For years I thought I was a business continuity planner.
I knew from the beginning I was more than a disaster recovery planner, despite my certifications.
In fact, looking back on some vintage (circa 1998) promotional material I did for my then employer, I can honestly write that I was waving flags for enterprise, holistic, all-inclusive plans.
Aside from refining my thoughts a bit and having more items on my checklist of things to consider, little changed until a couple of months ago.
I was chatting with a fellow planner, and I was mentioning that planners must consider all the risks to an organization. Operative word is “all.”
Then the planner has to prioritize the identified risks.
After that, the planner must find ways to avoid or mitigate the risks.
Finally, the planner needs to develop methods to respond to the risks if, despite the planner’s best efforts, the risks stubbornly insist on occurring.
Keep those four sentences in mind for a moment.
When I create an enterprise plan – I also, reluctantly, create “focused” business unit and IT-specific plans – I try to cover all the bases. That means I consider insurance coverage in all its forms – property, liability, personal injury, business interruption, etc. – and the potential return on investments.
Does it meet the Goldilocks test? Is it too much, too little, or “just right?”
I also consider financial backing – is it strong, will it continue or leave my organization stranded in mid-project? How good is the bond rating? Are the stocks consistently moving up or down and is the movement expected (vs. “wished for”)?
Insurance and financial support are serious risks all planners should consider.
OK, now back to the first four sentences under the “definitions” heading.
All have one word in common.
Not once in those four sentences do the words “business continuity” or even “disaster recovery” appear.
“Risks,” on the other hand, appears five times. Count ’em.
I have been telling people since the late 1990s that I am a business continuity planner.
Most of the time I get a blank stare. If I’m lucky, I am queried with, “What’s that?”
Finally, talking with that other planner, the light came on.
What I create are, in truth, risk management plans.
Identifying a Business Risk
Turns out I may have been a lousy risk manager since I failed to see that calling myself a “business continuity planner” was a risk to my income.
Many people don’t understand “business continuity,” especially if they think they understand “disaster recovery” which, to most non-planners, means “restore IT.”
What am I, actually?
I’m a risk manager.
True, I am not a CPA, CFP, or AICPCU, CLU/CRIS/LOMA, but then I also lack SANS, CISSP, Microsoft MCSE, PHR/SHRM, and other professional certifications.
For all that, a planner should be expected to include accounting, financial planning, insurance, IT, and HR in the plan.
While some plan sponsors may feel it necessary for the planner to have an IT background, sponsors who truly understand what the program is all about understand that the planner needs to be a subject matter expert (SME) in only one area: risk management (in this case also known as business continuity).
Most organizations have SMEs for accounting, financial planning, insurance, IT, and HR as well as the product or service the organization provides.
The planner must understand his or her limitations and know how to engage and utilize the brain power of both internal and external SMEs.
Bottom line: While I won’t claim to be a “risk manager” in a narrow sense (i.e. accounting, insurance), what I do is in the final analysis risk management.
Risk management has the benefits of being more generally understood and, for most people, a broader term than “business continuity.”
People understand the word “risk.”
According to the Merriam-Webster Online dictionary, risk is defined as:
- possibility of loss or injury: peril
- someone or something that creates or suggests a hazard
- a: the chance of loss or the perils to the subject matter of an insurance contract; also : the degree of probability of such loss
  b: a person or thing that is a specified hazard to an insurer <a poor risk for insurance>
  c: an insurance hazard from a specified cause or source <war risk>
- the chance that an investment (as a stock or commodity) will lose value
Management, from the same source, is given as:
- the act or art of managing : the conducting or supervising of something (as a business)
- judicious use of means to accomplish an end
- the collective body of those who manage or direct an enterprise
Conversely, the two words which make up “business continuity” are less associated with what planners are paid to accomplish. There is no suggestion of what a business continuity plan is all about; go back to those first four sentences under the “definitions” heading and recall the one word that appears in each sentence.
Risk management, as with business continuity, may be a focused function. It may follow the business continuity attributes of “enterprise,” “business unit,” and “IT”; it also may have the more commonly associated attributes of “financial” and “insurance” in front of the two words.
The bottom line remains the same:
- Identify the reason the organization exists
- Look for risks
- Prioritize the risks
- Find ways to avoid or mitigate the risks
- Develop means to respond to the risks if/when they occur
- Create a process to maintain the plan and a methodology to train the responders.
Organizations work diligently to create names for themselves which, if not a founder’s name, reflect what the organization is all about. With names like General Motors, General Electric, Delta Airlines, Jewish Federation, Ft. Lauderdale Chamber of Commerce, and Palm Beach Gardens Medical Center, the organization’s core interest is obvious.
“Business continuity” may seem obvious to those in the know, but unless it is equally obvious to those outside the fold, planners’ efforts to preach to the populace are being thwarted by a lack of “customer” understanding.
I have been, and I will continue to be, a business continuity planner.
But I think I will identify myself first as a risk manager.
That, at least as I see it, is what business continuity is really all about.
John Glenn, MBCI (http://JohnGlennMBCI.com) is an enterprise risk management - business continuity practitioner with more than 13 years' experience seeking staff or staff consulting work in, or from, southeast Florida.