Reading Time: 5 minutes
There is something that bothers many Management Consultants in the Business Continuity and Information Technology field.
Have you tried to search for the terms “Business Continuity” or “Business Continuity Planning” on Google or Bing search engines recently? Please do, and the results may surprise you. Once you skip over a few Google ads and relevant, but not local, articles (e.g. Wikipedia), you will find link after link to articles written by local Managed Service Providers (MSPs).
If you are wondering what an MSP is, TechTarget defines it as “a company that remotely manages a customer's IT infrastructure and/or end-user systems, typically on a proactive basis and under a subscription model.”, but we digress.
If you are brave enough and decide to click on any of those searched links, you will be met with a carefully designed and written corporate landing page. They will all have some very high-level, but somewhat relevant business continuity related jargon, but in the first few sentences, the narrative will change from Business Continuity to IT Disaster Recovery.
Furthermore, if you care to continue reading, these MSP’s will start to pitch whatever product or vendor they are licensed to sell and distribute. The web-page message, tone, and the focus are ultimately geared around the capabilities of that product, and not necessarily anyhow related to the Business Continuity Planning process or methodology itself.
On top of that, MSPs will also suggest helping your organization develop Business Continuity or IT Disaster Recovery plans, which we are sure will be centred around the products they try to sell you. As a result, these plans will be developed without genuinely understanding the ins-and-outs and the complexity of your business.
And that is precisely where the problem is. Our wild guess is that either, these MSPs found a way to use Search Engine Optimization (SEO) techniques to their benefits, or the industry professionals don’t write much about Business Continuity at all.
All of this is making things very difficult for businesses that are trying to address their organizational resilience challenges and increase their business continuity maturity levels.
Business Continuity is not a backup
So, let us address at least one of the problems these articles are trying to promote. Business Continuity is not a data backup. Let us repeat. Business Continuity is not a data backup.
It is a strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions to continue business operations at an acceptable predefined level. An ISO 22301:2019 standard similarly defines it as “the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.”
Business Continuity, and more broadly, Organizational Resilience, are much more than IT systems backup or recovery capability, which usually happens after the disruption. The new ISO 22316:2017 standard defines Organizational Resilience as the “ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper.”
Business Continuity Planning process will uncover your critical business processes and functions. It will define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). It will outline your recovery strategies so your business can continue operating when disaster strikes.
Organizational resilience is a discipline, and there is no single approach to improve it or enhance it. Many business management disciplines, including Business Continuity Management (BCM) and Operational Risk Management (ORM), contribute to continuous improvement and safeguards of the organization’s resources and strategic goals.
The end goal is all about changing the organization’s culture to “live and breathe” the resilience and implement sound business practices to manage risks effectively.
Start with a Business Continuity Management (BCM) Program
An excellent first step your organization can take to address organizational resilience is the implementation of a BCM Program. One of the approaches which can be followed is the Disaster Recovery Institute International (DRII) methodology, which introduces the following disciplines:
- Risk Assessment and Business Impact Analysis
- Business Continuity Strategies and Business Continuity Planning
- Incident Response (Crisis, Emergency, etc.)
- Training, Awareness and Exercises
- Crisis Communication and External Agencies Coordination
And only then, after the BCM Program implementation is started, business risks and threats are evaluated, and recovery strategies are developed, organizations should begin addressing their IT Disaster Recovery backup and systems recovery requirements.
Most smaller to medium-sized MSPs might not be capable of meeting all the business continuity requirements outlined in this article, but for sure they will help you implement the cloud-based product of their choice (read: with the highest margin) and develop a subpar business continuity plan.
We are not against MSPs
And please don’t get us wrong. We are not against MSPs. They provide invaluable services for organizations with limited Information Technology resources. They are the guys who can provide you with the cloud-based infrastructure required for your business, and whom you call when you have problems with your applications or desktop issues.
They are also the ones who will ultimately help you recover your IT systems and applications past disruption. However, because many of them sell products and run IT fulfillment business lines, they will usually not equipped to provide objective and vendor-agnostic Business Continuity or IT advisory related services.
Over the years, we have worked with and assessed quite a few MSPs, and we see a pattern that is somewhat concerning. Once the cloud-based IT Disaster Recovery platform of their choice is implemented, few MSPs develop a written Business Continuity or IT Disaster Recovery Plan, which are based on outcomes of the Business Continuity Planning activities.
Moreover, once plans are implemented, they are not at the table when new products or services are discussed and introduced across the organization.
What could go wrong?
Over time, this approach creates a capability gap and problems are usually only discovered once something goes seriously wrong. The usual chain of events during a business disruption is a failure of the business to recover, finger-pointing with an MSP, loss of business and revenue, and possibly a loss of employment for the few individuals deemed responsible. Only after this process will organizations reach out for help and seek an independent and objective business continuity professional.
We, the Business Continuity professionals, must educate our clients about what organizational resilience is, and how they should implement it. Also, small and mid-sized organizations must assess their MSP's capabilities and ensure that their recommended IT Disaster Recovery solutions are in line with their business requirements.
This usually means a full assessment by an objective third party, and not somebody who’s revenue entirely depends on their clients buying more products or services.
What should the organization do?
And what are the organization’s business continuity requirements? Well, the organization can start with a BCM Program assessment, which will provide a capability gap and recommendations for addressing program deficiencies.
The result could be the full-blown implementation of a BCM Program across the organization or a series of program component updates that will ensure alignment with industry standards and the organization’s strategic vision.
And as you know from reading this article, this is not something your organization should ask an MSP to execute.
This article was originally published on LinkedIn and modified for this platform.
StratoGrid Advisory is a Business Continuity Management (BCM) Advisory firm in the Ottawa/Gatineau region that can provide you with the experience and knowledge needed to sucsesfully implement a BCM Program in your organization.