Educating Continuity Professionals to Work in a Global and Connected World

By Lyndon Bird | August 1st, 2007

Anyone new to the world of business continuity might be excused for being totally confused about what they need to know and how they might acquire that knowledge.

Certainly there is no shortage of organizations that claim to be authorities on the subject, many of them commercial ventures in the training world. There are also the professional organizations who provide certification programs for qualified practitioners. They are now being joined in this space by somewhat more academic bodies.

There have always been information exchange and networking groups eager to share views and experiences, and one of the first of these was the UK organization Survive (now ironically no longer in existence). In the US many such groups, like the Association of Contingency Planners (ACP), Contingency Planning Exchange (CPE) and NEDRIX have existed for many years.

In less mature BCM territories we are seeing national groups of professionals emerging such as the BCMNet in Switzerland and the BCAO in Japan. It is no coincidence that both DRI International and the BCI have clearly upped their game in recent months with greater emphasis on their global message and increased cooperation with local groups, forums or chapters. Both these two major institutes have recognised the need for a local focus on regional-specific issues, while maintaining a global consistency in a shrinking business world.

Global concerns are of high importance to the International Association of Emergency Managers (IAEM). In recent years, IAEM has recognized and is working to address difficulties emergency managers around the globe face in getting education and training. The International Consortium for Organizational Resilience (ICOR) is working to bring together numerous silos, professions, or separate bodies of knowledge that together support resiliency into one profession entitled “Organizational Resilience.”

Universities and colleges are incorporating BCM topics into their curricula – a sure sign of the growth of business continuity as a key discipline. DRI International has begun partnering with schools such as Champlain College and Western Washington University to strengthen their BCM programs. Although BCM is still heavily outnumbered by courses in Emergency Management, Risk Management or Homeland Security, it is steadily gaining ground. This trend is not only in North America but also in Europe and Asia.

Global Issues
Business Continuity Management is now a much wider issue than purely disaster recovery or emergency response. In large organizations, whether in the private or government sector, we are rarely looking at just local problems. We live in a connected world in which many risks are shared by all.

There are both more risks and an increased perception of risk, some of which is real and some created by the media. However, it is certain the threats are more global. Businesses have far more economic interdependency between regions than ever before. They rely on longer and global supply chains for physical production of the goods, and often rely on offshore and outsourced operations for much of the service delivery and back office administration.

Virtually all major European and US corporations have some outsourced activities, mainly in India and Southeast Asia. The simplistic approach adopted by some companies towards BCM in their outsourced operations will just not work. Contracts and SLAs are important, but partnership and strategic cooperation are equally vital in dealing with a major incident.

Probably the most global industry of all is the financial sector, where regulation, legislation and standards have started to take hold. Compliance with a myriad of different requirements in different countries is making the role of the compliance professional both challenging and risky. In the financial world, BCM is now seen as a compliance issue rather than a risk, security or emergency planning issue.

In this context, yet another piece of the BCM puzzle is rapidly fitting into place: the role of the national and international standards organizations and the regulators. This is the basis upon which future organizations are going to be measured and where C-Level executives are likely to focus their attention.

In the words of the world’s best investor, Warren Buffett, “It can take 20 years to build a business and 15 minutes to destroy it.” Directors and officers are becoming acutely aware of this reality following the corporate governance scandals of the early part of this century.

BCM Related Disciplines
Because the scale and scope of BCM is very broad, it has already been incorporated into many related disciplines. Typically these are Risk Management, Emergency Planning, Physical Security, Information Availability & Security, and Quality Management Audit. In these fields you will find professional bodies including aspects of BCM in their own training and certification programs. Although this is reasonable, the aspiring BCM professional must realize these views of BCM are from a specific perspective rather than from a holistic approach. A good example of this is the ISO 17799 Code of Practice, now offered under the ISO 27001 banner as a full Information Security standard. The much-quoted BCM portions in this standard refer, at best, to system availability and recoverability, not at all to the business view of the subject. Likewise the ASIS Guidelines, which are excellent in themselves, concentrate on physical incident response, which is only part of wide-scale BCM. Certainly you will also be able to find a lot of information about BCM in the ISACA, CISSP, ITIL, and CoBIT programs. A key player in North America, IAEM reflects the high degree of integration and overlap between Emergency Management and BCM in the US and Canada. This is reflected in the US standard NFPA1600 that combines both BCM and Emergency Management. This is also a feature of DRI International philosophy, which emphasizes the overlap very strongly.

