James Royds, InfoSec Associates, aims to provoke thought and discussion around two complementary and inter-dependent themes relevant to the onward development or “future-proofing” of this vital and often much-misunderstood discipline; in order that we collectively derive far greater strategic influence from the process and thereby create the conditions in which far-reaching and clearly understood business benefits flow from the process...
As a discipline there is a striking irony about BCM which might unsettle those who lay claim to its genesis, and from which legions of loyal, passionate and capable disciples have evolved. If the truth be known there shouldn’t really be any need for it. That there is, and that the industry which has fledged around it is enjoying a surge of interest after two or three tricky years, is indicative of wider grand-strategic forces at work. Put simply, the industry is at a “tipping point”, arguably the result of a shocking realization among commercial, political and ideological interest groups that the confluence of rising consumer expectations, increased technical exposure and dependency, the “death of distance” and the relentless march of globalization is far from delivering us an assured, secure and sustainable future, whatever that may hold.
If the future really is less certain today than even our least optimistic “masters of risk” would have us believe, then we have an urgent obligation to consider future trends in BCM and make bold predictions about what is lurking, for good or bad, over the horizon. That part is easy. The difficult part is knowing today whether those predictions will be right tomorrow, since the future, by definition, is unknowable. Anyone foolish enough to rise to this challenge will doubtless be hoping that the odds of any prediction being right will be favorable, since predicting the future, and by inference taking advantage of it, is already emerging as a significant development for BCM. My first thought therefore is that it will not be long before BCM and enterprise risk management are seamlessly entwined. The process has already begun. It is only the application of language which separates their fundamental characteristics today.
Language is important. As an aside, the word “risk” is Italian in origin, taken from riscare, which means “to dare”. Risk is therefore a choice rather than a fate. And those of you who have read Peter Bernstein’s Against the Odds will be familiar with his assertion that “the actions we dare to take, which depend on how free we are to make choices, are what the story of risk is all about.” It will soon become, if it isn’t already explicit, the story of what BCM is all about.
Explicitly making the link between enterprise-wide risk management and business continuity is timely. It resonates with the integration and convergence community and presents us with three refreshing possibilities. Firstly, it justifies monitoring threats across a much wider spectrum than has hitherto been traditional in conventional continuity planning (fire, flood, terror etc.). Secondly, we are offered the prospect of a tempting two-for-the-price-of-one value proposition, giving us a “joined-up” management discipline. Thirdly, and perhaps most importantly, it offers the continuity community a means of influencing the strategic agenda, across “normal” business operations, long before anything goes wrong.
For too long, it seems to me, BCM has been caught on the twin horns of a dilemma – sometimes frustratingly so – between tactical and operational afterthoughts, thus denying itself its highest levels of influence and strategic effect. By restricting responsibility for risk management, and specifically business continuity, to operational and tactical areas of responsibility – the lament of IT departments, “but business continuity is not my responsibility” – we are limiting the scope of its strategic significance and confusing decision makers about risk taking and risk mitigation priorities, and the balance of investment between them.
Investment in compliance, for example – my second thought – in response to the regulation and legislation currently sweeping across industries and international boundaries, is in danger of choking choice and dampening the desire to dare. There is already evidence that companies affected by Sarbanes-Oxley, for example, are questioning just how much they really need to do in order to comply. In a business climate in which the increasing demands and expectations of the regulatory and compliance community currently hold sway, there is a danger that BCM is considered “sorted” when the compliance auditor’s report is favorable. Is there not a danger, therefore, of institutionalising compliance complacency: that the feel-good factor generated by a glowing report will represent the limit of exploitation for BCM?
Achieving compliance is a laudable, if somewhat uninspiring, aspiration and yes, it is important in establishing a benchmark (among many) against which further progress can be measured. But at what cost? And what happens when compliance and controls fail? Will BS 25999, for example, recover your organization if the worst happens and everything goes “the way of the pear”? If compliance for its own ends is driving important risk management priorities and the risk decision-making process, is this not a case of “the tail wagging the dog”, thus limiting the freedom of choice we enjoy in business as a direct consequence of effective business management decision-making under normal circumstances?
The ability and capacity to manage risk, and with it the appetite for embracing it, are key elements of the business of business and underpin the economic model upon which so much of our lives depend. Put simply, taking risk drives the capitalist system. What separates past success from the future in terms of economic prosperity is mastery of risk rather than being enslaved to it in what is increasingly becoming a risk-averse culture. It is incumbent on us therefore, as practitioners in this art (and yes, I believe BCM is in every way as much an art as it is a science), to highlight the difference between being risk averse and risk aware. As our friend Peter Bernstein stresses: “the ability to define what may happen in the future and to choose between alternatives lies at the heart of contemporary societies”. For context we could perhaps replace his use of “contemporary societies” with contemporary businesses, or at least those which deliver consistent economic prosperity, since mastery of risk lies at the core of their collective achievement, in which success is often measured in profits. Since “profits are, in part, the reward for successful risk-taking, the purpose of internal control (according to Turnbull) is to help manage and control risk appropriately rather than to eliminate it”.
This is a timely reminder and is instructive because it acknowledges the relationship between risk and reward, implying that the purpose of control is just that, and not an exhaustive means by which risk is eliminated altogether. A risk-free world (or risk-averse world) is wholly undesirable, yet it sometimes seems that the output from the good work risk management professionals do is in danger of furthering the aims and objectives of those who would have us live in a risk-averse world. The point surely is that organisational resilience, the result of being thoroughly risk aware and prepared for the consequences of a major incident, is, and should continue to be, the vital strategic outcome of BCM, and not a neatly bound copy of a compliance report.
If the aims and objectives of those managing business risk, enterprise risk management and BCM are articulated as complementary in pursuit of the protection and sustainability of business and shareholder value, then there are reasonable grounds for optimism. No one, I hope, would disagree with the contention that today’s risk landscape is complex: uncertainty flourishes, asymmetry is increasingly the order of the day and rising expectations are fueling great change at great speed. Threats are on the increase and the spectrum of possibilities to inflict damage on business and information resources is widening. Normal business needs to be apprised of, and tuned to, this development, and so do BCM professionals. Tuned so collectively, BCM can influence the right decisions, thus enabling businesses to act decisively when events conspire against the status quo. What is required is to elevate the art and science of this discipline to the strategic arena and encourage far more strategic thought among its practitioners. BCM must seize this space and above all keep alive the desire, ability and flair to dare.