Guest Post by Geary Sikich (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
If you want senior management to pay attention, give them something that challenges their focus – and understand that their focus is not on how many computers you have or RTO, RPO stats. It is on business survivability – will we be in business tomorrow given the issues that we face today?
What is more important to your organization’s continuity of operations – how many computers you have or where your competition will be coming from in the next five years?
Can you identify the risks, threats and vulnerabilities that affect your organization’s continuity? Or, are you just deluding yourself into a series of ill-fated false assumptions that leave your organization with meaningless plans, misguided efforts and lack of buy-in for the value of continuity planning?
Paradigm Shift
It is time for a paradigm shift in business continuity thinking, in the manner that business continuity planning is taught in schools and in the value we think that we bring to the table. The reality is that, in spite of your best efforts, based on today’s planning paradigms, you will always be a step behind and viewed as an adjunct to the business rather than an asset to the business. Sounds harsh? Take a look at reality. Organizations have survived hurricanes, tornadoes, manmade catastrophes, technology threats and a whole host of “hot button” issues over the course of time. The reality: businesses do not necessarily survive competitive forces in the markets that they serve. They do not necessarily survive changes in consumption, trends in the marketplace or resource constraints.
Retrenchment
Let’s start with the Business Impact Analysis (BIA). First, one has to recognize that the BIA is merely a slice in time; a snapshot of what is considered a business impact. And, let’s face it; it is an out of focus, blurry and off target snapshot. Second, if the BIA takes months to complete, in some cases years, what value does it have? It tells you what was, not what is or what can be. And, “worst case” scenario? This is always interesting: “worst case” scenarios are almost always based on assumptions that range from the sublime to borderline incredulous. It is almost like watching one of the History Channel Armageddon programs. Yes, an asteroid could hit the earth (history proves that) and destroy all life; the ice caps could melt (it would have to get quite warm to get them to completely melt), causing flooding; and a plague could devastate humanity, etc. But, if you rethink “worst case” in a sensible way, you can see that there are far fewer and less farfetched scenarios that will cause significant damage sufficient to put the survivability of the organization into question.
Now let us turn to planning. I wrote an article entitled “Is Your Organization’s Planning Brittle”. In the article I posited five questions that indicate brittleness in planning:
- Do the organization’s plans stand in silos of excellence?
- Are activation and implementation of plans independent and uncoordinated?
- Does the organization face critical junctures of survival every time an event or certain shocks affect it?
- Does analysis of “worst case” scenarios underlie the basis for planning?
- Do the plans reflect the strategy, goals and objectives of the organization?
Below I summarize the points made in the article:
- “Do the organization’s plans stand in silos of excellence?” begets the aspects of accountability, threat identification, business impact analysis and much more. Isolated plans that are not linked to a single accountable entity will result in fragmented response, confusion and missed opportunities.
- “Are activation and implementation of plans independent and uncoordinated?” The effects of nonlinearity come into play as the unintended consequences resulting from fragmented implementation can further exacerbate the impact of an event.
- “Does the organization face critical junctures of survival every time an event or certain shocks affect it?” This is in part due to transparent vulnerabilities, unseen and unforeseen risks. The enterprise may not have the capacity to withstand the extra stresses of an event.
- “Does analysis of “worst case” scenarios underlie the basis for planning?” Business impact analysis, SWOT analysis, risk matrices, risk heat maps, etc. all fall into the trap of historical analysis. The occurrence of extreme events cannot be predicted from a review of past history. Selection bias comes into play when we develop worst case scenario based plans.
- “Do the plans reflect the strategy, goals and objectives of the organization?” Most planners most often fail to consider the goals and objectives of the organization. Errors and the subsequent consequences are almost always fatal for the planners, plans and in many instances, the organization.
Planning does not go far enough either – we rarely make a credible attempt to plan the post-incident period in any significant detail. So, re-entry, recovery, restoration and resumption of operations are step-children that are skimmed over in the planning process.
