, is the reactive focus in the definition of BCM (ISO 22301). In particular:
“…identifies potential threats to an organisation and the impacts to business operations those threats, if realized, might cause…”
This approach has been continued into the structure of the standards for the business impact analysis (ISO 22317) and the supply chain (ISO 22318). The above definition typically suggested to mitigate risk to an enterprise appears to include:
- Firstly: Identify the (potential threat(s), risks) to the organization’s critical functions.
- Then: Evaluate (quantify) the impact from the perceived disruption to the business should the threat be realised for an assumed period of time.
- Then: Assess the risk through an impact/probability matrix.
- Then: Determine the acceptability of the risk to the organization. (i.e. compare with the risk appetite.)
- Then: Strategies the appropriate BCP/BIA/SCCM response to mitigate the risk.
- Then: Implement the BCP/BIA/SCCM strategy to mitigate the impact through established BCM principles.
The weakness in this approach is the attempt to identify potential threats (i.e. causes) for disruption and then to develop a response to mitigate the extent of the perceived impact immediately at the ‘task activity’ level, before identifying what needs to be achieved for the benefit of the business at the top level of the business. As history, and surveys as above, have repeatedly demonstrated, what is predicted as a potential threat of disruption to an organization does not necessarily materialise either in cause or magnitude. This often means that the time, expense and development of mitigation plans for the identified event have only limited value.
The effect is for the management of an enterprise to perceive BCM activity as a cost, rather than as the price of achieving an improved level of service to their business interests by enhancing a reliable delivery of products and services to their customers.
The implication from the above observations is that the current approach to business continuity mitigation, which generally focuses on the negative ‘what could happen’, needs to be turned on its head and moved more towards a positive approach of ‘what needs to be managed right’ to deliver the enterprise’s products and service to customers and achieve minimum objectives for survival. Essentially, to implement a culture of protecting the enterprise’s present and future income streams derived from their customer base, and securing the minimum level of income established by the enterprise’s defined appetite for risk through a process of enhancing a natural resilience.
Among the initial actions of top management in developing such strategies, and before implementing the detailed tasks and guidance specified in the prevailing BCM standards, therefore, should be to formalise an understanding of the customer markets served and establish the financial requirements of the business. This should include the following as a minimum: 1. Management should establish the top level operational financial requirements for the enterprise which are necessary to achieve its stated business objectives, and identify the minimum costs required for business survival. The review should include, but not be limited to the following:
- Establish the minimum cash-flow requirements to sustain the business entity. These can be established from a financial review of the essential operational cash-flow requirements (such as the fixed costs plus) for the enterprise by each key product/service delivered. The minimum identified could be considered the risk appetite, to which the optimum level of resilience could be designed.
- Identify the major sources of income generated for the business and the associated customers;
- Establish the priority customers within this group and determine each customer’s market tolerance retention/recovery criteria for various periods when products may not be delivered;
- Establish which of these identified customers should be prioritised for maintaining products and services to achieve the income necessary to support the above operational cash-flows, or marketing objectives for the business.
- Establish which of the internal and external suppliers are critical in enabling the organization to deliver the key income stream products and services.
- Other business requirements:
- Identify any legal, regulatory and contractual obligations that may be necessary to maintain the business.
2. Where required, establish and implement suitable passive and active resilience strategies for each critical activity necessary to deliver products and services to achieve the stated objectives. The strategies should be designed to deliver products and services for however long it may take to resume the output back to normal levels without specifying a time limit, whatever may be the cause of the disruption.
3. The required mitigation for each activity can then be cascaded down and expanded out along each critical path within the internal and external supply chains for the key deliverables.
Once the top level objectives for normal operation and minimum delivery requirements have been established, the extent of discussion with the suppliers’ and their BCP activity can be limited to ensuring that their BCP will deliver at least the minimum quantity of products or services required to support the enterprises key customer base.
Further resilience can be designed into the enterprises’ own SCCM/BCP, subject to the suppliers’ response and established capabilities.
