There is something which bothers many Management Consultants in the Business Continuity and Information Technology field.
Have you tried to search for the terms “Business Continuity” or “Business Continuity Planning” on the Google or Bing search engines recently? Please do, and the results may surprise you. Once you skip over a few Google ads and relevant, but not local, articles (e.g. Wikipedia), you will find link after link to articles written by local Managed Service Providers (MSPs).
If you are wondering what an MSP is, TechTarget defines it as “a company that remotely manages a customer's IT infrastructure and/or end-user systems, typically on a proactive basis and under a subscription model.” But we digress.
If you are brave enough to click on any of those search results, you will be met with a carefully designed and written corporate landing page. Each will open with some very high-level, somewhat relevant business continuity jargon, but within the first few sentences the narrative will change from Business Continuity to IT Disaster Recovery. Furthermore, if you care to continue reading, these MSPs will start to pitch whatever product or vendor they are licensed to sell and distribute. The web page's message, tone, and focus are ultimately geared around the capabilities of that product, and are not necessarily related in any way to the Business Continuity Planning process or methodology itself. On top of that, MSPs will also offer to help your organization develop Business Continuity or IT Disaster Recovery plans, which we are sure will be centred around the products they try to sell you, and will be developed without truly understanding the ins and outs and the complexity of your business.
And that is exactly where the problem is. Our wild guess is that either these MSPs found a way to use Search Engine Optimization (SEO) techniques to their benefit, or the industry professionals don’t write much about Business Continuity at all.
All of this is making things very difficult for businesses which are trying to address their organizational resilience challenges and increase their business continuity maturity levels.
Business Continuity is not a backup
So, let us address at least one of the problems these articles are trying to promote. Business Continuity is not a data backup. Let us repeat. Business Continuity is not a data backup. It is a strategic and tactical capability of the organization to plan for, and respond to, incidents and business disruptions in order to continue business operations at an acceptable predefined level. The ISO 22301:2012 standard similarly defines it as “the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident”.
Business Continuity, and more broadly Organizational Resilience, are much more than IT systems backup or a recovery capability, both of which usually come into play after the disruption. The new ISO 22316:2017 standard defines Organizational Resilience as the “ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper”.
Organizational Resilience is a discipline, and there is no single approach to improve or enhance it. Many business management disciplines, including Business Continuity Management (BCM) and Operational Risk Management (ORM), contribute to continuous improvement and to safeguarding the organization’s resources and strategic goals. The end goal is all about changing the organization’s culture to “live and breathe” resilience and implement good business practices to effectively manage risks.
Start with a Business Continuity Management (BCM) Program
A good first step your organization can take to address organizational resilience is the implementation of a BCM Program. One of the approaches which can be followed is the Disaster Recovery Institute International (DRII) methodology, which introduces the following disciplines:
- Risk Assessment and Business Impact Analysis
- Business Continuity Strategies and Business Continuity Planning
- Incident Response (Crisis, Emergency, etc.)
- Training, Awareness and Exercises
- Crisis Communication and External Agencies Coordination
And only then, after the BCM Program implementation is started, business risks and threats are evaluated, and recovery strategies are developed, should organizations start addressing their IT Disaster Recovery backup and systems recovery requirements. Most smaller to mid-size MSPs might not be capable of meeting all the business continuity requirements outlined in this article, but for sure they will help you implement the cloud-based product of their choice (read: with the highest margin) and develop a subpar business continuity plan.
And please don’t get us wrong. We are not against MSPs. They provide invaluable services for organizations with limited Information Technology resources. They are the guys who can provide you with the cloud-based infrastructure required for your business, and whom you call when you have problems with your applications or desktop issues. They are also the ones who will ultimately help you recover your IT systems and applications after a disruption. However, because many of them sell products and run IT fulfillment business lines, they are usually not equipped to provide objective and vendor-agnostic Business Continuity or IT advisory services.
Over the years we have worked with and assessed quite a few MSPs, and we see a pattern which is somewhat concerning. Once the cloud-based IT Disaster Recovery platform of their choice is implemented, few MSPs develop a written Business Continuity or IT Disaster Recovery Plan that is based on the outcomes of the Business Continuity Planning activities. Moreover, once plans are implemented, they are not at the table when new products or services are discussed and introduced across the organization.
What could go wrong?
Over time, this approach creates a capability gap and problems are usually only discovered once something goes seriously wrong. The usual chain of events during a business disruption is a failure of the business to recover, finger-pointing with an MSP, loss of business and revenue, and possibly a loss of employment for the few individuals deemed responsible. Only after this process will organizations reach out for help and seek an independent and objective business continuity professional.
Bottom line: we, the Business Continuity professionals, must educate our clients about what organizational resilience is, and how they should implement it. In addition, small and mid-sized organizations must assess their MSP’s capabilities and ensure that the recommended IT Disaster Recovery solutions are in line with their business requirements. This usually means a full assessment by an objective third party, and not somebody whose revenue fully depends on their clients buying more products or services.
What should organizations do?
And what are the organization’s business continuity requirements? Well, the organization can start with a BCM Program assessment, which will identify the capability gap and provide recommendations for addressing program deficiencies. The result could be the full-blown implementation of a BCM Program across the organization or a series of program component updates which will ensure alignment with industry standards and the organization’s strategic vision.
And as you know from reading this article, this is not something your organization should ask an MSP to execute.
This article was originally published on LinkedIn and modified for this platform.
StratoGrid Advisory is a Business Continuity Management (BCM) Program Advisory and IT Advisory firm in Ottawa that can provide you with the experience and knowledge needed to successfully implement a BCM Program in your organization.