In his last bulletin of 2020, Charlie discusses how COVID-19 has impacted the future of business continuity.
This is my last bulletin of the year, so I thought I would share some ideas with you about a subject I have been thinking about a lot. In line with last week’s bulletin, ‘Is the response to COVID-19 a business continuity issue’, I have stopped thinking about our response to the existing pandemic and have moved my thoughts to the impact of COVID-19 on the future of business continuity. These are very much thoughts in motion, rather than the finished article, so please treat them as such.
As part of the Glasgow Caledonian University MSc module that I teach, there is a short section on the history of business continuity. I think business continuity’s history starts with the need for IT disaster recovery and then expands to look more holistically at businesses and at mitigating the impact of losing other elements within the organisation, the foremost one being the loss of a building. The IRA bombings in the City of London in the 1990s accelerated the importance of recovery after your building has been destroyed. They also spawned the work area recovery business. Up until 2020, this was always the most tangible threat we were planning for and the one we put the most effort into preparing for. The BCI taught us to prepare for PPRS (people, premises, resources and suppliers). Many of the risks associated with PPRS were identified, but there was a limited amount of contingency planning we could do for recovery. In our loss of people plan we had a list of recruitment agencies. For loss of IT there were manual workarounds in some instances, but on the whole most processes can't take place without IT, and we were not really sure what a loss of supplier plan looked like, except to find another supplier.
The loss of building was something we could really get our teeth into. The BIA told us which activities needed to be recovered by when and in which order; it gave us a nice list of how many seats per department were needed over a number of different time frames and a prioritised list of IT systems to be available at our recovery location. The BIA had to be done properly, as this was important information for our recovery, and if we used work area recovery services we needed to get the right number of seats: enough to continue our business but not too many, as they cost £200-£500 per seat per year. The BIA was extremely important in planning the recovery.
The pandemic has completely blown a hole in planning for loss of building. Almost every organisation has a work from home capability and the organisation is a lot more resilient, as fewer people will be working in corporate buildings on a day-to-day basis and more from home. Yes, there may be an issue if the office is evacuated and everyone leaves their laptops on their desks, but the pandemic has shown that if you need equipment, then with enough will, effort and money replacements can be found at short notice. Therefore, much of the carefully collected BIA information is superfluous and no longer needed.
A lot has been written on the death of the BIA, but it has always proved premature until now. I have always said that the essence of business continuity is about prioritisation and looking at which of your organisation’s activities need to be brought back first and which can be parked for a while. I am doing a COVID-19 debrief for a large multinational organisation and I was discussing the BIA with their Business Continuity Manager, so I asked about prioritisation in the early response to the pandemic. He said that there was no prioritisation at the beginning of the pandemic and with the use of BIA information they wanted everything back immediately. In this new business continuity world, will it be acceptable for HR to sit at home and not work for a month if they have the longest RTO?
While I am talking about the BIA, let's go ‘all in’ on its purpose, or perhaps lack of it. With the loss of building now a greatly diminished risk, it would be interesting to do a survey on where the BIA actually adds value. I suspect that a considerable amount of the information within it is not used and just sits there waiting to be updated each year. I was speaking to Ritchie McGlave of C2, the business continuity software provider, about this the other day, and we were discussing that there are two types of business continuity software users. One type embraces the functionality of the software, spends an immense amount of time getting all the relevant information into it, and keeps it up to date so they can use it dynamically on the day of an incident to understand its impact. The other type of user, definitely the majority of users, puts information into the system, but it is of limited quality and not always up to date, and then doesn’t go near it during an incident.
For example, a key part of a BIA is understanding which IT systems underpin which activities. This is normally done as part of a workshop or an interview. The person reels off the top of their head which systems they use on a day-to-day basis and, tick, this bit of the BIA is done. This is probably enough for a small, uncomplicated organisation, but for a large, complex organisation, if the information is inaccurate it would require a 6-month project to capture correctly all the systems and which activities they underpin. In the same way, information captured during business continuity analysis activities is very often superficial. Kim (wife and BC practitioner) and I found ourselves wandering around a very large multi-floor data centre in Germany. We had 2 hours to do the threat and risk assessment part of their BIA. The bank that was going to take one of the floors for its own data centre had, as part of its due diligence, 2 HVAC engineers risk assessing the data centre's cooling. How could we do anything worthwhile in 2 hours?
I don’t think that the whole of the analysis phase of the business continuity lifecycle is a waste of time. The risk assessment is vital in identifying threats and risks which need mitigating, a contingency plan for dealing with them, or both. I think when looking at risks we have to think outside the business continuity silo of PPRS. One of the biggest threats to organisations at present is cyber, but business continuity has a slightly uneasy relationship with information security: we all know it is a threat, but we are unsure whether it is our job to do something about it, and we haven’t been given the tools to address it. Then there is the whole reputation and crisis management world, which again we sit on the edge of; we follow the business continuity syllabus and teaching but haven’t got the tools and knowledge to deal with it.
Writing plans and running exercises are, I think, as important as ever. In our COVID-19 debriefing interviews, although nobody had plans in place for this exact scenario, they found that the exercises they had conducted and the plans they had helped the response by giving them a framework in which to manage their response to the pandemic, and that the incident management skills learned through exercises helped too.
I have long championed business continuity in the face of resilience, mainly because you know where you are with business continuity and there are tried and tested processes for carrying it out. Resilience was a nebulous concept which everybody talked about; nobody would deny it was a good thing to do, but nobody could agree what it was and there was no agreed framework for implementing it. I put out a challenge to the BCI: with the next iteration of the Good Practice Guidelines, embrace resilience, recognise that COVID-19 has hugely changed the landscape, and codify and produce a working model for its implementation.