From my narrow perspective as a practitioner, manager and consultant in the field, some 20-30 years ago Business Continuity Planning revolved around IT Disaster Recovery, which at the time generally meant either powering up an alternative data centre or hiring a few servers on the back of a truck and plugging them in to restore the services taken out when the data centre was flooded or burnt. It was almost entirely IT focused, expensive, and could cope with very few disaster scenarios: there still had to be somewhere for the truck to park up and plug in, the backups to be restored had to have survived miraculously, and of course the rest of the organization - the alternative data centre, the people and the associated essential services - had to be available too.
From that primitive origin, BCP started to get better organised, with scenario planning and tabletop exercises, and actual 'management' instead of just 'planning' - leading to Business Continuity Management. The scenarios expanded, and before long organisations realised that they couldn't reasonably plan and prepare playbooks for every possible situation, every single risk. The process linkages with incident management also grew stronger, including the shortcuts needed to escalate serious incidents and to authorise and initiate significant responses quickly. Oh, and warm-site and hot-site concepts appeared, along with Recovery Time Objective, Recovery Point Objective and a few other basic metrics.
Then, about 10 to 15 years ago, resilience popped out of the ether as a supplement to IT DR and other recovery approaches, the idea being to do whatever it takes to maintain the essential services supporting essential business processes. Even today, some organisations struggle with this concept, and yet "high availability" systems and networks, dual-live/distributed systems, load-sharing, multi-sourced supplies, customer diversity etc. are reasonably straightforward and generally-accepted concepts. I guess they have trouble joining the dots - particularly in the area of workforce resilience, and the cultural aspects of "We WILL get through this: now, what can I do to help? Here, hold my beer ..."
During the past 10 years or so, true contingency approaches have appeared, in some organizations at least, partly in recognition of or reaction to the limitations of scenario planning and playbooks. There are all sorts of scenarios that cannot be foreseen or predicted, hence no specific plans can be laid in advance for them ... but the resources needed to evaluate the situation and do whatever is necessary - contingent (depending) on the situation - to cope with it can be prepared.
In our security awareness materials, we've often used duct tape as an example of something worth having in the cupboard just in case, with the Apollo 13 story illustrating the point very graphically - including the management foresight to allow all those extremely costly extra grams of weight to be flown into space just in case such a situation arose. This takes the resilient culture up a notch, with HR departments talent-spotting people who are good in a crisis: capable, quick-thinking, resourceful, energetic and motivational leaders etc. - creative risk takers, too, willing to go off-piste, ignore the now redundant playbook and cobble together an effective response from the remaining resources at hand, given the contemporaneous priorities, constraints and dynamic objectives. Not just individuals, but whole teams of them, working through the initial scared-stiffness and pulling things together. That's a rather different set of skills and competencies from the traditional compliant "company man".
During the past 5 years or so, in line with cloud, we've seen the whole BCM thing gradually extend to take in entire supply chains, or rather supply networks: the organization doesn't exist in a vacuum but relies on several others, and in turn others rely on it, so the resilience of the whole means identifying the weakest links and strengthening, working around, cutting out or replacing them. We've also seen the Business Continuity Management System approach find its feet, with ISO 22301 promoting a more structured approach to managing the whole shebang, with documentation, stability and measurement of the processes and activities allowing management control and systematic improvement - in other words, proper governance. The supply-network view is a modern take on the "co-opetition" theme in the business world: there are business situations where it is in the organization's best long-term interests to support or enable its competitors. Winner-takes-all cutthroat business strategies are not the only way, nor necessarily the most appropriate. The keiretsu and other industrial conglomerates and diversified groups demonstrate the power of collaboration that extends beyond each of the individual players ... and in awareness terms, sports leagues are a classic illustration: members of any league are not just competing with each other, but actively collaborating to promote the entire league. A bank is not just a cash-store, but is an integral component part of the global financial industry ... which is in turn an integral component part of the global economy and human civilisation.
Most intriguingly, will well-prepared organizations, leaders, politicians, industries and nations arise triumphant from this (COVID-19) mess, seizing the opportunities that inevitably arise as their less-well-prepared competitors fall gasping in a heap?
And from the awareness and management perspective, what will we learn this time around that will help us post-COVID-19? Key to that is watching and thinking about what's going on around us right now, and considering its appropriateness for future or impending disasters (such as climate change). Hard to do when survival is at stake, but that's the point really.
Fascinating times!