Fall World 2013

Conference & Exhibit

Attend The #1 BC/DR Event!

Spring Journal

Volume 26, Issue 2

Full Contents Now Available!

You are here: Home Winter 2012 - Volume 25, Issue 1 Summer 2004 Apologetic Anemia in the Business Continuity Industry

Apologetic Anemia in the Business Continuity Industry

Written by  Damian Walch Thursday, 22 November 2007 02:50

The business continuity industry today suffers from apologetic anemia. An apologist in its literal sense is a person who argues in defense or justification of something, such as a doctrine, policy, or institution. Despite the fact that Sept. 11, 2001, had given all emergency and business continuity professionals a reason to be evangelical about their profession, we still sadly lack a voice in the boardroom.

The apologetic anemia refers to a general lack of professionals actively trying to articulate the compelling need for our corporations to build some type of business continuity and disaster recovery program. This does not mean recovery planners running around like Chicken Little filling executives with fear, uncertainty, and doubt (i.e. FUD). Our industry has more than enough of those. Instead, corporate executives around the globe expect business professionals to provide a cogent argument for why our companies should have a policy and commitment behind recovering key business processes in the event of an outage or disruption.

The reasons for this anemia are multidimensional and complex. The objective in this article is to describe the reasons for this anemia and to provide a couple of ideas on how to break down these issues. If these barriers are removed, business continuity awareness may grow into what it should be – a key component in the corporate governance and risk management programs of our companies.
Even in this day when the media clouds much of the public’s perception, most people have difficulty putting faith in something in the absence of evidence and argument. In this sense, Sept. 11 may have hurt our collective cause. Many professionals have used the tragic events of that day as evidence of the risks in order to put fear into executives. To which most executives – especially those in places such as Omaha, Peoria, and Kansas City respond with “our country’s preparedness has increased and targets are likely to continue to be large metropolitan cities.” In other words, the executives are saying what they’ve said for years – “The probability is very low that it won’t happen to us” – and they are willing to take the risk.

This last statement about probability is very true. I conducted a probability study for a large telecommunications firm approximately eight years ago. They had more than 50 facilities around the country, some on faults and in tornado allies. We did an exhaustive study of factors, risks and threats. We determined that the probability of a catastrophic disruption occurring at one of their central office switching centers was less than 1 percent. This only served to reinforce their ambivalence.

Since I conducted that study, hundreds of companies have been impacted by disasters that have caused them to recover at commercial recovery providers. Many more have been forced to declare bankruptcy because of major catastrophic outages. This is not isolated to small companies! Just ask the plant managers at the General Motors plant in Oklahoma City that suffered what plant managers called “substantial damage from the devastating tornado” – a May 2003 tornado leveled a significant portion of the plant that produces SUVs.

The bottom line is that we must clearly explain at least three things to our executives: the risk exposures at our companies, the options that are available to mitigate those risks, and a simple plan to implement the appropriate controls and disciplines.
While this sounds appropriate, I’ve witnessed way too many situations in which a disaster recovery coordinator or the data center managers that they report to present grandiose plans for implementing disaster recovery programs. These presentations typically result in an executive or group of them explaining a decrease in IT spending, poor representation of the return-on-investment in the initiative, and a general lack of creativity in designing the strategies and programs for success. Ultimately those executives turn down the request for improving the company risk coverage.

While this scenario is all too true, I have worked with companies that have been very successful in their ability to evangelize the need for higher level of assurance. There are some common characteristics among those companies where I’ve seen a BC professional be successful in building their case:

  • Keep it short: executives want business cases in four-page presentations or 1,000 words.
  • Make it simple: don’t try to educate people on terminology and technical solutions.
  • Relate it to the business: describe it in business terms that the executives understand.
  • Don’t recommend analysis: they don’t want paralysis; they want action and quick results.
  • Evolve: explain how a program will evolve after initial results are achieved and validated.


Another thing that contributes to this anemia is corporate culture. There is a “don’t rock the boat” culture in many companies that has only been magnified with the poorly performing economy and the resulting layoffs. Most of our companies have been less than diligent in ensuring that their one or two most important business processes can continue if there is an outage or disruption.

This “business continuity capability” includes making employees aware of their responsibilities in a crisis, creating a recovery strategy for supporting technology applications, and identifying space for people to work if the facilities are unavailable.
Very few people are willing to point out these inadequacies in our companies past practices. That is especially true if it reflects badly on someone we work with. This social pressure tends to drain our convictions to business continuity principles.

In order for us to get over this apologetic anemia we must combine the thoughts that have been espoused in this article. We must take a pragmatic look at our companies and determine what business processes, not applications or technologies, are critical to customer satisfaction and revenue generation. Only focus on one or two so that we can make it addressable and manageable to build our business case. Attempt to put in business terms what would happen to the business if a weak link in that process were to be broken. What would the financial and long-term impacts be to the company? Then look at a few reasonable solutions to reduce, maybe not eliminate, the risks. Finally, you must clearly show the return-on-investment and results of that effort. If this is accomplished and done clearly, simply and briefly you will get and keep the ear of your management team.

By doing these things we will educate executives about how business continuity fits in the big picture of corporate governance and risk management. Our senior executives will then and only then be able to say they are comfortable with their ability to restore and recovery business processes in the event of a major disruption or outage. Ultimately isn’t that what we and the customers of a company are asking for – executives’ confidence in recoverability?

 



Damian Walch is the business resilience, national practice executive for IBM. He is a 13-year veteran of the business continuity industry. Walch is also a member of the Disaster Recovery Journal EAB.

Login to post comments
back to top