Business continuity in an uncertain economy: lessons from the past, ideas for the future
Looking back on over 30 years of Business Continuity (BC), I sometimes wonder if we will still be working tomorrow, given the issues that we face today. However, surprising to many, we've been here before. Way back in the mid-70s our economy was so uncertain that the UK government felt compelled to introduce a three-day week. In those days, inflation was over 20% and the Provisional IRA was making physical security a specific concern. But, somehow, we’ve forgotten how we coped then because things were not the same. To quote LP Hartley, the past is a foreign country: they do things differently there.
When BC was first getting a foothold, there was no internet, social media didn't really exist, cyber attacks were unheard of and in that foreign country there was often enough slack in the business system to absorb many shocks. Now, with 'Just in Time' processes across all operations, instant global communication, fragile supply routes and a deluge of cyber attacks, the threat landscape has developed considerably, albeit some issues remain the same. This is one reason why we've only sometimes been here before. So, let's look at just one of those historical constants and the numerous online guidance and standards available to BC managers in 2017.
Why has a book that focuses on a dystopian drama set in 1984 suddenly rocketed to become the sixth bestselling book on Amazon? The answer refers to the attitudes of world leaders who wage wars, set up economic barriers or highways and dilute or escalate international risks. Kellyanne Conway, advisor to the reality-TV-star-turned-president, Donald Trump, used the phrase ‘alternative facts’ not long ago, which relates directly to George Orwell's famous book '1984'. Comparisons have also been made with the term ‘newspeak’, used in the same novel written in 1949, when we consider the current utterances of the new leader of the free world based in Washington DC as we enter another new age. Mr Trump might be the first US President to broadcast his constant anger and frustrations on Twitter, but he is not the first dystopian narcissist in history.
Add to that the economic uncertainty over Brexit and it soon becomes apparent that BC managers today require a crystal ball as much as a radar screen – and a good read supplied by George Orwell.
Someone once pointed out that we are the only species that follows unstable pack leaders, so for me an historical constant will always be people in senior positions who make bad decisions with the ultimate consequence often ending up at the door of the BC manager.
Surveys can also give us a clue about what's on most BC risk radars nowadays. Physical security is seen as a growing concern for all BC managers, according to the fifth annual Horizon Scan Report published by the BC Institute (BCI) in association with BSI. Whilst cyber threats remain at number one, acts of terrorism gained six places from tenth in 2015 to fourth in 2016 and security incidents moved from sixth to fifth place.
The present and future risks and threats that BC managers must acknowledge are therefore a mixture of the old and new. As ever, the need to actually exercise BC arrangements at board level is vital, whilst 'Situational Awareness' nowadays demands far more focus on risk perception, rather than solely on recovery.
On the subject of exercises and the need to organise them properly by applying due diligence, plus how the past can sometimes be truly alarming, we might reflect on ten days way back in November 1983 when the United States and the Soviet Union nearly started a global nuclear war. Newly declassified documents from the CIA, NSA, KGB and senior officials in both countries reveal just how close we came to mutually assured destruction — over a misunderstood military exercise called Able Archer 83. For once, a situation out of scope for BC managers.
But what is certainly in scope when it comes to enacting BCM is that all BC decisions still carry with them flaws due to our inability to know everything. This is especially true in a world with an ever-growing volume of half-truths, post truths, alternative facts and fake news.
So, in 2017 we should expand our vision of potential threats today, yet strive to remember how we coped in the past as very soon today will also be a foreign country.
Adding this all up, here are some useful global standards, noting that the BCI Good Practice Guidelines continue to offer practical advice:
- International – ISO 22301 Societal security – BC Management systems – Requirements, specifies a management system to manage an organisation's BC arrangements. It is formal in style in order to facilitate compliance auditing and certification and is supported by ISO 22313:2012 Societal security – Business continuity management systems – Guidance, which provides more pragmatic advice concerning BC.
- United Kingdom – British Standard BS 25999 was a two-part business continuity management standard. BS 25999-1:2006 Business Continuity Management Code of Practice offered pragmatic implementation guidance, but was withdrawn in 2012 when ISO 22313 effectively superseded it. BS 25999-2:2007 Specification for Business Continuity Management formally specified a set of requirements for a business continuity management system. It too was withdrawn in 2012 when it was (in effect) replaced by ISO 22301, but it is still worth noting, especially for UK readers.
- North America – Published by the National Fire Protection Association, NFPA 1600: Standard on Disaster / Emergency Management and Business Continuity Programs. Also, North America – ASIS/BSI BCM.01:2010, published December 2010. The ANSI/ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems—Requirements with Guidance for Use American National Standard is under consideration for inclusion in the DHS PS-Prep, a voluntary program designed to enhance national resilience in an all hazards environment by improving private sector preparedness.
- Australia – Published by Standards Australia, HB 292-2006: A practitioner’s guide to business continuity management, HB 293-2006: Executive guide to business continuity management. In 2010, Standards Australia introduced their Standard AS/NZS 5050 that connects far more closely with traditional risk management practices. This interpretation is designed to be used in conjunction with AS/NZS 31000 covering risk management.
Peter Power has been Managing Director of Visor Consultants (www.visorconsultants.com) since 1995 and he is also Chairman of the World Conference on Disaster Management (www.wcdm.org). He is an author of several BC and Crisis Management guides and is a past member of the UK National Security Commission (IPPR). Peter has also spoken at a UN conference (WTO) on these topics and has run interactive workshops over the past 30 years at venues ranging from the Alps to Sydney Opera House in 15 different countries.