March 17 - COVID-19 BCM


From my narrow perspective as a practitioner, manager and consultant in the field, some 20-30 years ago Business Continuity Planning revolved around IT Disaster Recovery, which generally involved (at the time) either powering up an alternative data centre or hiring a few servers on the back of a truck and plugging them in to restore the services taken out when the data centre was flooded or burnt. It was almost entirely IT-focused, expensive, and could cope with very few disaster scenarios: there still had to be somewhere for the truck to park up and plug in, the backups to be restored had to have survived miraculously, and of course the rest of the organization had to be there too, including the alternative data centre plus the people and associated essential services.

From that primitive origin, BCP started to get better organised, with scenario planning and tabletop exercises, and actual 'management' instead of just 'planning' - leading to Business Continuity Management. The scenarios expanded, and before long organisations realised that they couldn't reasonably plan and prepare playbooks for every possible situation, every single risk. Also, the process linkages with incident management grew stronger, including the shortcuts necessary to escalate serious incidents, authorise and initiate significant responses quickly etc. Oh and warm-site and hot-site concepts appeared, along with Recovery Time Objective, Recovery Point Objective and a few other basic metrics.

Then, about 10 to 15 years ago, resilience popped out of the ether as a supplement for IT DR and other recovery approaches, the idea being to do whatever it takes to maintain essential services supporting essential business processes. Even today, some organisations struggle with this concept, and yet "high availability" systems and networks, dual-live/distributed systems, load-sharing, multi-sourced supplies, customer diversity etc. are reasonably straightforward and generally-accepted concepts. I guess they have trouble joining the dots - particularly in the area of workforce resilience, and the cultural aspects of "We WILL get through this: now, what can I do to help? Here, hold my beer ..."

During the past 10 years or so, true contingency approaches have appeared, in some organizations at least, partly in recognition of/reaction to the limitations of scenario planning and playbooks. There are all sorts of scenarios that cannot be foreseen or predicted, hence no specific plans can be pre-laid ... but the resources needed to evaluate the situation and do whatever is necessary contingent (depending) on the situation - to cope with it - can be prepared.

In our security awareness materials, we've often used duct tape as an example of something worth having in the cupboard just-in-case, with the Apollo 13 story illustrating the points very graphically - including the management foresight to allow all those extra extremely costly grams of weight to be flown into space just-in-case such a situation arose. This takes the resilient culture up a notch, with HR departments talent-spotting people who are good in crisis, capable, quick-thinking, resourceful, energetic and motivational leaders etc. - creative risk takers, too, willing to go off-piste, ignore the now redundant playbook and cobble together an effective response from the remaining resources at hand, given the contemporaneous priorities and constraints, and dynamic objectives. Not just individuals, but whole teams of them, working through the initial scared-stiffness and pulling things together.

That's a rather different set of skills and competencies to the traditional compliant "company man".

During the past 5 years or so, in line with cloud, we've seen the whole BCM thing gradually extend to take in entire supply chains or rather supply networks: the organization doesn't exist in a vacuum but relies on several others, and in turn others rely on it, so the resilience of the whole means identifying and strengthening/working around/cutting out/replacing the weakest links. We've also seen the Business Continuity Management System approach find its feet, with ISO 22301 promoting a more structured approach to managing the whole shebang, with documentation, stability and measurement of the processes and activities allowing management control and systematic improvement - in other words, proper governance. This is a modern take on the "co-opetition" theme in the business world: there are business situations where it is in the organization's best long term interests to support or enable its competitors. Winner-takes-all cutthroat business strategies are not the only way, nor necessarily the most appropriate. The keiretsu and other industrial conglomerates and diversified groups demonstrate the power of collaboration that extends beyond each of the individual players ... and in awareness terms, sports leagues are a classic illustration: members of any league are not just competing with each other, but actively collaborating to promote the entire league. A bank is not just a cash-store, but is an integral component part of the global financial industry ... which is in turn an integral component part of the global economy and human civilisation.

Whereas we have had numerous more isolated disasters (mostly natural, e.g. earthquakes, tsunamis and eruptions), COVID-19 is a fascinating global case study: we shall see how individuals, organizations, industries and nations fare. It already appears as if the airline, tourist and sports industries are having a hard time, plus of course healthcare. Our governments are scrambling to respond, and the financial industry is facing yet another global meltdown: will they need to be bailed out, again? Will weaker players and insurers go to the wall? Or will the response this time be sufficient to prevent disaster?

Most intriguingly, will well-prepared organizations, leaders, politicians, industries and nations arise triumphant from this mess, seizing the opportunities that inevitably arise as their less-well-prepared competitors fall gasping in a heap?

And from the awareness and management perspective, what will we learn this time around that will help us post-COVID-19? Key to that is watching and thinking about what's going on around us right now, and considering its appropriateness for future/impending disasters (such as climate change). Hard to do when survival is at stake but that's the point really.

Fascinating times!
