The April 2012 Continuity Insights Conference in Scottsdale, Arizona was a great mix of foundational and advanced topics in business continuity management (BCM). PS-Prep even had its own track! I couldn’t be at all sessions, so this post is about the ones I attended – it might give you some insight as to what our clients are asking.
There was much discussion around the integration of BCM with risk management, with GRC or with operational resilience, and what to call all of this “stuff”. A very good piece of advice was given in the session GRC, ERM and BCM: A Risk Map to Tie It All Together: “You’re likely doing it anyway. The name is irrelevant.” It reminded me of the Louis Armstrong lyric – “Potato, Potahto, Tomato, Tomahto! Let’s call the whole thing off”. Well – let’s NOT call the whole risk thing off – we are the gatekeepers for many organizations in doing the right thing, or at least doing “some thing” for the right reasons.
There was a lot of envy of BCM professionals who had senior management buy-in; the question kept being asked over and over: “How do we get their attention?” Having been an IT risk professional in two of the largest global financial institutions before starting my career with Gartner, I have to agree with the statement that the best way to get management’s attention is to build BCM program performance into the annual performance appraisal – typically through the annual audit report grade. Another way is to build the business case for BCM. Check out my note on key performance and risk indicators to make the business case for BCM: http://www.gartner.com/resId=1202114.
Regarding PS-Prep, the jury is still out as to the need/benefit of organizational certification (orgcert). Many attendees with whom I spoke regarding their own firm’s interest in obtaining orgcert were not convinced it is a path they plan to take. Even the plenary session’s What You Need To Know About PS-Prep panel of experts was not able to articulate the business case for orgcert – ‘staying in business’ is not good enough. Our 2009 strategic planning assumption (SPA) is still on target mainly due to the delay in the rollout of the program as well as the unstated business benefit across multiple industry sectors: “By 2012, less than 10% of organizations will have received external certification of their business continuity management and IT disaster recovery programs. Those that do are regulated to do so or will be mandated to do so by their supply chain partners.” (See my note later about the term supply chain.) I frankly don’t see this percentage changing much over the next three years. However, where orgcert is clearly focused is in certain critical infrastructure sectors such as the electric utility sector.
Two interesting contrary points were made during the plenary PS-Prep session:
- Mention was made that having the first firm to obtain orgcert under PS-Prep be a large multinational telecommunications firm – AT&T, to be exact – was not the best way to spur others to do the same, given that AT&T has a lot of resources to apply to the process. I can see their point: it would have been more interesting to have a small or mid-size enterprise be the first, since that would show that an organization other than a huge, already-regulated firm can demonstrate strong BCM performance.
- Concern was expressed that, since the program is one of voluntary compliance, it was spearheaded by the Department of Homeland Security rather than by a business- or commerce-oriented association. I can see this point too, but not just from the voluntary/homeland security angle: my concern is that, with a limited appetite for government funding, PS-Prep may be just a memory within the next five years. We cannot expect to make the business case for orgcert in any viable way if the only voices promoting it are the consultants with a vested interest in its success.
If you are considering orgcert, one key piece of advice I took away from the session PS-Prep Auditing: engage your law firm when deciding on your choice of certification standard. This aha moment occurred when one attendee mentioned that their legal department had limited the scope of “vital records” for the certification process to include only BCM program records such as recovery plans, BIA results, availability risk assessments and so forth. All auditors in the room felt that certification would not be granted with this limited definition of vital records.
Another very important piece of information I gained from the conference was in the session Worlds are Colliding: PS-Prep and The Area of Records Management: true records management is only addressed in the NFPA 1600 standard, which, by the way, is implemented not just in the U.S.
There were many sessions that addressed how to ensure your firm has visibility into the continuity of operations capability of your suppliers. What was interesting was that few of the programs presented go into real depth, such as reviewing the continuity of operations of their suppliers’ suppliers. Gartner defines this process as supplier availability management. We do not call it supply chain availability because the term “supply chain” is tightly aligned with the manufacturing process; therefore the term is not inclusive of all industries. Flashback to PS-Prep: one of the key marketing drivers for orgcert is to ensure your firm covers supplier availability management in its BCM program. Do you need orgcert to ensure you have that supplier visibility? No, you don’t; therefore, don’t conflate orgcert and supplier availability management. I’m not saying not to pursue orgcert; what I am saying is that you need to know the business value of obtaining orgcert and, more importantly, of maintaining it year over year.
With our expanding coverage of crisis/incident management – from both a BCM and an EH&S perspective – I wanted to hear how NIMS/ICS can be used in the private sector. Therefore, I attended the session A Practical Application of ICS. It was clear from the attendees that many private sector organizations are using ICS as part of their BCM program. Two key pieces of advice:
- Use ICS as a model but modify it to fit your own business operations.
- The assigned incident commander will vary based on the type of incident that occurred. For example, if the incident is an IT outage, then someone from the IT department should be in charge. If we have another volcanic ash event, then Human Resources might be a good incident commander.
There were many sessions on performing a risk assessment, presenting BIA results, and redefining the BIA. The key take-away from the session Performing the Risk Assessment: get management buy-in first – any loss under $50 million is chump change for some firms.
Finally, I wish I had attended the sessions on exercising best practices and the state of the BCM profession. Maybe next year….