Business Continuity: Chaos and Quantum assisted solutions
Business Continuity is about keeping things going. It is also about disarming, or at least reducing, the hiccups, pitfalls and disasters that form interrupts and make things stop.
In this context, “Business” can be taken to mean any administrative process that depends on something outside itself. Running a Bank, a Hospital Trust, an Army or a Transport System is Business. Being a Poet probably isn’t.
To be clear, there are two types of “Business”: those that exist to carry out a function, such as those above, and those that exist solely to limit the loss to, or to resurrect, a failed or failing function. A Fire Brigade is an example of this other type. Nobody is going to contact them to say there is not a fire. Disaster Recovery Plan execution is another example. A unique characteristic of this other type is its exclusivity. Nobody is going to try and run a Business while its building is on fire.
This paper is about how some current thinking casts light on potential solutions for challenges within Business Continuity. The challenges are the essential randomness of process interrupts and the need to see the impact of those interrupts from alternate perspectives. The thinking concerned is based on Chaos Theory and Quantum Theory.
The Author makes no claim to understand in any depth either Theory. The Author walks past a bakery and thinks “mmm I really fancy that cake in the window”. That does not mean the Author can relate to the whole bakery stock or even knows how to bake that particular cake. The Author just cherry picks it because something about it rings a bell. In that example it is probably the greed bell.
So what is it about those Theories that is so yummy from a Business Continuity viewpoint? Simply this.
With Chaos, the Theory shows how a seemingly insignificant incident can appear to trigger a chain reaction that results in a massive event. Related to Business Continuity, here are some incidents that could trigger a reaction chain. Remember the “For the want of a Nail” lyric? Same idea, although in this case the event chain might be triggered by the lack of a specific small thing or by its presence. Here are three cases in point.
1. A single fire door has been blocked shut. In a fire the small disruption to the evacuation flow eventually backs up that flow into a people jam causing widespread panic.
2. A home worker working on their own laptop clicks on an innocent-looking link that seems related to their field. The downloaded document is indeed relevant to their work, so the home worker uses their approved access to the Company site to upload the file for review by their colleagues. In fact the file also contains a hidden and new IT virus that replicates and causes huge damage to the Company IT service.
3. The employee of a Firm wakes up one day feeling ill, but it is a very busy time at work so they go into the office regardless. Two days later the employee is so ill they cannot continue. Ten days later many of their colleagues are in the same state.
So, for Business Continuity, this is how that might work.
Business Continuity operates in two linked modes, Reactive and Proactive. In Reactive Mode an unexpected event disrupts service and Business Continuity reacts using pre-prepared logic, such as a Disaster Recovery Plan. In Proactive Mode likely disruptive events and their resolutions are jointly developed by all parties (business, technical, 3rd party, audit) in advance of any event, and consequent plans drawn up and tested, to affirm and maintain their usefulness. The testing of a Disaster Recovery Plan is an example of the link between the two modes. Here are those cases from a Business Continuity viewpoint.
Case 1: The blocked fire door
· Reactive:
o Release the door if it is safe to do so
o Afterwards check evacuation routes
· Proactive:
o Regular inspection and test of evacuation routes
o Regular fire safety review by accredited Officer
o All areas to have alternative evacuation routes
o All staff to have regular fire awareness training
Case 2: The logical Virus
· Reactive:
o On detection isolate and close down all IT Operations
o Execute best available cyber detection / kill measures
o Recover back to latest clean state
o Forward recover
· Proactive:
o Regular review of security policy and staff adherence
o Rehearse cyber attack and countermeasures
o Ensure security plans current and distributed
o Try to maintain a low and uncontroversial profile
Case 3: The physical Virus
· Reactive:
o Isolate and lock down all staff
o Seek and follow medical advice on lockdown duration
· Proactive:
o Match skills inventory to minimum staffing need
o Include 3rd party and customer interfaces in Match
o Practise lockdown and working at home capabilities
o Prepare for stress and grief counselling and support
o Include in Disaster Recovery planning and test
Now there is no need to sit in a heap and try to figure out all the possible small events that could somehow have big consequences. Business Continuity Risk Assessment will highlight all the assets that make up the business and the ways they need to interact in the operation of that Business. Later the Business Impact Analysis element of Business Continuity will show which assets need to be recovered and in what sequence (interaction recovery), and the Disaster Recovery Plan will show how to do all that. So, think big and top down about each asset. How should it be protected and does current protection meet that specification? Have a care here, this is not a blame game. If you go in heavy you will alienate the very people who could make the protection better. And if there is no Risk Assessment statement at all, then guess where you are going to start!
With Quantum, the Theory shows, amongst various other weird things, how just about anything can simultaneously be in more than one state. It seems that a cat in a box can be both alive and dead. Really? Yes, just look it up. If you are any the wiser after that you are already miles ahead of me. Nevertheless, the concept of simultaneously differing perceptions of the same event, to which the Theory is obliquely related, is a useful guide within Business Continuity Management.
So, for Business Continuity, this is how that might work.
The Event : An office burns down.
· View 1:
o Walking along a street Person 1 notices that an office is on fire. They think that, as a passer-by, the fire is nothing to do with them and in any case no doubt the event is being dealt with. They walk on unconcerned.
· View 2:
o Person 2 notices the same thing but regards themselves as being involved. They call the Fire Brigade and wait till they arrive.
· View 3:
o The Brigade manage to determine that no one is at risk and contain the fire stopping it spreading. Their view is of a normal job well done. They also contact the key holder.
· View 4:
o The key holder, who is also the business owner, arrives and views the smoking rubble. They see this as a disaster.
This translates simultaneously as (1) No Cause For Concern, (2) A Need For Urgent Action, (3) Business As Usual and (4) Catastrophe. But there is only one fire. Like there was only one cat.
That means multiple implications of single events. In Business Continuity terms the event triggers (1) risk assessment, (2) escalation management, (3) 3rd party controlled recovery, and (4) business impact analysis and disaster recovery.
What do you think?
Roger Jarvis MBCI
London May 2020