For Business Continuity, Accept the Unexpected
It is one thing to expect the unexpected. It is quite another to accept the unexpected. Denial is a powerful thing, and even the best of us can be convinced that our plans are comprehensive and our preparedness complete.
The key ways to overcome this sort of complacency are to link crisis management and business continuity meaningfully, and to incorporate Adaptive Business Continuity principles that enable an organization to react quickly to the unexpected.
Consider that the past few years alone have seen increasingly active Atlantic hurricane seasons, major cyberattacks against global corporations, and secondary losses of key infrastructure following major disasters. Organizations in the public and private sectors are asking their teams to do more with less while also performing to higher standards. The need to recover quickly from losses is as important as ever, while in many cases the resources are thinner than they used to be. These realities require new and innovative approaches.
In addition, as our society grows increasingly interconnected, businesses, organizations, and governments will depend upon one another’s services to tighter and tighter tolerances. Utility and communications regulators, for example, are demanding that companies meet stricter reliability standards. This trend will continue for the foreseeable future.
Meanwhile, the costs and consequences of large-scale incidents will grow. Disaster events claimed more than 11,000 victims globally in 2018. The estimated losses from natural and manmade disasters in 2018 are estimated to be $155 billion, with global insured losses estimated to be around $79 billion, according to data from the Swiss Re Group.
These conditions paint a frightening picture, but therein lies the opportunity. A well-crafted business continuity program, clearly linked to crisis management activities, can be a source of value for an organization—not only in response to disaster, but on “blue sky days” too. The business continuity (BC) program and its practitioners can become meaningful business partners with the organization.
A Tall Order?
Great organizations confronted with crisis can choose to accept the unexpected, adopt a new normal, and bring out the best in themselves and their people. In doing so, they take a position of strength that recognizes crisis as a form of change and redefines it for a better future.
To do this, the organization needs to be poised in its response—not just when a crisis or business interruption occurs, but ahead of it. Done skillfully, a business continuity program can not only enable a better response, but also foster continuous improvement and identify areas of operational improvement along the way.
Security managers are in a key position to influence their organizations if they adopt practical notions in their BC approach. And, in some cases, it is the security manager who is tasked with creating a new BC program where none existed, or worse—with reviving one that has languished.
How does one proceed? By connecting BC to the delivery of continuous improvement and operational value and by linking crisis management and BC in a meaningful way.
To achieve the best outcome, business continuity depends on the planning and preparation effort that comes along with response and recovery. This is where the true blocking and tackling of BC work takes place.
Some industries and regulators are decidedly prescriptive about the required activities of BC programs under their purview. They mandate activities such as assessing risk, completing a business impact analysis, obtaining buy-in from senior leadership, training, validation, testing and exercising, documentation, and communication. This is especially true in the financial sector and in the healthcare industry.
Good Practice Guidelines from the Business Continuity Institute and the standard ISO 22301 are good starting points where such accredited certification is needed or preferred. However, such traditional practices are not the only route to a meaningful BC program.
Pitfalls of Tradition
In some cases, the activities and approaches traditionally associated with continuity planning can pose an obstacle to implementing a program. While these may have their appropriate place within many BC contexts, they can also present challenges.
This is especially true in cases where an organization may have greater latitude in designing a new program or revising an existing one, or in organizations with a culture that favors iterative, agile processes over linear, sequential ones. In these cases, it may be preferable to place the primary focus on quickly delivering value.
For example, a core concept of much BC planning activity is the focus on recovery time objectives (RTOs). The use of RTOs is intended to help quantify recovery needs, prioritize response activity, and drive planning activity.
However, employing time as a target, instead of simply a restriction, can be problematic. In practice, many times RTOs and recovery point objectives (RPOs) are subjective or even arbitrary. They are best applied where truly static, precise, and predetermined time restrictions exist, such as regulatory time limits, violations, or specific matters of health and safety. Otherwise, the effort undertaken to arrive at and assure an RTO may not return value. In other words, if it is clear that failing to meet a six-hour time frame for service restoration will result in a regulatory fine of a specific dollar amount, the decision making process becomes quite straightforward because investment in meeting the RTO can be clearly weighed against the risk of penalties.
