Inside Track: A gold standard
10 November 2016
According to Conway, a key question for anyone attempting to square this circle is whether they think of BC and DR as IT-related issues or business-process-led issues.
“There is still a dilemma. But the ISO standard is all about organisational continuity. It looks at the resilience of the organisation and the ability of the total organisation to carry on its critical functions during and following a major unplanned incident or event,” he said.
“The recovery of systems is obviously core to that but the recovery of people, of processes and the ability to keep the show on the road is most important, regardless of what you do. What we are seeing is that more and more people are starting to embed business continuity into the organisation and that they’re starting to do education in this area.”
The Business Continuity Institute is the de facto professional authority for business continuity practitioners in Ireland, and according to Conway it has seen a major lift in the number of people who want to go through formal training and accreditation.
“If you want to evaluate an organisation you can look at the standards, but you’ll rarely find they’re achieving them. Because it’s an immature area for standards, you have to look and see what sort of practitioners they have or what sort of investments they’ve made in it and where they are in their programme,” he said.
Assessing business continuity practitioners in the absence of a recognised standard is difficult, but according to James Crask, senior manager for business resilience with PwC, professional associations are one place to start.
“If I was buying in business continuity services from an organisation, I would start by making sure the people I was bringing in were experts, and one way of doing that would be to check whether they’re a fully paid-up, registered member of an organisation like the Business Continuity Institute,” he said. “That would give me some level of confidence that they know what they’re doing.”
Crask has worked with PwC’s business resilience business since 2010 but is also chair of the ISO working group responsible for global continuity and resilience standards.
“In my experience of working with ISO and PwC, the link between business continuity planning and the IT recovery and resilience process is often the weakest part of the business continuity chain. Ideally the two should be absolutely intertwined, but often you find that there is a business continuity recovery plan written in isolation from what’s happening in the IT area of the organisation,” he said.
“Assumptions are made in the business that certain bits of critical IT will be back up and running in a certain period of time following disruption, but you have the IT department planning on a different set of assumptions. In my experience, the issue is quite easily fixed by bringing both together to share their planning assumptions. But often that doesn’t happen, particularly in large organisations where assumptions are a bit more siloed.”
Crask is unusually well suited to comment on business resilience given his dual roles in the standards industry and the world of consultancy. As a result of this, he has seen both sides of the transaction.
“Outside of my ISO role, I work for PwC so I’m one of the individuals that goes in and delivers consulting services. Looking at it from the other side of the transaction, this is a business that’s all about expertise and credibility and you build that through trust, by building relationships and by getting to know your clients,” he said.
“Those standards we write in the ISO committee that I head up are aimed at people that are implementing business continuity or resilience capability into organisations. That could be people who are in-house resources like head of business continuity, or head of risk, or head of IT risk, or it could be a consultant who has been paid to come in and deliver that service on behalf of a client.”
ISO does not specifically target the consultant market, so Crask thinks there may be a gap in the market in giving guidance to users around choosing the right kind of consultant or professional services company to support them.
“Different markets around the world are better and worse at this. If you look at the UK and Ireland as an example, we’re quite mature at building plans and delivering exercises. Business continuity has been around for a long time, and the market is more about assuring whether your capability is working,” he said.
According to Crask, the maturity of business continuity thinking elsewhere, such as in Latin America and the Middle East, is a little behind what it is here.
“There’s much more emphasis on delivering plans and developing exercises. There’s actually many more opportunities there for consultants because companies are looking for help in developing their capabilities in this area.”
Ironically, implementing business continuity and creating a plan represents something of a paradox. However, the process has value in and of itself.
“You put a lot of work into a BC plan but ideally hope to never actually have to invoke it. But the process you go through to arrive at that plan, the understanding it breeds of the organisation and the risk assessment process that you go through are enormously valuable,” said Crask.
“In fact, developing the recovery strategies for your resource dependencies and building lots of relationships internally within the organisation is actually often much more valuable than the plan itself. In a way, what you’re doing by going through that process is building resilience into the organisation which hopefully will reduce the requirement upon needing to invoke a plan later on.”