Your Risk Management Magazine
Has BCM lost its way?

While the mechanics of companies’ business continuity plans are often fine in theory, management often overlooks the basic question of whether they would work in practice, according to Ernst & Young.

On one level, senior management has a better appreciation now than ever before of what business continuity management (BCM) is, why planning is necessary for disruptions and some key elements of such planning.

“They have experienced Y2K, and enhanced IT disaster recovery and service continuity plans,” said Alex Serrano, senior manager, advisory, Ernst & Young.

“They have experienced the terror threat surrounding 9/11, and understood the importance of crisis communications and remote disaster recovery sites. They have confronted pandemic influenza and SARS, and implemented people security measures and embraced societal resilience. These are all good things.”

Yet within boardrooms and senior management teams, Serrano said the more familiarity that management has with BCM and its terms and concepts, the more complacency tends to take hold in some quarters.

“Do we have a crisis plan? Check. Have we done a BIA? Check. Are the continuity plans in order? Check. And yet something is lost in this mechanistic focus on procedure,” he said.

“Somewhere along the way management has forgotten to ask ‘do all these plans actually work?’”

In some cases, Serrano said hard decisions about investing in BCM capability have been dodged, and BCM managers have at times become complicit in this process.

“Being knocked back for necessary investment in risk-based mitigation decisions one too many times, some have stopped being ‘outrageous’ and demanding attention to core risks. When this happens I think it’s regrettable,” he said.

Well-publicised recent natural disaster events in the Asia Pacific region, however, may be starting to refocus a number of boards and senior management teams on this key issue.

“BCM is no fig leaf. Unlike some things an organisation chooses to pursue, BCM must carry its weight – it must be proven to work. Thankfully some corporates and leaders have never lost sight of that,” said Serrano.

However, he noted that some things show little signs of changing. “For example, the main drivers for BCM remain the same – regulatory compliance and the boards of corporate organisations. For regulated industries (such as the banking sector) compliance requirements mean that Australian banks must be able to demonstrate capability according to the prudential standard APS 232,” said Serrano, who noted that listed entities and government organisations similarly need to address ongoing, stringent BCM compliance requirements.

One of the key attributes of the BCM profession is that it is all about asking questions and challenging the status quo, he added.

“Therefore, there is no contradiction between BCM achieving a level of process maturity while at the same time continuing to ‘reinvent’ itself with uncommon zeal and vigour. The emerging BCM global standard is just one example,” said Serrano.

“There is no standing still in this industry, partly because the risks that BCM addresses are constantly evolving and altering, and partly because the tools we have available to meet resilience challenges are changing (and in many cases improving) all the time.”

BCM is being challenged to “pay its way” more than ever before, said Serrano. “Senior management and boards are, frankly, fed up with silo-based approaches to operational risk, and are demanding that BCM ‘up-periscopes’ better to work out how its approaches enmesh properly with the fundamental risk management processes within an organisation,” he said.

Business Impact Analyses (BIA) must not be allowed to wither and die on the vine as they remain core to the practice of BCM, but Serrano asserted that executives must not be confronted by multiple BIAs being performed in the same team/area/division as sometimes happens now, with BIAs according to BS25999 covering the same territory as application BIAs performed as part of ISMF rollouts.

“It’s a recipe for confusion and it needs to stop,” he said. “The Australian Standard AU/NZS 5050:2010, although maligned in some quarters, is at least a legitimate attempt to ‘decrypt’ the practice of BCM and meaningfully interlink it with the wider corporate management of risk.”

As a profession, he said BCM needs to focus not only on reinventing resilience solutions (such as Web 2.0 technology), but also on educating itself around a streamlined set of global better practices that meet corporate governance and compliance demands while still positioning organisations as risk aware, agile and resilient.

Advancing the business continuity profession

Business continuity professionals need to avoid the “middle-age” fatigue that can set in once a profession has carved out a niche for itself within a crowded risk solution landscape, according to Alex Serrano, senior manager, advisory, Ernst & Young.

“I suggest we keep the passion, and foremost in our thinking should be the fire in the belly that activated us to the possibilities and importance of BCM in those early, heady days of first encounter,” he said.

“At the same time we should continue on that never-ending quest for knowledge and professional clarity that will help us remain relevant within the overall context of proliferating corporate risks and ever-increasing push for risk management convergence. This process of self-education helps us continue to legitimately point out when the emperor is not wearing any clothes, and to notice if (or when) we aren’t wearing any ourselves.”

If business continuity professionals can get these two focus points roughly right, they will be able to be effective change makers – treading a fine line between the ‘evangelist’ and the ‘fanatic’. “My suggestion – we work out our lines, stay on message, and rely on the best principles that underpin BCM – using a framework of useful knowledge to convince corporate and community leaders to take resilience seriously and invest accordingly,” said Serrano.

Alex Serrano will be speaking at the Australasian Business Continuity Summit 2011, held from 8 to 10 June 2011 at the Sofitel Sydney Wentworth Hotel.

© 2012 Key Media Pty Ltd.