Exercising plans is the next area we should be concerned over. Most plans are exercised in the void of the internal world. That is, we rarely take into consideration what the reaction to an event will be by other organizations that respond to, or are impacted by the event. And, we come up with some exercise protocols that are, at best entertaining, at worst, gloss over significant failure points and irregularities that may surface.
If you are going to exercise – know and understand the organization’s goals and objectives. Then develop scenarios that evaluate the ability to meet those goals and objectives under situations of duress and disruption. Take a lesson from business war gaming and develop scenarios that incorporate business/operational issues – new product offerings, where will our competition come from in the next five years and how will this shape our business continuity needs. Move away from problem – solution linear thinking and begin to seek to understand complexity, opacity and non-readily linked issues – i.e., sovereign debt. Also, you want to look for failure points, issues and assumptions regarding availability of infrastructure that you have no control over – i.e., electrical grid, telecoms, etc.
Most exercises reflect a “happy face smile”. We start with something bad happening, activate the organization, and are deluged with exercise messages that require response, consisting of everything from demonstrating proficiency (rolling out the fire hose) to mock press briefings with amateur reporters who have no experience in asking the kinds of questions posited by the actual press (although the actual media can be pretty lame in their questions too). We get stuck in linearity – problem/solution episodic exercises that fail to raise the significant issues, questions and analysis required to determine the survivability of the organization. When was the last time you posited an exercise question like this:
“Who will be our competition within the next five years as the result of (this event, this new market we have created, etc.)”.
Exercises are a form of entertainment; the result: our exercises fail to touch on the real issues that have significant impact to the organization, its products/services. Exercises also create false positives with regard to capabilities and capacities.
Lastly, the area of maintenance needs to be revamped and rethought. Annual maintenance and review is simply ludicrous as a concept and practice. Change occurs throughout the cycle and therefore maintenance programs should be in constant motion, tweaking information, instead of collecting information for the annual review. Intelligence services are constantly collecting and analyzing information in order to turn it into a viable “decisionable” product. In order for business continuity to provide value it must stay abreast of the organization’s scope of operations.
Conclusion
I am sure that many will think my remarks blasphemous, scathing and unjust. However, just do some research into the popular literature of the past decade and you will see that certain constant questions and statements arise over and over. “How can we get senior management buy-in?” “XX% of companies that failed did not have a business continuity plan.” “We have a comprehensive planning process.” “I can’t get management to listen to me.” I am sure that you can think of many more. The reality is that we need to embrace a new paradigm. A paradigm that is broader in its focus, deeper and more constant in its analysis and more vibrant in the resultant plans, etc.; what Nassim Taleb refers to as “Antifragile”.
About the Author
Geary Sikich – Entrepreneur, consultant, author and business lecturer
Contact Information:
E-mail: G.Sikich@att.net or gsikich@logicalmanagement.com.
Telephone: 1-219-922-7718.
Geary Sikich is a seasoned risk management professional who advises private and public sector executives to develop risk buffering strategies to protect their asset base. With a M.Ed. in Counseling and Guidance, Geary’s focus is human capital: what people think, who they are, what they need and how they communicate. With over 25 years in management consulting as a trusted advisor, crisis manager, senior executive and educator, Geary brings unprecedented value to clients worldwide.
Geary is well-versed in contingency planning, risk management, human resource development, “war gaming,” as well as competitive intelligence, issues analysis, global strategy and identification of transparent vulnerabilities. Geary began his career as an officer in the U.S. Army after completing his BS in Criminology. As a thought leader, Geary leverages his skills in client attraction and the tools of LinkedIn, social media and publishing to help executives in decision analysis, strategy development and risk buffering.
Geary has a passion for helping executives, risk managers, and contingency planning professionals leverage their brand and leadership skills by enhancing decision making skills, changing behaviors, communication styles and risk management efforts. A well-known author, his books and articles are readily available on Amazon, Barnes & Noble and the Internet.