An Honest Look at Business Continuity Methodology
Mark Armour, cABCF
Changing how resilience, business continuity and organizational preparedness are practiced and perceived
Today we look at what I call traditional business continuity methodology. The evidence that exists to support it, its history and, maybe, a glimpse into our own perspective. Hang on to your hats, boys and girls. It might get bumpy.
Business continuity practitioners the world over follow a common methodology. This methodology is also known as the business continuity lifecycle and it is detailed in a number of standards and regulations, most notably, ISO 22301, the BCI’s Good Practice Guidelines and DRII’s Professional Practices. While these practices have been around for approximately 30 years[1] they weren’t formally bundled into the common standards we are familiar with until about 20 years ago[2]. In that time, no evidence has emerged to support the idea that commonly accepted business continuity practices result in better outcomes for the organizations which adopt them. Evidence does exist which suggests these practices make no difference at all:
“We would intuitively expect that good preparedness planning helps businesses to recover more rapidly and completely, but DRC’s [Disaster Research Center’s] research suggests that this is not the case. Extensive analyses of the data from Northridge, Loma Prieta and Hurricane Andrew show no relationship at all between preparedness measures and recovery outcomes.” [3]
“Previous disaster experience, level of disaster preparedness, and use of external sources of aid were not found to significantly affect the long-term economic viability of businesses in the two study communities.”[4]
The History (highly abridged version):
The Systems / Software Development Lifecycle (SDLC) begat Disaster Recovery methodology[5] which begat Business Continuity methodology[6]. This lineage is still apparent when comparing these lifecycles side-by-side today.
This is a fundamental problem for several reasons:
Perhaps even more concerning is the fact that even software and systems development methods have moved on and are predominantly performed following Agile principles now[7]. By contrast, business continuity methodology has remained stagnant with only tweaks and minor modifications to its defined processes[8].
What Next?
We should be very curious about this. We may be very confident in the value we are delivering through the methods we follow. We may even see the evidence in the benefits we deliver to our organizations and communities. But we should want to see objective evidence, nonetheless. Demonstrating the unequivocal benefits of our work would go a long way to making our jobs just a little bit easier. Not just for us directly but the entire discipline, to say nothing of making things significantly easier for new entrants to the field or for those tasked with building programs from the ground up.
We should be curious because, despite the confidence we have, the possibility may exist that we could be doing things better. We are all proponents of continuous improvement. In that spirit, measuring our work based on outcomes will not only demonstrate the value we deliver but also inform us of those things we can improve upon. Again, this promises to make our lives easier by identifying those tasks we should eliminate, add and reprioritize so we can deliver value more quickly and with less effort.
Our profession’s standards - and the methodology defined by those standards - make logical sense. When one sees what is accomplished at the end of the planning lifecycle, one cannot help but think it is the correct path to achieving the mission. When we look back at the effort we’ve put in over months and years, how it has benefited the teams and individuals we support, it stands to reason that there is little question that our methods are sound. Beyond reproach, even. But we should keep an open mind.
What if our confidence is based on our familiarity with the current path and the fact that we share it with so many others? What if there is another road to our destination that is much easier to walk and gets us there quicker? What if we cannot see this other path only because the one we’re on is so well worn and known to us, that we missed evidence of it? Perhaps we’ve seen faint markers indicating the existence of another route but we’ve chosen to ignore those indicators because going a different way might mean taking a risk by getting out of our comfort zone.
We owe it to ourselves and to others to take that risk. There may be a whole world of possibilities.
Do It
Take the red pill.
