
The Business Continuity Manager 2017

Author: Charlie Maclean-Bristol

This week we thought we would publish a paper that Charlie wrote in 2013, about Business Continuity managers in 2017.

As the business continuity landscape changes over time, the business continuity manager will also have to change. This article looks at the typical tasks of the business continuity manager today and contrasts them with the tasks of the business continuity manager in 2017. It also outlines the skills the business continuity manager will have to acquire in order to thrive in the new environment. The article applies equally to the business continuity consultant selling skills to organisations and to the in-house employed business continuity manager.

Because all organisations, parts of the world and groups of organisations move at a different pace, this paper will generalise regarding the state of business continuity today. Some organisations will already be carrying out the business continuity I predict in 2017, while others may not have started developing their business continuity by then!

1. The Business Continuity Manager Today

  • The business continuity manager today is a ‘doer’ and sits within his/her organisation developing business continuity. Internal business continuity activity is strongly dependent on the activities of the business continuity manager.
  • Immature organisations. The business continuity manager operates within an immature business continuity organisation, which is still developing its business continuity capability and has not yet developed a high level of business continuity maturity.
  • Develop BIA. The business continuity manager will have developed the BIA process and documentation. He/she will be teaching the organization how to fill in documentation or may be filling it in themselves after conducting BIA workshops or a series of interviews. Strategies may be untested and uncoordinated, and the organisation may not know whether they will work, as they have not all been tested or exercised.
  • Develop plans. Plans may be in place or the business continuity manager will be teaching those within the organisation how to fill in plan templates. 
  • Large complex exercises. The business continuity manager may be the only person within the organisation who can plan, run and report on an exercise. As his/her time is limited, he/she will have to run large exercises, trying to exercise as many parts of the organisation as possible within the same exercise. The exercise will be complex, as only a very limited number of exercises are run each year, so the business continuity manager feels it must be complex in order to achieve maximum value for the organisation.
  • Business continuity life cycle. The organization may have only gone through the business continuity life cycle once or twice, or different parts of the organization are at different levels of business continuity maturity. Embedding has not really taken place and the governance and management of business continuity is loose, being either not well defined or not carried out in line with policy.
  • Expert. The business continuity manager is seen as the expert within the organisation and little activity happens without him/her initiating it. Business continuity coordinators (managers within the organization who have the lead for business continuity within their own part of the organization) may be identified but they have a low level of business continuity skills and therefore need support. In larger organisations there may be a number of business continuity professionals employed to support and develop business continuity within different parts of the organisation.
  • Training and embedding. The business continuity manager, as part of his/her role, will train business continuity coordinators, those who have a role in incident teams and new starters. He/she will be leading a ‘one (or several) person crusade’ to ensure that all relevant people are trained and that business continuity is embedded within the organisation.

As a business continuity doer the role is one of development and trying to ensure that the existing business continuity is in place and is kept up to date, at the same time developing business continuity in other parts of the organisation.

2. The Business Continuity Manager in 2017

The business continuity manager will change over time from being a doer into becoming a facilitator as business continuity becomes embedded within the organisation and becomes just a part of how it does business. As line managers become much more exposed to business continuity they will develop the skills to manage the business continuity within their own part of the organisation without the support or help from the business continuity manager. This, I believe, will lead to a reduction in the number of business continuity professionals who will be employed full time within the organisation, and will lead to a change in their role.

  • Advisor. As the levels of business continuity skills within the organisation increase the business continuity manager will move from being the expert to providing advice. This will mean that having an understanding of the business continuity life cycle and process will not be enough. Innovation, adding value, providing a strategic overview, implementing new techniques and the latest thinking will be essential responsibilities for the role of the business continuity manager, and he/she will have to work harder in order to remain relevant to the needs of the organisation rather than being an expensive overhead. Alongside involvement in business continuity, the business continuity manager will be involved as a resilience advisor in business decisions beyond the remit of business continuity. This could include being consulted on disaster recovery, mergers and acquisitions, business resilience, risk management and identification of up and coming threats.
  • Audit plans and BIA. The organisation will be able to update their own BIAs and plans without the intervention of the business continuity manager, and they will have been doing so for a number of years. The only role of the business continuity manager will be to occasionally update the BIA methodology or plan templates in order to meet the latest business continuity thinking. Business continuity managers will be involved in auditing the plan and the BIA. This will be important to ensure that plans are ready for use and are up to date regarding changes within the organisation. They will also provide audits to ensure that all parts of the organisation are covered by business continuity plans.
  • Continuous improvement. Once the organisation has completed the business continuity life cycle a number of times and all the component parts of the life cycle are in place, it will be the role of the business continuity manager to promote and monitor continuous improvement. This will involve the setting of business continuity objectives, ensuring that a business continuity learning culture is promoted throughout the organisation, which may involve the use of a ‘maturity model’. This can help the organisation to set goals and to then measure improvement. Compliance or certification to one of the business continuity standards may also help promote business continuity improvement.
  • Evaluation of exercises. With the increase in embedded business continuity skills within the organisation, exercises will be run internally with staff exercising their own plans without the help of the business continuity manager. The manager’s role can then change to helping and advising those running exercises in order to obtain best value and maximum benefit from the exercises. This could include developing ways of cross organisation evaluation of exercises so that performance can be compared across the organisation or devising inventive ways of running exercises.
  • Policy and compliance. The business continuity policy will be key to defining governance, responsibilities and the standards which the organisation must meet. The business continuity manager’s role will involve keeping the policy up to date and auditing compliance with the policy. This will be one of the most important parts of the business continuity manager’s role in order to ensure that the organisation is compliant with its business continuity obligations and is reporting to senior management on the level of compliance. 
  • Lifecycle +. Once the organisation has completed the business continuity life cycle a number of times, they will begin to ‘get bored’ and will be looking for the business continuity manager to introduce new ways of thinking and new ways of carrying out routine activities such as exercising. The business continuity manager will also have to think beyond the activities contained within the business continuity life cycle. He/she will seek to take the skills of those who will respond to incidents to a higher level. This could include, for example, specialist areas of training such as ‘logging and defensible decision making’, training teams in advanced incident management skills and new ways of managing information through the use of commonly recognised information pictures (CRIPs).
  • External training and embedding. Training of new business continuity coordinators, general business continuity awareness training for all staff and induction training may be carried out by others rather than the business continuity manager. Training or human resources departments may have the responsibility for carrying this out or it may be carried out internally by each part of the organisation.

