Tuesday, December 2, 2008

ERM-BC-COOP: Passionate practitioner

The other day someone asked me if I was "passionate" about business continuity.

Most people who know me would have replied for me "That's an understatement."

I only half-jokingly tell people that when I was a consultant regularly traveling between Tampa and Tallahassee, the flight attendants, if they lingered too long near my seat, became at least semi-expert in the field.

I am fortunate to do what I enjoy doing. That isn't to say flatly that every business continuity opportunity is enjoyable; there is a difference. I enjoy helping organizations protect all their resources, starting with people. I am frustrated by organizations that limit business continuity to little more than Info Tech disaster recovery.

An aside. An Info Tech ops manager told me that the "business continuity" plan for his operation was more than disaster recovery. Oh, I replied, then you have risk avoidance and mitigation, key components of business continuity. Certainly, he replied, we have back-up sites in case the primary goes down.

No, I countered, that's not avoidance or mitigation. Avoidance or mitigation work against the risk. What you have is a response plan. It isn't a bad response plan, but it is not "avoidance or mitigation."

Mind, I am in favor of Info Tech business continuity plans. I also am in favor of HR plans and Finance plans and Operations/Production plans, and Facilities plans, provided they all roll up into an all-inclusive enterprise plan.

If something in a functional unit - that is, any organization other than The Enterprise - goes "bump in the night," the folks in that functional unit need to quickly assess the impact of the "bump." Will it impact that functional unit's Service Level Agreements (SLAs) with internal and external "clients"? Can the "bump" be smoothed out before any other clients feel the impact? If it can, the recovery is handled within the functional unit; if not, the issue is escalated as needed.

My contention remains that what an organization really needs is "Enterprise Risk Management."

Enterprise Risk Management, ERM, is not just another name for business continuity (which, let me be perfectly clear, is NOT another name for disaster recovery). As business continuity grew out of disaster recovery and in the process changed the focus from a resource (Info Tech) to the profit center, ERM expands business continuity to include all risks an organization faces.

For example, how many enterprise business continuity plans considered lenders as vendors prior to the current financial disaster? How many enterprise business continuity practitioners ask critical vendors - and exactly what determines "critical" - for their business continuity plans? How many practitioners consider the ripple effect of a work action against a vendor? That is a consideration a very famous international air carrier now considers as a "lesson learned."

How many practitioners include Legal in more than a plan review role? Crisis management is, to this scrivener, part of ERM. In many organizations, crisis management is "out of scope" for business continuity. Succession planning likewise often is "out of scope" for business continuity.

The above is not to suggest that the ERM practitioner - I dislike the term "planner" since it implies a project with identifiable beginning and end; business continuity and ERM must be, if they are to be successful, on-going programs - should manage everything. The ERM practitioner should be the person holding the umbrella under which all functional units are sheltered. The practitioner need be a Subject Matter Expert (SME) only in ERM and understand that the program depends on input from the SMEs of each functional unit. Let each of these SMEs act as an auditor not only for their particular functional unit, but also for the program as a whole.

Am I passionate about what I do? You bet.

Will I talk about, write about, and otherwise wave the ERM flag at every opportunity? Absolutely.

Do I recruit - sometimes con - non-practitioners into becoming, if not a practitioner, at least a participant in the program? By all means. That's why I have this blog. And a Web site. I'm a believer.

John Glenn, MBCI, SRP
Enterprise Risk Management/Business Continuity
Planner @ JohnGlennMBCI.com
