|
|
|
Business Continuity... Reflections on the Past and Predictions
for the Future Back in 1985 I was living in Amsterdam and working as European Business Systems Manager for a large US multinational. One day in late summer, I took a routine phone call and found myself talking to a fellow English ex-pat who had a "great business idea". His enthusiasm was palpable, he was going to change the way people thought about business, he was going to launch a concept called "Continuity Planning" on an unsuspecting world. His name was Ronald Ginn, a former IBM marketing man, and I was skeptical - as you might imagine. It must have been a quiet day because I stayed on the line. I listened and I thought about what he had told me. That decision to listen changed my life in more ways than I could have possibly imagined, and in ways well beyond business. Without this call, I suppose it is fair to say I would not be writing this article or working in BCM at all. Last month, I had very similar thoughts. I was delighted to be given The Lifetime Achievement Award at The BCM Awards ceremony held at a top London hotel. The event was organised by a major Insurance & Risk magazine, supported by The Business Continuity Institute and The Corporation of London. There were around 500 people packed into the Park Lane venue and the evening was hosted by one of the UK's foremost television celebrities. I couldn't help reflecting that in less than 20 years, business continuity has moved from an idea (or even a dream) held by a few individuals to a full-fledged business discipline. It is now a genuine industry sector, a respectable academic discipline and a vital issue for businesses, governments and regulators worldwide. Ron Ginn is now retired but still living in The Netherlands and is amazed at how his vision has been justified over the past two decades. Charting how and why this has happened is a fascinating journey. There have been many frustrations and disappointments along the way, but no one can doubt the progress and successes achieved from such unpromising beginnings. In 1985 there was only an embryonic Disaster Recovery industry in Europe and few had heard of Disaster Recovery Planning. No one had heard of Business Continuity Planning. We had to look across the Atlantic to see what was happening. Comdisco and SunGard were well established, other specialist vendors were offering niche services, high security data storage was available, specialist DR consultancies were being launched and specialist DR planning tools were coming to market for the burgeoning PC market. By early 1986 I had taken the plunge and together with Ron Ginn and two other "believers" started what we believed to be the first exclusively BC consultancy in Europe. Our company "Continuity Planning Associates" still exists today, successfully helping a wide range of organisations with their BCM needs in a variety of ways. However, when we started we were eager to learn from the US pioneers. We met with and were helped by many people such as Ed Devlin and Norm Harris who are still known in BCM circles today. I remember visiting many hot-sites, storage facilities (some under mountains), DR service suppliers, DR planners and managers. We came across new terminology such as Business Impact Analysis (BIA), Element Failure Impact Analysis (EFIA) and much more. Back home in Europe, we agreed there were many lessons for us to build on but the European approach had to be slightly different. We realised that our offer had to be wider than Computer Disaster Recovery. There was limited Computer Backup/Recovery capacity available and that which existed was almost entirely in the UK. Holland had one IBM facility; France, Germany, Italy and Spain had none. Even as recently as 1996 there was no DR capability in Greece and we had to build plans for the leading bank in Greece using a UK "hot-site" as it's primary IT recovery strategy. Recommending traditional "hot-site" recovery solutions was sometimes pointless, as suitable services often did not exist. We had to think laterally and be more imaginative in our solutions. Continuity, not Recovery, had to be the key word. We had to look at continuation of primary business processes (by various means) not simply the recovery of prioritised computer applications. We actively promoted the discontinuation of the negative term Disaster Recovery and replaced it with the positive idea of Business Continuity. We asked if you needed a plan for loss of IT, why not have a similar plan for loss of distribution, warehouses or factories, key personnel, telecommunications and so on. The list of potential exposures was vast and concentrating only on system interruption was important but insufficient to ensure business continuity. In 1988 I wrote an article for a major UK IT publication in which I believe the term "Business Continuity" was used for the first time on my side of the Atlantic. In that article I argued that: "Simplistic standard recovery solutions such as those proposed for traditional data centres are irrelevant to most major global corporations. The next five years should see Business Continuity Planning replace Disaster Recovery Planning and become a strategic management issue discussed at the highest levels." I believe that I got the prediction right but my timing was way out. In fact, it took until the Y2K hype hit the headlines for Directors to get involved in any significant manner, and for 9/11 before they really believed it was important. My 5 years has become 15 years and top management awareness is still not where I had hoped it would be. I am often asked about the major changes to BCM during my years of direct involvement. Although the scale of the industry has grown enormously, many of the fundamentals remain the same. In particular, I think the BCM world has a great strength in the quality, commitment and belief of its key practitioners. Although we live in a commercial world, most BCM experts really do believe in what they are doing and have a code of ethics I have not experienced in any other business. The amount of unpaid time leading figures in our industry spend on supporting industry bodies, education programs and community activities is commendable. This appears to be a function of our business "raison d'etre" and how we interpret our responsibilities. This sense of value in what we are doing seems to me to be almost identical wherever in the world I speak to BCM professionals. However, we cannot deny that large changes have occurred, mainly as a result of the context in which we now need to operate. I have collated these changes in 5 groups. Some of these changes are in-train but not fully completed, but I think they are all now probably inevitable. 1. Rapid
