Jon Seals

The Business Continuity Institute

2017 may be well underway, but I wanted to take the time to reflect on the past, and look ahead to predict the way in which our business continuity profession will continue to mature over the coming year and beyond. In many ways, this 'top five' list is aspirational – that being my hopes for our profession as we solve some entrenched challenges and work to add more value to the organizations we serve.

1. 'Simplicity is the ultimate sophistication'

It was Leonardo da Vinci who delivered this impressive quote.

I’ve seen a tremendous amount of energy around the idea that our approach as business continuity professionals needs to resonate better in our organizations, doing so in a manner that is easier to digest. In other words, pulling back on jargon, stale methodology, and unnecessary complexity. The goal should be to use approaches that are easier to connect to and participate in (from the perspective of the audience that we’re working to protect).

Some 'simplicity' opportunities include:

  • Business impact analysis processes that get to realistic business continuity requirements without endless analysis;
  • Actionable, 'skinny' plans that describe how to recover and clarify how to operate differently until a return to normal; and
  • Training and awareness activities that focus on how to respond to a disruption rather than how to participate in business continuity methodology.

We are going to become much more aware of how our organizations use our tools, processes, and outcomes, and we will become more open-minded and look for ways to make working with us easier and more effective.

2. Meaningful coordination across disciplines

Organizational resilience. Enterprise risk management. Governance, risk, and compliance. These umbrella efforts all involve a broad range of disciplines to enable the organization to manage risk and achieve its objectives. Involving ourselves in these efforts necessitates the need to coordinate, share information, and prioritize where to spend limited resources.

But, what does this coordination look like – and with whom? Some of the most innovative companies are exploring this question and achieving success, which often involves a shared understanding of:

  • The most important products and services (today and into the future)
  • Organizational strategy and priorities (again, today and into the future)
  • Risk appetite (tolerance)
  • The organizational structure and resources necessary to deliver products and services
  • The best way to engage senior leadership in prioritizing and decision-making

Putting aside the topic of where business continuity does or should report to, different disciplines that can and should work together to solve organizational risk issues include physical security, information security, product/marketing, credit risk, legal/regulatory compliance, public relations/communications, information technology, operational risk, and business continuity.

As business continuity professionals, do we need information and engagement such as this? Absolutely! Would it be beneficial to work with others to develop such an understanding and an engagement model, sharing resources and knowledge? No doubt!

I see less of a focus on the disciplines that contribute to managing risk, and more of a focus on the realization of efficient, prioritized outcomes.

3. A focus on outcomes rather than methodology

The business impact analysis, risk assessment, plans, and exercises are all a means to an end. The actual end that we need to be laser-focused on achieving is helping our organizations become more resilient and prepared for a disruption.

“What would I do if…?”

“How would I do X if I lost Y?”

“Is it possible to meet Customer Z’s expectations when…?”

Having answers to these common questions that worry our senior leadership teams is the key to adding value. Whether a for-profit private sector company or a governmental entity, your organization provides something of value to a customer or citizen.

Protect the processes and resources that deliver value and do so in the most efficient manner possible.

I predict that a growing percentage of business continuity professionals will learn to focus more on outcomes than methodology and terminology.

4. Flexibly - include rather than exclude

“That’s not what business continuity is, so no, we don’t do that.” I think we’re all guilty at times of saying something like this. Perhaps we should approach all requests for help with an open mind and determine how we can contribute to a solution. Even if the organization’s issue isn’t traditional business continuity – or maybe it’s not even close – why not reflect on what we can contribute? Is it a detailed understanding of the processes, activities, and resources and can our value be volunteering that information as part of a team to solve the issue?

I don’t see the need for the business continuity profession going away, but I do believe we will see more flexible, nimble professionals that will be less focused on drawing boundaries around their responsibilities and more focused on solving organizational barriers to achieving objectives. This solutioning will take place by working with other disciplines to share knowledge and manage risk appropriately.

5. Affecting culture (versus focusing on plan documentation)

Building on number 3 above, here’s another quote that really tells a lot about an organization’s business continuity maturity:

“Before we make this decision and go down this path, have we thought about the business continuity implications of this approach? Are we more or less at risk if we do this?”

Imagine an organization that no longer focuses on bolting on business continuity solutions to high risk strategy but instead proactively takes into account disruption-related risk when making choices. That’s a mature organization and one that I predict will become more and more common in the years ahead.

Before concluding, I would be remiss if I didn’t offer a challenge to all business continuity professionals – mainly because, if successful, it will be an enabler of success. Get to know your customers and how the business intends to make them happy. Get to know your sales teams and the promises they’ve made to your customers. Get to know your leadership teams and what they think will make the organization successful today, tomorrow, next quarter, next year, and beyond. This knowledge will help you not only speak the language of your key stakeholders, but it will also offer you the focus needed to apply your limited time to what’s most important.

Brian Zawada FBCI is Director of Consulting Services at Avalution Consulting and President of the US Chapter of the BCI.

Michael Berkowitz is the president of 100 Resilient Cities, the Rockefeller Foundation program that facilitates the adoption and incorporation of resilience in cities to shocks, such as earthquakes, fires and floods, and stresses like poverty and other social issues. The 100 cities chosen include 23 in the U.S. and represent 48 countries across six continents.

Berkowitz was previously the global head of Operational Risk Management for Deutsche Bank, and from 1998 to 2005 was deputy commissioner for the New York City Office of Emergency Management.



Apparently for the past 30 years, government leaders in Washington have done the same thing over and over regarding the Seattle earthquake. Order a big study, ignore the findings and then repeat.

That was the message of a recent special report by the Seattle Times which looked back on the past 30 years of arm flailing and chest pounding and yet no action. The government has created a subcabinet but it has no budget, staff or regulatory authority — and simply creating the entity took more than three years with nothing to show for it. Ouch!

The Seattle Times reported that state elected officials for the past three decades have repeatedly directed seismic-safety experts to produce reports, all of which have called for action to reduce threats to public safety and the state’s economy. And time and time again, state politicians have largely ignored recommendations that require money or legislation to see them through to completion.



In Risk Management, preparation and information are our best tools. One of my mantras is “Hope is not a strategy.” This mantra is particularly the case for security issues. Other than people, data is the most valuable asset for most organizations, and data thieves recognize that fact. In today’s blog, we will focus on data and network security. As a risk manager or business continuity professional, do you understand your organization’s data security strategy and how it integrates into your plans? You don’t need to be a certified network engineer or security analyst to understand that a proper approach and set of tools should be in place to protect your environment from unwanted attacks or access.

The following are items to review and consider as you work with your IT team.



For businesses, cloud-based backup and recovery has become common these days. If backup is fast enough to fit within a backup window, and if recovery times hit recovery time objective (RTO) and recovery point objective (RPO) service levels, you’re golden.

After that, it gets complicated. Backup and recovery are critical components of disaster recovery (DR), but alone they can’t assure that application processing continues uninterrupted. Many enterprises have built their DR plans around remote sites because they already own multiple data centers, or they have the budget for secondary hot sites. However, unless they have an extra data center hanging around — or can afford to lease a secondary hot site — midsized and small businesses were out of luck for remote DR.

In response, many cloud service providers and disaster recovery vendors took the cloud-based backup and recovery model to its logical next step: failing-over applications to the cloud.