Business Continuity: Global Challenge

Lack of Standards Hampers Organizations' Response
Business Continuity: Global Challenge
The natural disasters in Japan showed that organizations need to review their business continuity plans and be prepared when crises erupt.

Yet, despite improvement in organizations' abilities to plan for and predict disasters, they still lack an effective response. In fact, the biggest gap in business continuity today is understanding, says Lyndon Bird, director at the Business Continuity Institute.

With a lack of international standards, Bird says, there is "confusion amongst the professionals about what they should be following and being consistent to the terminology differences between different parts of the world.

"One of the worst things during a major crisis is actually taking different parts of the world and identifying what you are saying in a slightly different way," he says.

With 25 years in the field, Bird was a founding member of Continuity Planning Associates VB in The Netherlands. He was voted BCM Consultant of the year in 2002.

One of the ongoing difficulties with business continuity, he says, has been the name itself. "It's been hit or miss from where you come from in an organization," Bird says. "Traditionally people started from the IT field, but then there are people who see business continuity as responding to a major natural disaster and crisis. You've got a lot of people with emergency, military or police backgrounds involved. Then you've got some theoretical approaches to it."

What the role needs is clarity, Bird says, and that is his institute's goal. "The clarity of the message is very important," he says. "That is what we are actually working on trying to develop - business continuity as an understood and accepted management discipline."

In an exclusive interview, Bird discusses:

  • The origin and mission of The Business Continuity Institute;
  • Today's biggest business continuity challenges to global organizations;
  • Advice for professionals wanting to enter the field today.

Bird is a director of The Business Continuity Institute. He has an honours degree in Chemistry and a Masters in Management from the University of Manchester. He helped found the BCI in 1994, and was awarded the Institute's highest grade of FBCI. Prior to taking his current executive role with the BCI, he has served as a voluntary member of the elected BCI Board for six years including three years as chairman. Lyndon was also a founding member of Continuity Planning Associates BV in The Netherlands. He has worked exclusively in the Business Continuity world for over 25 years as a consultant, presenter, author and business manager. He was voted BCM Consultant of the year in 2002 and given the prestigious Lifetime Award in 2004 by Continuity, Insurance & Risk Magazine.

The Business Continuity Institute

TOM FIELD: Could you tell us a little bit about yourself, just to start off our conversation please?

LYNDON BIRD: I've been in the business continuity world now for 25 years and I started back in the 1980s as a consultant. During those many years, I've continued in the consultant role. I've done quite a lot of education. I've presented a lot. I've written many articles and books, and back in 1994 I was a founding fellow of the Business Continuity Institute (BCI). Since then, I've had a number of roles with the institute including the institute chairman, and currently my role is to head up the technical development side. I'm a member of the main board of the institute in that capacity.

FIELD: For those who aren't familiar with the institute, tell us a little about Business Continuity Institute and its mission.

BIRD: The Business Continuity Institute is a not-for-profit professional institute and its primary focus is to represent and work for business continuity professionals and practitioners. These are people who actually qualify for our professional membership grade through our education certification programs. We also encourage corporate partnerships and corporate memberships, and we have many wide-range affiliations with similar and complementing not-for-profit bodies. We have around 6000 members in over 100 countries. Although we did start in the UK and it is still our headquarters, we now have chapters and regional boards in the US, Australia, Canada, Japan, Southeast Asia, and in fact some individual European countries. So we are quite widespread now. And our mission is the same as it was when we started, and that is the development of the science that we like to call Business Continuity Management (BCM) throughout the world, particularly through the use of developing thought leadership programs and enhancing their professional practices.

Top Business Continuity & Disaster Recovery Issues

FIELD: Lyndon, given the global scope of the institute now, I'd be curious on your perspective as to what the biggest business continuity and disaster recovery issues are for organizations today, and then specifically for banking institutions, that you see.

BIRD: I think I'll start noticing that when there is general comment about the business world and what has happened over the last few years and why that is having some serious impacts on business continuity management. If you look at the downstream of the financial crisis, looking at where organizations particularly in Europe have come from and where they are trying to get to, we've seen a vast amount of need to be more competitive, to reduce costs, and to find ways of getting more value at the same level of cost.

This whole phenomenon has in a way taken out of the equation a lot of inherent resilience that particularly large, well-distributed organizations have. What we are noticing is considered more dependent on long supply lines, fewer suppliers of goods and services, perhaps less emphasis on the quality of those services and more on the cost of those services. And we are seeing quite a lot of increased disruption and loss of profit and operating times in lots of businesses. This is not only the financial sector, because in many ways the financial sector is technically an operation and they are still very resilient, more so than other factors. Even within the financial sector and the banking sector, it's still prone to outsourced operations and offshore operations, and in our view you can't outsource the risks. The risk remains with you when you can only outsource the operational activities.

The issues are really with things in banking as well. With the term banking traditionally being considered strong in business continuity, what that has resulted in is a silo mentality where business continuity management's been putting a particular silo within the banking world. It's concentrated on loss of buildings, technology and people, all of which are extremely important. But what it's not actually doing is looking more at the overall business risks we're facing and the techniques and such that would help.

