Whilst Charlie was on holiday last week, he read a recently published book about Adaptive Business Continuity. In this bulletin, he presents his thoughts on the new methodology developed by David Lindstedt and Mark Armour.
The poor BIA is getting a hard time at the moment: a number of practitioners are questioning its usefulness, and there is some debate among business continuity practitioners about whether it can be dispensed with altogether. In the newly published book ‘Adaptive Business Continuity: A New Approach’, by David Lindstedt and Mark Armour, doing away with the BIA is one of the key elements of their business continuity manifesto.
If you look at the manifesto, which consists of nine ‘principles’, and hope to save lots of time by not doing a BIA, you are going to be disappointed! Although the authors do propose that the BIA should be dispensed with, they replace it with something that is suspiciously similar. Many of the data collection requirements resemble those of the ‘traditional’ BIA. There is also a requirement for additional analyses of a department’s activities, which are not part of the ‘traditional’ requirements for developing a BIA. Additionally, the book places a strong demand (‘Principle 5’) on those carrying out business continuity to understand the organisation, its culture and how it operates. So, if you are looking for a shortcut to achieving business continuity by not doing a BIA, then this book is not for you.
The benefit of this book for me, as a business continuity practitioner, is within the tactical and operational insights and ideas it gives, rather than the strategic change I suspect the authors would like. I will discuss my thoughts on the strategic ideas laid out in the book later in this review.
I liked a number of the ideas developed in the book and will adopt some of them into my existing methodologies. Although it is refreshing to see new ways of rolling out business continuity, several of the ideas laid out in this book are already being used by many within the industry.
I particularly liked the idea that you could begin anywhere in the business continuity lifecycle. Instead of slavishly following the lifecycle, you could start by carrying out the actions which provide the greatest benefit to the organisation. For example, carry out an exercise at the beginning of the process, rather than at the end.
Business continuity can lend itself to just being a checkbox exercise, focusing on achieving compliance. Within the book, there was an emphasis on providing value and improvement to the organisation’s resilience, by carrying out business continuity, instead of making it all about compliance. To me, if you just follow compliance and don’t have a workable solution, you will be caught out sooner or later. I am sure the emergency planners of Kensington and Chelsea had a compliant emergency plan, but when it was used in the response to the Grenfell fire, it failed.
I like the idea of making business continuity more measurable (‘Principle 6’) and of having a ‘no-fault baseline’ when rolling it out, building improvements from there. There have been many attempts at providing a measurement of BC, such as the Visual Corp ‘maturity model’. However, at least within the UK, they don’t seem to have caught on. The danger with measurement is always whether the numbers are meaningful. If you present a senior executive with a figure of 54.74, they may look at such a precise number with skepticism. The book comes up with three metrics for measuring preparedness: compliance (how prepared the department is to manage an incident), procedures (how you are going to recover), and resources (whether you have the resources needed to recover your activity at a predefined level). The metrics are laid out on a triangle, each corner representing 100%, with the level of preparedness drawn as a smaller triangle inside. As long as there is a robust definition of how to measure each criterion, this would be a useful addition to any business continuity dashboard.
Within the fourth chapter, titled ‘Finishing’, there are a number of mini case studies about how Adaptive Business Continuity could be implemented. These could be useful for less experienced practitioners to understand some different ways of implementing business continuity. For me, the examples demonstrated that Adaptive BC is not very different from the BCI Good Practice Guidelines 2013, which many of us work to. The order of the activities that the new business continuity managers carried out was, perhaps, slightly different, but overall there were no activities I didn’t recognise, or might not have carried out myself.
There were a number of elements in this book which I disagreed with. The first chapter, ‘Demolition’, outlines a number of practices, labelled ‘traditional BC’, which the authors would like us to eliminate. These varied from ‘Eliminate the Business Impact Analysis’ to ‘Testing drives participants to meet the objectives. Not to improve recoverability’. Many of the practices which the authors are trying to eliminate are not being practised anymore, or are dying out.