In the UK and central Europe, where large-scale natural disasters have been much less prevalent than in North America, there is less drive to combine the topics. BCM is more closely aligned to operational risk, business strategy or supply chain management. In Japan the main emphasis tends to be on earthquake resilience, and in India the priority is audit and compliance for their outsourcing operations. Israel’s view is understandable – almost entirely security focused. Australia has a strong risk management approach while Singapore and Hong Kong are IT-centric in their perception of BCM.

With such divergent drivers it makes a globally accepted concept of BCM difficult to achieve and adds even more confusion to the aspiring BCM newcomer.

The rest of this review attempts to bring some clarity to the plethora of competing claims and guidelines. It is important to recognize there are really three separate but related questions to consider.

  1. What does an individual need to know to become accepted as a BCM or Emergency Management professional? (This issue is addressed separately on page 12 of this publication.)
  2. What do organizations need to do for their BCM programs to become accredited by qualified external bodies?
  3. How does the BCM practitioner facilitate this process within his or her own organization?

Becoming a BCM Accredited Company
More and more organizations want to demonstrate their commitment to resiliency to current and potential stakeholders. There is a growing awareness of what business continuity really is and why it is so important to corporate survival.

This can be manifested in different ways. For example a disaster in Asia might mean a break in a key part of a US or European supply chain. This might mean loss of business and cash, it may mean loss of market share or reputation, and of course one company’s disaster can be a competitor’s opportunity. Service delivery failure might well be picked up by the media, leading to loss of confidence from customers, suppliers or investors. In relation to most events there will be key people issues which need managing.

We need common standards for BCM that can be applied across all business sectors and geographical areas. This is a complex task but one that is getting much attention.

Many people look to ISO for a commonly accepted BCM standard, and this is starting to emerge. However, various national BCM standards are also wrestling for prime position. The two main contenders have been ANSI/NFPA1600 and the BS25999 standard.

Other countries, such as Australia and Singapore, are actively moving on standards that differ from both BS25999 and NFPA1600. Australia has produced their Business Continuity handbook, HB 221:2003. Although it is not a formal standard, it is informally treated as one in Australasian territories. The Australian Prudential Authority (APRA) has also implemented regulation for the finance sector via their standard APS-232-BCM. The Singapore directive TR19:2005 on BCM is mainly related to IT recovery standards and has replaced the earlier and somewhat wider SPRING directive of 2003, which was based mainly on the early standard PAS56.

ISO is pulling together a number of national standards bodies and has recently released ISO PAS 22399, designed to incorporate the best from the US, UK, Australia, Japan and Israel standards. A PAS is not a full standard and it might take a number of years before it becomes one. It is currently called “A Specification for Incident Preparedness and Operational Continuity,” which adds unnecessary confusion when all the source standards it has consolidated have used the “Business Continuity” nomenclature.

In Japan and Korea, firms are already starting to get a preliminary assessment against BS25999. In the UK, all of the certification bodies are putting their programs in place to start accrediting firms against the standard. It appears the US is still ambivalent about the value of this approach, but the rapid international acceptance will probably result in US global firms being involved for their overseas operations at least.

The drive towards standards is not only through ISO and its national member organizations. Legislation has also taken quite an active (if often badly understood) role in BCM in recent years. The most obvious example was Sarbanes-Oxley, which forced firms to re-think their entire internal controls and corporate governance.

However, more directly related to BCM is the new law (August, 2007) titled “Implementing Recommendations of the 9/11 Commission Act of 2007”. It is also called HR1 and Public Law 110-53, and is likely to have much impact in the North American business continuity community. Whether this law (which aims to create a certification program for all-hazards business emergency preparedness) will have any impact beyond the US and Canada is questionable, as the ISO and other national standards will be well established before any results of this initiative become available. See page 20 in this issue for a discussion of this law.

In some ways the most powerful drivers are the standards being imposed by separate industry regulatory bodies. There are strong guidelines from the financial regulators in the US and the UK and effectively mandatory rules on BCM in Singapore and Malaysia. Australia’s regulator APRA has issued a draft standard they expect to make fully mandatory. The international nature of this sector of business and the economic power such global firms possess make worldwide consistency for financial markets very important. There is clear evidence of a coming together of BCM thinking among the various financial regulators, which is likely to be a strong driver for more standardization. The Basel Committee on Banking Supervision, Joint Forum has issued a ‘7 high-level principles’ document for BCM that individual country regulators will look to enforce. The countries represented were: USA, UK, Canada, France, Netherlands, Hong Kong, and Japan, so although not universal, it represents most of the major players in financial markets. These countries have agreed to adopt these principles in their inspection and accreditation regimes, although the precise details of individual country schemes will vary.