explosion in the BCM technical services and solutions available 1. Technical options for disaster prevention, recovery and restoration have expanded rapidly in the past few years. Traditional fixed "hot-sites" still have an important role but they are now integrated with a plethora of other related services. Dealer Room/Desk Recovery, Work Area Recovery, Desktop Service Recovery, telecoms switching, voice recovery capability, hosting, mirroring, shadowing, vaulting, self-healing technology and the like all compete with each other for budgetary dollars. The choice is endless and the cost can be high. Not as high as potential business loss claim the solution salesmen but are they correct? Fortunately, the BCM professional usually has a good balanced view - weighing the perfect technical solution against the real business risk and need. 2. No organisations can entirely ignore Business Continuity anymore. The strong business drivers have forced organisations to consider BCM - albeit less seriously than some of us might wish to see. Large publicly quoted firms will be more than encouraged to do so by their auditors, insurers, regulators and to meet Corporate Governance rules. In the UK, however, a joint study between the Business Continuity Institute and the Chartered Institute of Management (CIM) demonstrated that the most efficient driver is when actual or potential customers demand BCM. For companies at the start or middle of a supply chain, BCM is not only good practice, it is essential to keep or acquire new business. The carrot has replaced the stick for them. BCM is not just an overhead, it might actually add to the revenue stream. 3. In both the UK and the US, the financial regulatory agencies have taken steps to ensure their regulated firms are properly protected. They are looking for evidence that appropriate measures have been taken to protect client funds and national critical financial infrastructures. Although the demands are not always stated as mandatory Business Continuity requirements, the effective result is the same. Organisations have to adopt BCM principles to comply. We are also seeing regulators in Australia, Singapore, Hong Kong and the European Union starting to follow the same pattern. In the UK, the government has set a requirement on all central departments and agencies to establish effective risk management by the end of this year. They have also introduced the Civil Contingencies Bill, which will require BCM to be in place as part of a national emergency response capability. 4. Business Continuity was for too many years an island of specialisation sitting relatively low down organisations with no obvious focus. It might be considered part of IT, it might be owned by Facilities Management or Security. Sometimes it fell under Health and Safety, or Insurance, or even HR. Events since 9/11 have shown the need for an integrated Risk Management and Business Continuity policy. The value of expert Business Continuity professionals has been demonstrated, as has the danger of not integrating related disciplines in a business protection culture. The excellent work done by both the Business Continuity Institute (BCI) and the Disaster Recovery Institute International (DRII) in developing standards and best practices is the key element in this move towards greater acceptance of BCM as a profession. 5. For many years, the question I most asked was: Do you have a plan at all? If the answer was yes, then questions about testing and maintenance would follow. I believe we are now in a different era; the questions are more about the value and suitability of the plan. It is no coincidence that various attempts to provide BCM benchmarking and audit tools have emerged. I have personally had some involvement with both the Virtual Corporation's Maturity Model and the Business Continuity Institute Good Practice Guidelines. In the UK the British Standards Institute (BSI) have also published a publicly available specification for BCM called PAS56. The attempt to put metrics into evaluation of Business Continuity practice is inevitable, if the subject is important then it is equally important that its quality can be assessed. As for the future, I can do little better than continue with my 1988 prediction - we are well on our way but are not there yet. My Lifetime Achievement does not mean I plan to retire, I intend to stay around until what I hoped to see when I started in BCM really happens. There is still much to be done . About the Author Lyndon Bird, FBCI MSC BSC (Hons), is Managing Director of Continuity Planning Associates Limited, a leading European Business Continuity consultancy. He has a degree in Chemistry and a Masters in Management. He is a Fellow of the Business Continuity Institute, a Director and immediate past Chairman of the Institute. He has previously served as Chair of the Education Committee and as a Member of the Audit and Executive Committees. He was voted "Business Continuity Consultant of The Year" at the Continuity, Insurance and Risk Magazine Awards in May 2002. He was also presented with the "Lifetime Achievement Award" in May 2004 .
|