Market and financial reviews can typically establish the customers’ expectations and the minimum financial requirements of the enterprise. The data gathered for the BCP/BIA/SCCM (e.g.: recovery time objectives (RTO), maximum tolerable outage (MTO) etc.,), can become the basis for the design criteria for the SCCM/BIA and ultimately, the mitigating resilience for the relevant objectives.
The document must include a financial dependency matrix diagram that financially quantifies the enterprise’s dependency on mission critical activities throughout the enterprises assets, including their key internal/external supply chain suppliers. The matrix typically correlates the income stream dependency on each activity as a percentage of the total annual income for the enterprise. This is an essential part of identifying the financial importance of the internal/external supplier(s) (and other critical activities) to the business and is a key part in formulating cost effective strategies required to enhance the resilience of the key supplies and activities for the benefit of the enterprise and its customer base as a whole.
The analysis process briefly summarised above refocuses business survival activity away from the mitigation of identified or ‘perceived’ risks, (a negative approach) towards activity which is essential for the enterprise to achieve its objectives (a positive approach). This provides the ability of the enterprise to readily and securely adapt to changes in the market, customer orders and other capacity influences; with the added benefit of having the ability to adjust to delivering the minimum level of products and services to the customer base that is essential for business survival. Such an approach identifies directly with the objectives of the senior management of the enterprise for both normal operations, and those needed for survival following a disruption.
By enhancing the resilience of an organization through the ability to adapt capacity output during both normal operations and periods of disruption to the customer base, it can be readily seen that any costs incurred will be absorbed as the ‘cost of doing business’. By improving the reliability of delivery for products and services, it is clear that enhancing resilience will add value for the business and will benefit senior management.
Prior to retiring, Graham Goodenough’s career spanned some 35 years in various client servicing positions with legacy companies of FM Global. His career culminated in the position of assistant vice president (AVP) senior business risk consultant in the company’s Business Risk Consulting Group based in Windsor.
During the tenure with FM Global, Mr Goodenough was responsible for conducting property risk assessments, undertaking financially orientated business impact analysis (BIA), analysing financial exposures from global supply chains, developing risk improvement recommendations, advising on business continuity planning and presenting findings and recommendations to senior management in the company’s multi-national corporate clients. Mr Goodenough also provided training for FM Global’s staff members and participated in training presentations to clients.
A Chartered Chemical Engineer and a Fellow of the Institution of Chemical Engineers, Mr Goodenough is also a Member of the Chartered Management Institute.
Mr Goodenough holds a Bachelor’s Degree from the UK’s University of Surrey as well as Master’s Degrees in technical and management subjects from University of Sheffield and Bristol University respectively.
Contact Graham at email@example.com.
BRCCI - Business Resilience Certification Consortium International (www.brcci.org)
We are thankful to the author for allowing us to post this insightful article on our website. BRCCI provides a comprehensive training and certification program in business resiliency, continuity and IT disaster recovery planning:
- 3-day CBRM (Certified Business Resilience Manager) is a comprehensive, all-in-one, 3-day Business Continuity Planning and Management Training and Certification course which is designed to teach practical methods to develop, test, and maintain a business continuity plan and establish a business continuity program.
- 3-day CBRITP (Certified Business Resilience IT Professional) his is a comprehensive training on how to assess, develop, test, and maintain an information technology (IT) Disaster Recovery Plan for recovering IT and telecommunications systems and infrastructure in the event of a disaster or business disruption. The training provides a step-by-step methodology to ensure a reliable and effective IT disaster recovery and continuity plan consistent with the industry's standards and best practices.
- 2-day CBRA (Certified Business Resilience Auditor) It provides 2 days of intensive, Business Continuity Audit training to enable students to determine the effectiveness, adequacy, quality and reliability of an organization’s Business Continuity Program. Students will learn an audit methodology to evaluate compliance of Business Continuity and IT Disaster Recovery Programs with the current industry's best practices and standards including:
- ISO 22301: Business Continuity Management Systems – Requirements
- NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs
- ITIL v4: Information Technology Infrastructure Library
For information on the above program, please contact BRCCI (www.brcci.org, 1-888-962-7224).