The biggest problem of business continuity in general is to make that step from looking at operational failures and how you recover from them to looking more at the processes in your business and how you protect them, as well as the brand reputation of your business. In some ways banking needs all the help it can get in some areas in terms of supporting its image. It's not necessarily the most popular sector and we believe that it needs to move forward. It needs to integrate its thinking on crisis management and risk management, together with its continuity programs to move forward and reduce its risks. Look more at business risks. We've introduced a concept called Enterprise BCM, which looks at a much wider set of risks than traditionally what the financial sector has looked at. That's the biggest issue. How do you actually use the skills and techniques that we've developed over the years in business continuity and disaster recovery and start looking at a wide range of areas that could go wrong in business?

Addressing Business Continuity Issues

FIELD: You laid out a good series of issues there. I'd be curious to here your take on how financial institutions are addressing some of these issues, if indeed they are.

BIRD: I think that they're starting to focus on it. Perhaps there is a problem with the silo mentality, where you perhaps go into one silo business continuity area, along with security, crisis management, risk and possibly even emergency response, and it was clear learning from one sector to the other.

Larger institutions are starting to look at how they can build a resilience model for their organization which brings in the strengths of all these particular techniques and philosophies that have business protection. Most of the larger financial institutions in recent times have decided that business continuity management and crisis response need to be managed the same way. Many of them have put much of this under an enterprise with management approach, which I think is a reasonable step. But what we would prefer is a wider perception of starting to look at your organization not just in terms of the internal resilience, but what you have to actually incorporate. There are a lot of problems with saying the banking system is systemic. They aren't specific to just one individual, unlike operational resilience in the sense of loss with IT. Then clearly they like to be an individual firm.

A lot of the major problems with systemic, community and society issues, and the operational areas that you are functioning in, need to be brought into the planning process. I have detected in the last few months with most of the people I talk to a feeling that there is a need to bring these subject areas together. I think many are looking to bring them together into some banner, which may or may not be called resilience. That seems to be the working name, but people are calling it governance with risk and compliance. I think a neater word is resilience. That is where many of the larger institutions are moving towards. Usually what happens, particularly in the financial industry, is the big boys move into a particular approach and that then tends to get picked up by the smaller ones. There is recognition that this is an integrated subject and it all needs to be brought together.

FIELD: When you look across organizations today, where do you see the biggest business continuity gaps and how is the institute helping to fill those gaps?

BIRD: The biggest gap is in understanding, and I think that's a problem because one of the difficulties with business continuity has been term. It's been hit and miss from where you come from in an organization. Traditionally people started from the IT field, but then there are people who see business continuity as responding to a major natural disaster and crisis. You've got a lot of people with emergency, military or police backgrounds involved. Then you've got some theoretical approaches to it. And then you get all the people that see it just appealing to external communications. The problem with business continuity gaps in a way is not specifically the technical aspects. Most of the technical issues can be resolved. The problem is with understanding the other issues, such as international standards, different national standards, and confusion amongst the professionals about what they should be following and being consistent to the terminology differences between different parts of the world.

We don't necessarily have a global agreement about what we mean regarding many things. The general lack of clarity which still exists around most of the business continuity issues is certainly an area that my institute is acutely aware of. In reality that is part of what we are here for - to try and work to establish common understanding. Because one of the worst things when you have a major crisis, if it's a global problem such as a banking crisis, is actually taking different parts of the world and identifying what you are saying in a slightly different way. The clarity of the message is very important. That is what we are actually working on trying to develop - business continuity as an understood and accepted management discipline.

Business Continuity: A Holistic Process

FIELD: At the top of this conversation you mentioned you have been in the business now for twenty-five years. For someone that wants to get into the business continuity field today, what advice would you give to them?

BIRD: It's very encouraging that people actually do want to get into it. In my day, when I started, and probably for ten years after that, people tended to end up in it in some way or another almost from something else. So the fact that people actually see it as a career and see it as an area that they would like to get into is an encouraging thing.

One of the positive things that you can say to people is that it's not something where it's good just to be saying, "I'm a BCM person. I've got a degree in business continuity management. I have a diploma with courses in it, and therefore that is what I do." In fact, in business continuity management it's what we like to call a holistic process or what we like to now call enterprise business continuity management.

You can get into it starting from a whole range of different schedules, whether your background is IT, emergency management or business analysis. You understand the process and you understand the dependencies of your business. Even if you're into something like HR, you understand communication. If you are interested in business continuity as a topic, then the skills that you have in those other areas are actually quite useful. Sometimes you would have to move into a BCM role, and your role would probably be more like a BCM analyst, looking at things like business impact analysis. That may not be too exciting to people but what it does do is give you an opportunity where you could get across the organization, understand it, and learn very quickly about how that organization fits together, how things work and how they don't work on occasions.

I like to say to people that it's a great learning position. Then, if you don't want to spend your whole life as a specialist business continuity manager, what you learn from doing this sort of business impact analysis will enhance your value to your organization and give you the opportunity to progress within it. It's always good to get education. It's always good to take courses and get trained. If you have skills that come from another area that easily transfers into business continuity management, and vice versa, if you've worked in business continuity management, then it gives you a good foundation for progression in the organization.


About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.co.uk, you agree to our use of cookies.