Business continuity management has matured over the past few years, but as this process happens is there a risk that the profession becomes change-resistant? Standards have emerged, but could this emergence, coupled with a growing demand for accreditation and certification result in a lack of innovation?
It is undoubtedly easier to follow tried and tested formulae, but questioning the status quo is always healthy and necessary so let’s ask some hard questions.
Has business continuity arrived? Is it the finished product? Are the current standards and best practices the destination of two decades of evolution from disaster recovery? Or is the current stage simply part of a journey to a new and different destination? Are our current plan development methods and business continuity management strategies the pinnacle of what the profession can achieve? Or are we half way up the mountain taking a breather?
My inclination would be the latter. Business continuity management as it stands is an interim stage of the development of something broader, more wide-ranging, more effective and more holistic. Personally I believe that it is possible that we are on a journey towards ‘organizational resilience’.
Of course, business continuity managers have always understood that business continuity is inextricably linked with resilience but has the subject only partially been explored and incorporated by current standards?
In the definition of business continuity management provided by BS 25999 we read that BCM is a “holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.”
So it is clearly recognized that the aim of business continuity management is to provide a framework for organizational resilience, but what does BS 25999 mean by organizational resilience? It defines resilience as the ‘ability of an organization to resist being affected by an incident’ and it defines an incident as a ‘situation that might be, or could lead to, a business disruption, loss, emergency or crisis’. Therefore BS 25999 is clearly focussed on resilience in terms of response to an unusual incident, something which happens outside of the normal day-to-day activities of the organization. Organizational resilience within BS 25999 is closely related to incident response; a somewhat narrow view of organizational resilience?
A wider view of resiliency is that it is as much about maximising the availability of systems and processes in day-to-day situations as it is about responding to unusual and disruptive events.
So, whereas BS 25999 sees one of the major outcomes of an effective business continuity programme as ‘key products and services are identified and protected, ensuring their continuity’, in organizational resiliency ALL products and services and ALL processes are important to protect. And while recovery is important, the main focus is upon hardening systems and processes so that damage, downtime and outages are minimized.
At the heart of organizational resilience is culture change. Its essence is the development of resiliency thinking so that resilience is not retro-fitted into systems and processes; instead it is designed into systems and processes from day one. And risk management and monitoring are not the role of a separate siloed department; they are the clear responsibility of every manager and every employee.
None of the above is intended as a criticism of current business continuity standards, or of BS 25999 in particular. It is clearly fit for purpose for today’s market and profession. However, I believe that business continuity management can be the vehicle that allows operational resilience to fully emerge. But only if we allow business continuity management to evolve further. Only if we aren’t afraid to go back to the very basics when future revisions are made to business continuity standards. Only if we encourage those who think outside the box. And only if we admit to ourselves that we are on a journey rather than at the destination.
0 comments:
Post a Comment