How to Facilitate the Process
Given that the BCM practitioner has an excellent understanding of BCM, he or she could be considered the primary focal point for BCM activities in their organization. Historically, that would be sufficient to successfully discharge the duties of the BC manager role. However, now that we are seeing a trend of measuring the effectiveness of BCM in an organization using one or more of the standards discussed in the previous section, the role of the BC manager is becoming more complex. More than creating a good BCM capability for his or her company, they will need to demonstrate compliance to a growing set of external metrics. For many years the role of the BC manager was essentially a practical one; now it requires knowledge of auditing and compliance in addition to the subject matter expertise.

Paradoxically this might benefit those BC managers with an IT and/or information security background. Although BCM was brought into mainstream business and out of the technology space in the 1990s, the people in an organization most familiar with formal standards are from these technical disciplines.

ISO certainly views “Continuity” as part of the suite of standards called Management Systems. They have, in fact, classified it as a requirement for setting up and managing an effective Continuity Management System.

This includes:

  • Understanding business continuity needs and the necessity for establishing policy and objectives for business continuity
  • Implementing and operating controls and measures for managing an organization’s overall business continuity risks
  • Monitoring and reviewing the performance and effectiveness of the system
  • Improving based on objective measurement.

Those people familiar with other ISO standards will see the consistent approach. The main links are to ISO 9001:2000 (Quality Management Systems), ISO 14001:2004 (Environmental Management Systems), IEC 27001:2005 (Information Security Management Systems) and ISO/IEC 20000-2:2005 (IT Service Management). The general model called Plan, Do, Check, Act (PDCA) applies throughout. This cycle is aimed at establishing, implementing, operating, monitoring, exercising, maintaining and improving the effectiveness of an organization’s Continuity Management System.

Clearly one of the areas that a BC Manager needs to concentrate on in his/her new compliance role is the provision and currency of documentation. Although demands from different standard bodies might vary, all will require most of the following to be kept and made available for audit:

  1. Results of reviews of key suppliers and outsourcing partners
  2. Feedback from previous audits, tests or peer reviews
  3. Techniques, products or procedures, which are used in managing the system
  4. Preventative and remedial actions taken and planned
  5. Risk analysis, assessment and definition of acceptable risk
  6. Internal and external changes that might affect the BCM process
  7. History of previous tests, results, feedback and actions taken
  8. Proof of good practice being encouraged throughout the organization
  9. Descriptions of and lessons learned from any incidents
  10. Descriptions and schedules for awareness and training programs

Conclusion
For those people who are now choosing a career in Business Continuity, the opportunities could not be better. Not only are the existing professional institutes promoting it, so are governments, regulators and national standards bodies. There is a wide range of education available of variable quality, so it is critical to work with a respected and expert organization for your training. Joining a professional institute will help your career development, but again only join those with international reputation and credibility. University and college courses are also a good source of learning with the additional kudos of an academic qualification.

The adoption of more formal standards and compliance in the BCM field is aimed at improving both quality and consistency of organization programs. This cannot be achieved without highly skilled BCM professionals, but those professionals will need to adapt to the changing demands. The need to understand global business trends and the implications on BCM will be vital in the future. The ability to empathise and work with synergistic disciplines will be crucial to success. The day when we start to see a C-level executive role for continuity is perhaps closer than many realize.


About the Author: Lyndon Bird

Lyndon Bird has worked exclusively in business continuity since 1986 as a consultant, presenter, educator, author, and business manager. He has spoken at and chaired conferences throughout the world and has contributed features, articles and interviews to most leading business and specialist publications. He has been interviewed by major broadcasters, including the BBC, Sky News, Bloomberg TV and CNBC on a wide range of continuity and resilience topics.

Lyndon Bird is currently Chief Knowledge Officer for DRI International, chairs the DRI Future Vision Committee and is primary author of the annual DRI Resilience Trends and Forecast Reviews. After a decade in DR and BCM consulting, he helped found the Business Continuity Institute to promote and develop the discipline as an accepted professional field of work. He later became Chairman and International Technical Director of the Institute. He was voted BCM Consultant of the Year in 2002 and given the BCM Lifetime Award in 2004 by UK publication Continuity, Insurance & Risk. He has edited the peer-reviewed professional publication “The Journal of Business Continuity and Emergency Planning” for over 10 years. He was a member of the original BS25999 Technical Committee that wrote the standard that formed the basis for ISO22301.
As well as his own writings, he has always been keen to give opportunities for others to develop and publish new concepts and ideas. His edited book “Operational Resilience in the Financial Sector” brought together many experts from around the world to discuss a diverse range of risk and resilience topics.
