We are called by many names, most of them polite.
Alphabetically, we are
- Business continuity practitioners
- Disaster recovery practitioners
- Resiliency planners
- Risk managers
Over the course of my 15-plus years' career I've also been called a business analyst and a process engineer.
Does ANY title reflect what I really do?
Since my primary language is English and since most of my clients' primary language is English, let's see what Merriam-Webster Online has to say about the four primary titles.
Business + Continuity
1 archaic: purposeful activity : busyness
2 a: role, function <how the human mind went about its business of learning — H. A. Overstreet>
  b: an immediate task or objective : mission <what is your business here>
  c: a particular field of endeavor <the best in the business>
3 a: a usually commercial or mercantile activity engaged in as a means of livelihood : trade, line <in the restaurant business>
  b: a commercial or sometimes an industrial enterprise; also: such enterprises <the business district>
  c: dealings or transactions especially of an economic nature : patronage <took their business elsewhere>
Disaster + Recovery
1 obsolete: an unfavorable aspect of a planet or star
2: a sudden calamitous event bringing great damage, loss, or destruction; broadly: a sudden or great misfortune or failure <the party was a disaster>
Resiliency
1: the capability of a strained body to recover its size and shape after deformation caused especially by compressive stress
2: an ability to recover from or adjust easily to misfortune or change
Risk + Management
1: possibility of loss or injury : peril
2: someone or something that creates or suggests a hazard
3 a: the chance of loss or the perils to the subject matter of an insurance contract; also: the degree of probability of such loss
  b: a person or thing that is a specified hazard to an insurer
  c: an insurance hazard from a specified cause or source <war risk>
4: the chance that an investment (as a stock or commodity) will lose value
In plain English
What is it that we do; what is the process?
By the numbers
- Create a statement of work and project plan
- Create a business impact and risk analysis that consists of
  - List of critical processes
  - List of process dependencies, both internal and external
  - List of risks/threats to the critical processes
  - List of ways to avoid or mitigate - to manage - the risks
- Create response plans to manage the risks
- Create a training and exercise program to respond to (manage) the risks
- Create a process to maintain the program
Where's "business" in the process?
Is "business" mentioned anywhere in the list?
Perhaps its absence is because risk management applies not only to what we typically consider a "business" but to charities, government, industry, and non-profits.
"Continuity" is suggested albeit never stated.
What is absent from the dictionary definitions is risk avoidance and mitigation. Experienced business continuity practitioners understand that risk avoidance and mitigation are key concerns of the plan, but this is not reflected in the name.
Disaster recovery = Pick up the pieces
Disaster recovery is the forefather of business continuity and risk management.
By and large it ignored, and continues to ignore,
- Risk identification
- Risk avoidance and mitigation options
Moreover, disaster recovery almost always focuses solely on information technology. As most planners understand, IT usually is not an organization's profit center or raison d'etre; most often it is a resource, albeit a critical one.
In an "enlightened" IT environment someone visits the profit centers and asks them what IT services are needed, according to the profit centers' priorities. These priorities are "subject to change" based on many factors, including time of day, day of week, and time of month, quarter, or year.
Resiliency
Unlike business continuity, there is no hint of avoidance or mitigation. Resiliency as practiced by most organizations is simply another name for disaster recovery:
- Figure out what needs to be available
- Figure out how to recover if a resource fails
- Plan to move IT to another location if the current site is damaged
Rarely does a resiliency plan include restoring IT back to its original home or to a new facility.
Even more rarely does a resiliency plan include consideration of the profit centers that pay for IT.
Risk + Management
Go back to the heading "In plain English" and reread the text immediately below.
That defines "risk management."
Management of all risks/threats.
Not just IT.
Not just the internal "usual suspects" of AR/AP, facilities, HR, production, QA/QC, shipping and receiving, but ability to meet current and future customer requirements, communications, executive management, insurance, legal, licensing, sales, and everything else within the organization.
External risks beyond just vendors also must be considered and addressed: clients/customers, competition, environment, financing, government changes and fiats, market fluctuations, transportation to and from the organization, and a host of other threats that can only be identified through open communication with all personnel -- not just a selected few.
Business continuity, while it looks at most internal and a few external threats, often fails to expand beyond those "usual suspects."
What we need to be
Risk management practitioners have, over time, graduated from "pick-up-the-pieces" disaster recovery and its pseudonym du jour, "resiliency," to a process that focuses on preventing an event or at least mitigating its impact on the organization.
Business continuity practitioners (should) depend upon functional unit subject matter experts (SMEs) to identify threats and means to avoid or mitigate them.
Risk managers do the same thing, except their list of SMEs is far more substantial and expands outward. Where the business continuity practitioner might have had dealings with local government, the risk management practitioner interacts with trade groups and lobbyists at the state and federal levels; the practitioner works with in-house and external lawyers and insurance experts.
In order to ensure continuity of operations - this time the government did "get it right" with COOP -- practitioners must "graduate" into the enterprise risk management function.
As with business continuity, the practitioner need not be an SME in all things; the practitioner need only be a congenial SME in risk management -- with a little sales and marketing to convince senior management that having an umbrella manager of all risks is good business.