As can be seen from the above, the role of the business continuity manager is going to change over the next few years. Basic business continuity skills and understanding will be needed, but this will not be enough, as business continuity knowledge, techniques and understanding spread throughout organisations. The business continuity manager and consultant will have to raise their skill level in order to thrive in this changing situation.

3. New skills required

All business continuity managers will be required to have the basic skills in order to understand and implement all elements of the business continuity life cycle, but they will also have to learn a number of new skills in order to adapt to the changing world.

  • Audit and compliance. A key role will be the ability to audit business continuity against external standards such as ISO22301 or against the organisation’s internal standards. 
  • Continuous improvement and use of maturity models. Organisations will be looking to ensure that there is continuous improvement in their business continuity provision and will look to the business continuity manager to be able to put mechanisms in place to demonstrate this. Both consultants and internal business continuity managers should have methodologies in place for measuring the level of business continuity within an organisation. This has to be more sophisticated and must contain a quality evaluation rather than just checking that all the component parts of the business continuity life cycle are in place. 
  • New ways of doing the same thing. Once an organisation has carried out a number of desktop exercises and has tried all the likely scenarios, they will be looking for the business continuity manager to bring in new ideas and different ways of carrying out routine tasks such as exercises. Techniques such as Speed Exercising™, using different criteria of evaluating exercises and looking at incident team dynamics, will add to the skill level and will ensure that the business continuity manager can add value and bring interest to routine tasks.
  • Improvement of business continuity management systems. Developing the policy, governance, roles and responsibilities and the way business continuity is managed will be a key role for the business continuity manager. This may include incremental updating of the policy document and ways of working to make the ongoing management of business continuity more efficient. The management of business continuity will face the same scrutiny as the management of all other processes within the organisation and will need to be able to demonstrate value and efficiency.
  • Delegation. Where there are routine tasks such as ongoing training of new business continuity coordinators, embedding training or induction training, this should be delegated to the relevant departments within the organisation, freeing up the business continuity manager’s time.
  • New skills. The skills involved in developing the component parts of the business continuity life cycle will not be enough in future. Business continuity managers may find that if they do not have new skills they will not be employed within mature organisations, as they have little ‘added value’. Once there is a BIA process in place and it is being regularly updated the business continuity manager needs to offer more. Incident management techniques, evaluation of business continuity activities, supply chain risk management, being up to date with the latest techniques, and knowledge of implementing standards will all ensure that the business continuity manager has the desired skills to be employed in business continuity mature organisations. 

There will always be a role for those with the skills for implementing the business continuity life cycle but, as more organisations develop mature business continuity, this role will lessen, and it is likely that consultancy rates and salaries for these skills will reduce. In future, organisations who are seeking to develop their business continuity may already employ personnel whose business continuity skills were gained in other organisations and so they may decide to ‘do it themselves’ without the help of a business continuity professional. As business continuity matures within organisations there will also be more scope for good managers who are not business continuity professionals to manage the business continuity function, because the skills are embedded within the organisation and so there is no need for in-depth knowledge of business continuity skills.

Managers and consultants need to see this change coming and need to adapt their consulting offerings or their personal skill sets in order to take advantage of the coming changes within the industry.

4. Conclusion

In five years’ time the business continuity landscape will not have completely altered, but there will be a change from the main task of business continuity managers developing business continuity within their organisation to managing business continuity within a mature organisation. In mature organisations the business continuity manager will have to bring new skills so that they can add value and do not lose the role to those who are not business continuity professionals. Consultancy companies will have to change, as many of them offer little beyond developing elements of, or the full, business continuity life cycle for their clients. This change will be gradual, but unless those within the profession learn new skills and embrace the change, they will be in danger of finding themselves ‘obsolete’.

My ten predictions for the business continuity manager in 2017 are:

  1. Reduction in the number of business continuity professionals in organisations.
  2. Move from a ‘doer’ to a facilitator.
  3. Business continuity skills will be embedded within organisations. 
  4. Audit and compliance will be a key part of the role.
  5. Need to measure the quality of the business continuity in place.
  6. Need to demonstrate business continuity improvement and be able to use maturity models.
  7. Need for knowledge beyond the business continuity life cycle.
  8. Be innovative, knowledgeable and technically up to date.
  9. Need to provide advice in areas such as disaster recovery, mergers and acquisitions, business resilience, risk management and identification of up and coming threats.
  10. Be seen to add value. 

This article is based upon a webinar given by Charlie Maclean-Bristol as part of Business Continuity Awareness Week 2013.