Another cornerstone of the BC world is the business impact analysis (BIA). While the BIA can be an invaluable tool for the BC practitioner, it can also be a subject fraught with confusion.
In actuality, the proper sequence of service restoration will always depend on the exact nature of the post-disaster situation. As such, responses need to be flexible and adaptive. This is especially true in today’s environment where the cause of a service outage might not be immediately obvious—as in the case of a deliberate cyberattack.
As a consequence of all this activity, an overwhelming amount of documentation can be generated which needs to be guarded, maintained, and updated. But rarely is it used in actual response activities. In some cases, BC and response plans are so voluminous that they could not possibly serve a practical purpose in a real emergency. They become the proverbial shelfware.
Lastly, traditional methods emphasize obtaining exclusive senior-level executive support and doing so at the outset. While important, it can be more meaningful to engage at many levels in the organization.
The real danger here is slipping into a trap where the organization is carrying out extensive business continuity activity for business continuity’s sake, which only delivers value on an arbitrary or periodic basis and could create a false sense of preparedness in departments where little actually exists. The goal, instead, should be to explicitly link to the organization’s objectives and to deliver value incrementally and continuously.
A Practical Approach
Consider some of the following practical approaches in connecting BC to the delivery of continuous improvement and operational value. These are notions borrowed directly from the approach called Adaptive Business Continuity. Five of Adaptive BC’s core principles, outlined here, are essential for better partnership between crisis management and business continuity.
Exercise first. In the strictly sequential approach often favored by traditional BC practitioners, testing and exercising come during later stages of the cycle, after plans and assessments have been completed.
But discussion-based tabletop exercises are the single most powerful tool an organization can use to identify gaps in planning and address assumptions in both crisis management response and BC. Dollar-for-dollar, there is no better value. So why not start there? By walking through a scenario as a group, a team can quickly and easily spot gaps and identify solutions.
Such exercises can be lightweight and even informal. The key is to have a direct, focused approach driven by one or two clearly defined objectives.
For example, the objective of this exercise might be to assess the initial size up and response to an unplanned event; to evaluate the escalation protocol defined in the planning documents; or to review the organization’s ability to activate the crisis management plan.
By driving toward the objective, a planning team can steer away from overly complex exercise scenarios. Inevitably, the discussion will uncover lowhanging fruit of an operational nature; the exercise players will establish closer personal connections; and the collective team will identify gaps around the predetermined objectives.
Consequently, the results are both of immediate value and can be used to drive action planning over the medium and longer term. And, in doing so, the team has also established clear connections between BC and crisis management capabilities.
Simplify documentation. Elaborate crisis management and BC plans that are hundreds of pages long are a detriment in three critical ways. First, they require extensive—often labor intensive—maintenance and continuous updates. Second, they are not practical in an actual crisis. Lastly, these are not value-generating activities. BC activity and documentation for its own sake is a common pitfall.
Simplify plans so they can be internalized and recalled easily by the people that need to know them. Where appropriate, checklists are an excellent tool.
The exceptions, of course, are cases where such plans are mandated or regulatory requirements, such as in the finance and healthcare industries. Absent any compliance or other compelling need, voluminous documentation should be replaced by slim, user-oriented playbooks.
A practical example of this is an organization with a 75-page corporate incident response policy. Key leaders in the organization had acknowledged that because of the policy's length, it was universally ignored—posing a critical risk. The solution was to reduce the most significant end user elements of the policy—what the responder truly needed to know first—into a one-page infographic.
The infographic was introduced to the working teams through a series of short, focused tabletop exercises. Teams were asked to use—and break—key aspects of processes contained in the infographic.
In the course of the exercises the teams also uncovered critical communications gaps and assumptions and were able to address them. They formulated the catchphrase “Don’t Hesitate to Escalate” to drive home their solution to the communications problem. In doing so, they delivered immediate value to the organization, improved operational efficiency, and established a basis for continuous improvement of their BC and crisis management capabilities.
