Charlie shares his notion of 'Third Generation Business Continuity' and the reasons why you shouldn't employ a BC contractor to develop your business continuity.
This week I travelled to London to attend a meeting with a new client who we are conducting a gap analysis for, based on their present level of business continuity. They felt what they had in the way of business continuity was too complex; they didn’t really understand what they had and wanted to simplify their documents and procedures. All of the documents were dutifully updated once a year, but the more technical parts of the BIA had not been touched. The individual responsible for them didn’t really understand the content and was therefore nervous about updating them.
Looking through all the documents, and there were lots of them, the contractor who had developed them had done an excellent job. All parts of the lifecycle were there, there were checklists galore, detailed analysis in the BIA and a good robust framework for the on-going management of BC. The organisation was very committed to business continuity, so it was not their appetite for business continuity that was the problem; it was just that the BCMS was too complex.
The point of this article is not a criticism of contractors or to win the contractor vs. consultant argument, but it is that if you employ someone in-house for a year to develop your business continuity management system, you are going to receive complexity. It would be a very brave contractor who produces 20-30 pages of BC documents to hand over to the client after a year’s work. For both sides to feel they have given and received value, they want to see lots of ‘stuff’. However, lots of ‘stuff’ makes BC worse rather than better and in the end less likely to be updated, understood and therefore to work on the day.
In the same way that David Lindstedt and Mark Armour have their adaptive business continuity manifesto (see my bulletin 'Adaptive Business Continuity: A New Approach' by David Lindstedt and Mark Armour), I have been thinking about developing my business continuity views into a similar ‘manifesto’. My thoughts on ‘Third Generation Business Continuity’ are still developing, so over the next few months I would like to share them with you and perhaps if you have time you can give your own comments.
The main point I would like ‘Third Generation Business Continuity’ to address is the problem of complexity in business continuity. Organisations are constantly trying to do more with less, trying to move forward faster, as well as trying to carry out a whole load of obligation, covering everything from modern slavery to staff well-being, health and safety to cyber awareness. It is recognised that all these things need to be done, but they have to be carried out in the most efficient way, whilst also providing the outputs or benefits they were implemented to deliver. Organisations want simplicity, but they also need an incentive to actually work.
What I want to look at is how to provide business continuity in an uncomplicated way that is still effective and usable. There is no point in producing an exceptionally detailed plan full of checklists and hints and tips for your client, if it is never used, even in exercises. In the same way, there is no point in carrying out lots of BIA analysis if nobody understands it and it doesn’t add value to the response.
On the other hand, I think business continuity produced under the ‘Third Generation Business Continuity’ banner must pass PWC’s test (and there are other auditors!!). If an auditor comes in and audits the business continuity produced under the banner, it must be able to pass a business continuity audit. PWC will audit you against the GPG and ISO 22301 and so ‘Third Generation Business Continuity’ must meet those requirements. I wouldn’t like my client to fail an audit because I had developed my own methodology, which was not compliant with those standards. The methodology may be better, but you will end up with a long technical argument with the auditor and the client wondering if it was such a good idea for you to implement your new methodology in their organisation.
So over the next few months I will be developing my ideas. If any of you out there in business continuity land have any good ideas or hints and tips for simplicity or would like to debate or join the thoughts on ‘Third Generation Business Continuity’ (could be called something else) please get in contact with me!