Friday, 31 October 2014

Resource-based contingency planning – an alternative approach to ISO22301 certification

Business continuity is, especially in the Anglo-American world, not that much a new concept. Being not new also means that it probably is due to be redesigned. Since the inception of Business Continuity Management in the late 80s and early 90s of the last century, the world has changed quite a bit. The main concepts, procedures and processes of BCM however have not changed that much in the past 25 or so years. We are still talking PDCA, we are still talking process-based business impact analysis, we are still trying to do the work of risk managers with our task in the fields of operational and reputation risks. We still have the BCM Lifecycle.

Those who are practitioners in the profession may have already realized that the theoretical strategies and tactics as outlined by the BCM Lifecycle approach may not always meet the needs and possibilities of an organization seeking to implement BCM. The business impact analysis for instance needs processes, since it aims to operationalize the damage because of failed process. But, which organization does have a complete and operationalized process document which allows it to just sum up losses and damages along process chains? And, how can the BCM organization define the so-called BCM-Strategies when they haven’t even asked the business what they think they need as workarounds to cover a resource which was lost or damaged because of some crisis situation?

Here we already have the word, what this presentation is about: Resources. What I do call resource-based contingency planning is actually not just contingency planning, but part of a new approach to business continuity, which offers an alternative to the BCM Lifecycle. In the first part of the presentation, I will briefly introduce this system, which covers all parts of what we know is demanded by the BCM Lifecycle, however in a quite different sequence and with partly completely different methods and tools, and which addresses all controls of the ISO22301 standard.

In the few minutes I have for the presentation, I cannot go through the complete methodology what I call resource-based business continuity. I only show a core part of it, one of the 15 deliverables and work objects of a business continuity management system – the business continuity plan, the probably most important one of five different plan types which need to be created for a complete BCMS (the others being the disaster recovery plans, the emergency and rescue plans, the crisis communication plan and the crisis management plan).

The most astonishing part of these BCPs may be the inclusion of a risk assessment as a part of this plan. The risk assessment, being a core element of ISO22301 requirements, is no longer a work package of its own, but an integral part of contingency planning. The reasons for this, and why this makes much more sense than to emulate the work of a risk manager prior to actually planning for catastrophes, will be given in my presentation. The same by the way, is true for the identification of critical suppliers and clients, which also is done in the course of discussing and deciding on a workaround in the case of the loss of a critical resource.

However, in the title of my presentation, you find the most important difference between the BCM Lifecycle approach to business continuity compared to what I am doing. Where the lifecycle’s objective and basis of action and contingency planning is the business process, in my world it is the resource. One does not need the availability of documented and operationalized business processes to implement a BCMS, but only knowledge about what resources an organization has. And, differently from processes, this bit of information is most often readily available, and if not, can be created without much work.

With the presentation, I will provide a view into a core part of an alternative approach to ISO22301 certification, which delivers some novel ideas how to structure a contingency plan, how to identify critical clients and suppliers, and how to identify and assess operational risks. And if you pay attention, you might get an idea, why this approach to implement business continuity allows for applying for certification some six months after start of the project already, and why this approach reduces the cost of BCM between 50% and 80%.

Rainer Hubert will be discussing ISO22301 further on day two of the BCI World Conference and Exhibition on Thursday 6th November. You will find him in seminar room 1 starting at 13.10.

1 comment:

  1. Well I have learnt Managing my business from Aloke Ghosh. He really taught me great techniques and given me some tools also which help in managing accounts of my business. He was my most favourite professor of my college.