A rose by any other name

Written by  John Glenn August 15, 2012

We are called by many names, most of them polite.

Alphabetically, we are

  • Business continuity practitioners
  • Disaster recovery practitioners
  • Resiliency planners
  • Risk managers

Over the course of my 15-plus years' career I've also been called a business analyst and a process engineer.

Does ANY title reflect what I really do?

Since my primary language is English and since most of my clients' primary language is English, let's see what Merriam-Webster Online has to say about the four primary titles.

Business + Continuity


Business
http://www.merriam-webster.com/dictionary/business
1 archaic: purposeful activity : busyness
2
a: role, function <how the human mind went about its business of learning — H. A. Overstreet>
b: an immediate task or objective : mission <what is your business here>
c: a particular field of endeavor <the best in the business>
3
a: a usually commercial or mercantile activity engaged in as a means of livelihood : trade, line <in the restaurant business>
b: a commercial or sometimes an industrial enterprise; also: such enterprises <the business district>
c: dealings or transactions especially of an economic nature : patronage <took their business elsewhere>

Continuity
http://www.merriam-webster.com/dictionary/continuity?show=0&t=1338907354
1
a: uninterrupted connection, succession, or union
b: uninterrupted duration or continuation especially without essential change
2: something that has, exhibits, or provides continuity: as a: a script or scenario in the performing arts b: transitional spoken or musical matter especially for a radio or television program c: the story and dialogue of a comic strip
3: the property of being mathematically continuous

Disaster + Recovery


Disaster
http://www.merriam-webster.com/dictionary/disaster
1 obsolete: an unfavorable aspect of a planet or star
2: a sudden calamitous event bringing great damage, loss, or destruction; broadly: a sudden or great misfortune or failure <the party was a disaster>

Recovery
http://www.merriam-webster.com/dictionary/recovery
1: the act, process, or an instance of recovering; especially: an economic upturn (as after a depression)
2: the process of combating a disorder (as alcoholism) or a real or perceived problem


Resilience


Resilience
http://www.merriam-webster.com/dictionary/resilience
1: the capability of a strained body to recover its size and shape after deformation caused especially by compressive stress
2: an ability to recover from or adjust easily to misfortune or change

Risk + Management


Risk
http://www.merriam-webster.com/dictionary/risk
1: possibility of loss or injury : peril
2: someone or something that creates or suggests a hazard
3
a: the chance of loss or the perils to the subject matter of an insurance contract; also: the degree of probability of such loss
b: a person or thing that is a specified hazard to an insurer
c: an insurance hazard from a specified cause or source <war risk>
4: the chance that an investment (as a stock or commodity) will lose value

Management
http://www.merriam-webster.com/dictionary/management
1: the act or art of managing : the conducting or supervising of something (as a business)
2: judicious use of means to accomplish an end
3: the collective body of those who manage or direct an enterprise

In plain English
What is it that we do; what is the process?

By the numbers

  • Create a statement of work and project plan
  • Create a business impact and risk analysis that consists of
      • List of critical processes
      • List of process dependencies, both internal and external
      • List of risks/threats to the critical processes
      • List of ways to avoid or mitigate - to manage - the risks
  • Create response plans to manage the risks
  • Create a training and exercise program to respond to (manage) the risks
  • Create a process to maintain the program

Where's "business" in the process?

Is "business" mentioned anywhere in the list?

Perhaps its absence is because risk management applies not only to what we typically consider a "business" but to charities, government, industry, and non-profits.

"Continuity" is suggested albeit never stated.

What is absent from the dictionary definitions is risk avoidance and mitigation. Experienced business continuity practitioners understand that risk avoidance and mitigation is a key concern of the plan, but this is not reflected in the name.

Disaster recovery = Pick up the pieces

Disaster recovery is the forefather of business continuity and risk management.

By and large it did, and continues to, ignore

  • Risk identification
  • Risk avoidance and mitigation options

Moreover, disaster recovery almost always focuses solely on information technology. As most planners understand, IT usually is not an organization's profit center/raison d'etre; most often it is a resource, albeit a critical one.

In an "enlightened" IT environment someone visits with the profit centers and asks them what IT services are needed according to each profit center's priorities. These priorities are "subject to change" based on many factors, including time of day, day of week, time of month, quarter, or year.

Resiliency
Unlike business continuity, there is no hint of avoidance or mitigation. Resiliency as practiced by most organizations is simply another name for disaster recovery.

  • Figure out what needs to be available
  • Figure out how to recover if the resources fail
  • Plan to move IT to another location if the current site is damaged.

Rarely does a resiliency plan include restoring IT back to its original home or to a new facility.

Even more rarely does a resiliency plan include consideration of the profit centers that pay for IT.

Risk + Management
Go back to the heading "In plain English" and reread the text immediately below.

That defines "risk management."

Management of all risks/threats.

Not just IT.

Not just the internal "usual suspects" of AR/AP, facilities, HR, production, QA/QC, shipping and receiving, but ability to meet current and future customer requirements, communications, executive management, insurance, legal, licensing, sales, and everything else within the organization.

External risks beyond just vendors also must be considered and addressed. Risks such as clients/customers, competition, environment, financing, government changes and fiats, market fluctuations, transportation to and from the organization, and a host of other threats that only can be identified by open communications with all personnel -- not just a selected few.

Business continuity, while it looks at most internal and a few external threats, often fails to expand beyond those "usual suspects."

What we need to be

Risk management practitioners have, over time, graduated from "pick-up-the-pieces" disaster recovery and its pseudonym du jour, "resiliency," to a process that focuses on preventing an event or at least mitigating its impact on the organization.

Business continuity practitioners (should) depend upon functional unit subject matter experts (SMEs) to identify threats and means to avoid or mitigate them.

Risk managers do the same thing, except their list of SMEs is far more substantial and expands outward. Where the business continuity practitioner might have had dealings with local government, the risk management practitioner interacts with trade groups and lobbyists at the state and federal levels; the practitioner works with in-house and external lawyers and insurance experts.

In order to ensure continuity of operations -- this time the government did "get it right" with COOP -- practitioners must "graduate" into the enterprise risk management function.

As with business continuity, the practitioner need not be an SME in all things; the practitioner need only be a congenial SME in risk management -- with a little sales and marketing to convince senior management that having an umbrella manager of all risks is good business.