The monolithic BIA, taking six to nine months to carry out, with its fifteen-tab spreadsheets capturing vast amounts of information which is out of date before it is signed off, is not ‘traditional BC’ but old-school business continuity that is dying out. In a similar way, huge plans covering every possible scenario, from fire, to flood, to bad weather, to loss of access to a site, each with a series of checklists remarkably similar to the last, are also dying out and being replaced with short, sharp, relevant plans. The book’s criticism of exercises is similarly dated; most exercises I have seen are about more than just testing recovery. My own personal feeling is that much of what is designated as Adaptive BC is already being carried out, or is at least becoming mainstream.
One of the parts of ‘Principle 8’ is to ‘omit the risk assessment’, which I believe is a major mistake. If you fail to carry out a risk assessment or threat analysis (as the BCI calls it), you are losing one of the major benefits of carrying out business continuity. When I have carried out a threat analysis, I have always identified some major risks or single points of failure which could have had a major impact on the organisation. A number of senior management teams have been genuinely surprised when told that if they lost the data centre in their headquarters building, they would have no IT, no email, no website and no telephony, and that restoring from back-up tapes or storage would take several weeks. Most have gone on to find solutions in third party data centres. Single points of failure can also be found in key persons, bespoke machinery, suppliers, buildings and, of course, in IT systems. Usually, someone within the organisation knew about the risk, but the risks had never before been consolidated together, their impact quantified and a number of solutions presented. I always say ‘it is a management risk position to decide to accept the risk and do nothing, but at least management has the risk on their radar’. Carrying out a threat analysis does not need any special risk management skills, and if it is done at the same time as collating the BIA information, some real business benefit can be gained from carrying out business continuity within the organisation.
As mentioned earlier, the book provides good ideas for the operational and tactical development of business continuity within an organisation, but the strategic concept of the book is flawed. The authors completely miss the point that business continuity is all about prioritisation.
“All activities are critical (otherwise why do they exist), but some are more time critical than others.” – Charlie Maclean-Bristol
We carry out a BIA to understand the priority of what we need to recover after an incident. We then use risk assessment/threat analysis to identify the most obvious threats to the resources which are needed for the delivery of those activities. We can then look at taking mitigation measures to make the most time-critical activities more resilient.
Most organisations don’t have unlimited funds to spend on business continuity, which is why we must prioritise. We also need to make sure we spend funding on the most time-critical activities.
For example, take an organisation in which two of its activities are ‘recruitment of new staff’ and ‘customer sales call centre’. Our BC manager has decided to use ‘Adaptive BC’ to implement business continuity within the organisation. When the customer sales call centre is busy taking calls, they don’t want to engage with the business continuity roll-out. As a result, the BC manager, under the Adaptive BC method, goes and speaks to the recruitment department, who are extremely pleased to see him/her. They all have desktops, which are no good for recovery, and therefore believe that if they had laptops and VPN access to the organisation’s systems, they could recover quickly and work from home. The Adaptive BC manager, wanting to improve the organisation’s ability to recover, works with the manager to get them all laptops.
I would expect a more ‘traditional’ BC manager to see that customer call centre engagement and recovery should be prioritised, in spite of the staff not wanting to engage with business continuity. Loss of the call centre would have the biggest and most immediate impact on the organisation, because if customers could not get through to the call centre, they would order from a rival and the sale would be lost forever. When conducting the BIA, the BC manager would also realise that the recruitment department is not required for several days, if not weeks, after an incident. With this in mind, the laptops could be bought and configured with VPN access after the disaster had occurred. The initial purchase, as well as the ongoing maintenance of the laptops, is ‘over-recovery’, and the money spent on this could be better spent on more time-critical activities. Without prioritisation, money, time and effort are wasted. The book denies that prioritisation is possible, replacing it with ‘it depends’. You can change the prioritisation on the day, or bring forward the recovery of parts of the organisation with long RTOs, but prioritisation makes sure that BC managers spend time and effort on the parts of the organisation which would have the biggest impact if lost.
The book ‘Adaptive Business Continuity: A New Approach’ is not describing a bright new possible future, but is actually describing the world as it is now, with many practitioners already using the agile and streamlined working the authors propose. It also outlines some new ideas for measuring and benchmarking business continuity, which should be considered as new ways to implement and measure it. I think the greatest contribution of this book is convincing readers that business continuity is not monolithic and complex, but can be implemented flexibly while ensuring that it is constantly adding value to the organisation.
I would recommend that all those who are serious about understanding the profession and would like to be exposed to new ideas read this book!