Tagged in: Untagged
There has been some puzzled faces questioning our BC prediction number 4 – “Contingency Planning will become fashionable again as a part of a broader understanding of Business Continuity which includes Continuity Capability and Crisis Response”.
Without stealing the thunder of my colleague Lee Glendon who is researching this proposition and will issue a discussion paper on the topic later during BCAW 2013, I think it is becoming obvious that conventional BCM as defined by a management system does not cover the full range of BC thinking. British Standards are working on a Crisis Management Standard (BS11200) and an Organizational Resilience Standard (BS45000) so we can only assume that they agree with us.
If you reflect on many of the issues that we habitually discuss as BC professionals, many are more akin to the BSi view of Organizational Resilience or Crisis Management than the detailed planning envisaged by conventional BCM methodologies. The limitations imposed by conventional approaches have led to the assertion: “risks which concern BCM lend themselves to a pre-planned response whereas crises are often produced by risks that have not been identified” (PAS 200:2011).
This naturally leads to the question of why such a distinction needs to be made and reminds me of the old “known/unknown, knowns/unknows” debate. To me I have always felt that the natural home of BCM is in the “known,unknown” category – that is we know a type of incident could happen (e.g. fire) but we have no real idea of how, where, when or its likely severity. Therefore we must plan for the worst case and train people accordingly. Actually it can be argued that what is really important is having the capability in place, a plan is fine but without the resources it is largely ineffective.
The promoters of Crisis Management (CM) might argue that it is about dealing with “unknown, unknowns” – the things that we haven’t thought about yet. However that is probably not really true as most of the things that result in a crisis (media attack, inappropriate PR, legal, regulatory or safety breaches) are known about – it’s just you don’t know the how, where, when or severity. To me that sounds very familiar to BCM and I can really only conclude the difference between BCM and CM is just the type of incident (perhaps operational failure for BCM rather than reputational damage for CM).
In fact, organizational resilience lends itself to both topics; PAS200 states that BCM and CM must “operate at the same time in a coherent, integrated and complementary way”. So perhaps the old-fashioned word contingency might not be so bad after all. In a resilient organization we would have contingency for regular failures (holding inventory and duplication of resources are really contingency measures), contracted extra resources and capability to handle continuity problems and a management philosophy able to deal with the issues arbitrarily defined under Crisis Management.