Following his recent bulletins about whether business continuity is in decline and why resilience is not the solution, this week Charlie looks at how BC managers can save the profession.
Over the last couple of bulletins I have discussed whether business continuity is in decline, and whilst moving into a resilience role may be a good career choice for the business continuity manager, it is not the silver bullet which is going to save the profession. In this bulletin, I am going to put forward some ideas for how business continuity managers can make themselves more relevant within their organisation, add value and, by expanding their role, save the profession.
As we all know, we live in a volatile and changeable world. Regardless of advances in our technical ability, we haven’t managed to tame the forces of nature and the breakdown of technology, which we absolutely rely on. There are no less threats than there were twenty, fifty or one thousand years ago, the threats just change. Global warming, cyber criminality, terrorism and the tight coupling of technology to our daily lives, are some of today’s threats and these will continue to change over time. So, for our business continuity managers there are lots of threats to plan for, mitigate and prepare the organisation's response to.
The first task of the business continuity manager in this new world is to expand their remit beyond the main role advocated in the Good Practice Guidelines of PPRS (People, Premises, Resources and Suppliers) and beyond the confines of the business continuity lifecycle. As we have seen in other bulletins, with improvements in IT technology, planning for loss of office becomes irrelevant. Staff can work from anywhere and IT systems are always on, so recovery RTOs and RPOs become irrelevant. Our business continuity coordinators can update their plans and BIAs, and often carry out their own exercises. Therefore, to add value and to make best use of our existing skills, I believe we have to find new roles within our organisation, beyond just going slavishly round the business continuity lifecycle.
I am well aware, due to the composition of organisations and the position of the business continuity manager that not all of the following roles and tasks can be carried out. However, if you go to a department and offer to take some of their pain, they will often jump at the chance. Detailed below are some of the roles the business continuity manager should take on, using their existing skills to add value across different parts of their organisation!
1. Work with your risk department and those responsible for strategy to identify new threats to the organisation. You should be horizon scanning to identify new and developing threats. There should no longer be black swan incidents taking place in your organisation, as you have identified an incident occurring elsewhere and worked out that this incident could occur in your organisation. This could expand to cover competitor and market intelligence if your own organisation does not do this already.
2. Be the ‘go-to’ person for incidents. When events occur, such as the London car attack a couple of weeks ago, Brussels airport bombing, or the Paris attacks, organisations should account for their staff and make sure that they are not killed or injured. You should be the person the organisation goes to, to account for staff. It may need a multidisciplinary response, but you are the person senior managers go to, to coordinate your organisation’s response.
3. Many organisations, especially those in oil and gas, manufacturing and transport industries, have emergency response plans in place. You might also have business continuity plans in place, but there is often a gap between where the emergency response plans end and the recovery can start. In the diagram above, you can see some of the issues which need to be managed after the emergency response phase is over. You can add value by producing a crisis management or incident plan which will deal with these issues. The response to the issue usually goes beyond the exact site of the incident. Therefore, your organisation needs to manage the response to the issue, including the media, local authorities and the effect on the local population. As a central function, you are often better placed to develop the plans for the area covered by the red arrow, as you have a central remit and can develop the plans with the relevant central functions.
4. Issue management is all about identifying the issues within an organisation which could become a crisis and making sure that steps are taken to avoid this. You could work with Corporate Communications to use your facilitation skills to help them identify possible issues, as well as monitor them and develop contingency plans if they are required. If you want to learn all about issue management read 'Crisis, Issues and Reputation Management' by Andrew Griffin.
5. Your organisation may have IT teams or other teams which manage incidents, where you provide a technology service to your customers. You may also have duty managers which respond to incidents. This is an ideal opportunity to use some of your incident management skills - give them the tools, techniques and confidence to manage an incident.
6. I don’t think business continuity managers should be involved in cyber, by teaching people to use better passwords. I think this makes business continuity become a part of IT, when it has a much wider remit than this. In terms of cyber, the business continuity manager should be working with IT and senior managers to produce a playbook of incident responses, educating them on the different scenarios and decisions they may have to make during a cyber incident, as well as exercising the plans.
7. If your crisis communications team has a crisis response play, why not run some exercises to help them practice their response to an incident? There are several companies out there with social media simulators and you could get one of them in to help make the exercise more realistic.
8. Do you have a travel security policy, with a country risks assessment, a staff helpline and a response plan for responding to an incident involving staff travelling abroad? If you don’t, have this in place, as there is the opportunity to add value by getting a multidisciplinary team and developing your organisation's framework.
9. Managers are always looking for interesting topics to cover on staff away days. Again, make yourself the ‘go-to’ person, so that they come to you first. You can create interesting and exciting events which entertain and challenge staff, but at the same time promote business continuity throughout the organisation.
Not all of these tasks will be possible for all business continuity managers, but we must strive to find outlets for our skills within our organisations, as well as being seen to add value. If business continuity can be seen as the ‘go-to’ people for managing an incident, response planning, risk identification, and preparation for any adverse events, then we are on the right path to making sure that our profession has a future and is seen as an essential part of any organisation.