Continually improve. The most compelling case a BC professional can make to a client or constituent is that the cost and effort required of proposed BC-related activities will offer some immediate payoff, as well as continuous, iterative improvement throughout the process.
Free from documentation for its own sake and a strictly sequential BC cycle, the BC professional discovers the opportunity to take more of a role as a partner in the business. Where performance measures like RTOs are needed, along with taking an inventory of key business processes, discussion around these topics should not focus on an arbitrary target.
Rather, an opportunity exists to engage stakeholders about their goals for the organization and to rationalize the findings of their assessments—challenge them to apply their own intuition to the targets and see if they pass the test of common sense. And by asking why the target is there, call into question how it may be reached on a “blue sky day” more efficiently.
The BC process can be a source of continuous improvement by providing a venue for these conversations among stakeholders. People are eager to share personal experiences of working through crises—with outcomes that were positive or negative for the organization—especially in a setting where that experience can add value.
For example, one organization recognized that its list of key business processes was extensively detailed and complicated. A very candid, common sense discussion reduced this list from dozens of items to six, only one of which was considered critical. Consequently, the BC management process was simplified, and the crisis management response framework was easier to internalize.
Plan for effects. The causes of catastrophe are innumerable. We cannot plan for every eventuality, and even if we could, our best laid plans often get overtaken by the events. Instead, we should focus on effects.
Generations of military leaders have understood that “No plan survives first contact with the enemy.” The notion is familiar and often repeated in more contemporary contexts, but perhaps best by Mike Tyson: “Everyone has a plan until they get punched in the mouth.”
Consider the extreme weather phenomena experienced by the U.S. Northeast in 2011 and 2012. In the fall of 2011, the area experienced a nor’easter and Hurricane Irene in rapid succession. The following fall in 2012, it experienced yet another nor’easter and Superstorm Sandy.
All four events can easily be described as storms, natural disasters, or extreme weather. The acute causes of the localized emergency were highly specific, however. Each storm had its own unique character: inland flooding, coastal flooding, a snow event, or a tree event. Some would argue that this calls for four unique types of plans—or that each cause needs a corresponding plan.
On the contrary, the effects of these catastrophes are much fewer. The effects will only be the unexpected unavailability of people (staff), places (facilities), or things (resources and critical suppliers).
Focusing on effects makes for much simpler, more meaningful and manageable planning.
Know the business. Above all, the people responsible for carrying out any BC or crisis management activity need to know the business. BC practitioners should align closely with operational teams at every level of the organization—not just at the senior leadership level. Having executive support is beneficial to driving outcomes, but the discovery of ground truth comes from frontline teams. The best BC professionals don’t just drive an arbitrary BC cycle. They understand the people, places, and things that make the business unit tick—and why.
If we consider crisis management an unexpected opportunity to change, then BC should serve as the practical, sense-making corollary. In other words, the lessons learned in acute responses to crises can be sharpened into operational improvements and ultimately greater resilience when incorporated by the BC process.
The BC professional’s biggest client in any organization is operations. Delivering value during crisis means having close integration between business continuity, crisis management, and the real needs of the business.
If we accept that organizations will continue to be challenged in unexpected ways by the external environment—and that this will result in losses—we have to look at how our BC efforts match with the demands placed upon them.
The organization that is in a position of strength is one that has truthfully inventoried itself, assessed its own assumptions, and made use of what it learns along the way—not just in the moment of crisis or business interruption.
The path to this outcome can follow a traditional, prescriptive route as defined in the ISO and the Good Practice Guidelines—but it can also take more innovative and ongoing forms by linking BC and crisis management to the goals and orientation of the organization. A more practical, agile, and lean approach like the one outlined by Adaptive Business Continuity is likely to provide more value—and at a faster pace—than traditional practices we currently have in place.
Brendan Monahan is the chair of the ASIS International Crisis Management and Business Continuity Council. He is an Associate director at Novartis, responsible for coordinating business continuity and for risk and crisis/emergency management in the U.S. country region.