[1] https://drii.org/public/images/timeline-new.jpg shows the precursor to DRII’s Professional Practices, the Common Body of Knowledge, was first published in 1993. In 1994, the BCI “defined a set of practices” (Good Practice Guidelines, 2018 Edition) and the U.S. Financial Authority, the FFIEC, first issued its Corporate Contingency Planning Handbook in 1996 (https://www.ffiec.gov/handbook.htm)
[2] 2018 Edition states that the first publication of the BCI’s Good Practice Guidelines was issued in 2001. DRII’s Professional Practices were first published in 2003 (https://drii.org/public/images/timeline-new.jpg)
[3] Businesses and Disasters: Empirical Patterns and Unanswered Questions, Gary R. Webb, Kathleen J. Tierney, James M. Dahlhamer; University of Delaware Disaster Research Center, 1999 (https://bit.ly/2A5KXB9)
[4] Predicting long-term business recovery from disaster: a comparison of Loma Prieta earthquake and Hurricane Andrew, Gary R. Webb, Kathleen J. Tierney, James M. Dahlhamer; University of Delaware Disaster Research Center, Jan 2002 (https://www.tandfonline.com/doi/abs/10.3763/ehaz.2002.0405?src=recsys)
[5] Mainframe Disaster Recovery Planning, Jon William Toigo https://bit.ly/2A5IVkv
[6] The evolution of business continuity management: a historical review of practices and drivers. Herbane, B. Business History, 52 (6), 2010
[7] “At least 71% of companies are now using Agile” https://www.zippia.com/advice/agile-statistics/
[8] ISO 22301 was updated in 2019, after 7 years, “A quick comparison of the 2012 and the 2019 version reveals that there have been no structural changes, so that the focus of the review was on improving the clarity and readability of the norm.” https://www.dhirubhai.net/pulse/brief-review-iso-223012019-carlos-santos-afbci/
Shorerep
2 个月???? Mark and if there was more complexity thinking applied we’d be getting somewhere, we need to stop linear solutions to complex problems
I reduce financial loss, increase value & improve efficiency through the remediation of risk in the IT environment. I achieve this through risk management & operational resilience & governance best practices.
5 个月Frameworks and standards are useful for providing a foundation and direction for programs. Ultimately though, it is imperative that the program deliver something that meets the needs of the specific organization. In order to accomplish that, a degree of flexibility or adaptability is necessary. To Bruce McIndoe's point, one approach my not be suitable for each part of an organization. The end result must be that the resiliency capabilities achieved must meet the requirements & objectives of the sponsoring organization.
Business Continuity and Organizational Resilience Leader
6 个月I should write a book. lol. Can’t give away my entire heterodoxy but I’ll start with a premise we should ALL be able to agree on. We should be results oriented. Period. Whatever methodology gets the best result is the “right” one. Work backwards from the result you want and determine the best way to achieve it. That’s why I preach getting peripheral training in things like PMP, Lean, Agile etc. because I tell people I have a virtual Batman utility belt full of skills to fix people, process, or product. Chapter One: Work backwards from your desired result.
Director at Continuity Shop Hon FBCI
6 个月Mark just a small point the current BCI Good Practice Guidelines Version 7 issued last November, does not contain a BCI Business Continuity Lifecycle but utilises the Business Continuity Management System (BCMS) aligned to ISO22301 2019. I am not seeking to disagree here but to clarify the facts. The current guidance also supports that there is not a specific cyclic order, but states that the BCMS is undertaken in a way that is bespoke to each organisation. It also states that overall delivery of the BCMS may be delivered in any appropriate order. It does however emphasise the need for a system of management. Given this extra knowledge, does that have an influence on your article?
Operational Resilience at GoCardless.
6 个月Interesting article Mark. I have similar concerns that rigid adherence to a particular standard or lifecycle approach does not always build resilience and that a certain degree of flexibility is needed, but how do you suggest that organisations who work in heavily regulated sectors, whose regulation sets certain expectations that tend to align with these ‘best practices’, build resilience in the ways you advocate - whilst still remaining ‘compliant’? Also, can you point to the evidence that suggests that your methods in Adaptive BC, or other approachs, are more successful in building the resilience we are all striving for, and how you would measure that? This would be helpful in conversations with organisations who have tunnel vision and believe gaining certification or ticking boxes to comply are the only way to go.