Technical Review: A Critique of Adaptive BC’s Apologia

0
148

Last week, I posted an article on Adaptive BC in which I analysed the ten principles of their Manifesto’. My conclusions were that I do not consider this ‘alternative approach to traditional continuity planning’ to be either an innovation or a ‘(r)evolution’, and that I find it to be very questionable.

An interesting and lively debate has arisen, with many contributions from several practitioners / industry leaders and Adaptive BC proponents further reinforcing my confidence in the conclusions I reached on the validity of this different (?) kind of continuity planning.

As anticipated, I now want to focus my attention on their ‘Apologia’, which is a section of their website that is meant to serve ‘as a curated gateway collection of additional publications relevant to the Adaptive BC Manifesto’. It is a fundamental step towards my goal of providing a comprehensive review of this ‘approach’ and to comment on the degree of professionalism its proponents are using to disseminate their principles and supporting arguments in the global continuity arena.

Before I start, I would like to clarify that:

  • I do not know any of the Adaptive BC proponents personally.
  • I believe, to the best of my knowledge, that I have never met any of them, though it is possible we have attended the same conferences somewhere in the world recently.
  • I have nothing personal against either them or their approach. In fact, as I had a chance to write in my previous article, when I first heard of Adaptive BC I was very curious and genuinely keen to learn more about it.

However, as soon as I approached the topic, I was immediately surprised by the resentment their proponents display towards the international standards and best practices, as well as towards practitioners who use them as a guidance in their everyday job. I am definitely not the first one who notices and highlights this unfortunate attitude.

Furthermore, the significant amount of questionable, inaccurate, and misleading information they are propagating on ‘traditional’ business continuity methodology requires a determined contradictory. In fact, while differences of opinion are not and never will be cause for contention among professionals, fabrications supporting the vilification of widely accepted industry standards and best practices cannot be accepted.

PROFESSIONALISM MUST BE OUR NORTH STAR

I am a proud member of the Business Continuity Institute. I believe adherence to professional bodies (not only the BCI, of course) is important to improve your technical skills by sharing knowledge, experiences, and issues with peers, and also to commit to certain principles related to professionalism and professional conduct.

The ‘BCI Code of Conduct has a whole section dedicated to the ‘Duty to the Profession and the Institute’. I take it very seriously, and I expect the same from all members. Here are some key principles displayed in this part of the ‘Code’:

  • ‘You shall uphold the reputation and good standing of the BCI in particular, and the profession in general’.
  • ‘As a member of the BCI you also have a wider responsibility to promote public understanding of Business Continuity and, whenever practical, to counter misinformation that brings or could bring the profession into disrepute’.
  • ‘You shall not make any public statement in your professional capacity unless you are properly qualified and, where appropriate, authorised to do so’.

Of course, there is no obligation for non-BCI members to adhere to this ‘Code of Conduct’; nonetheless, I think these are good principles which are based on common sense and can be shared by anyone who works with professionalism in any industry.

In my previous article I not only pointed out the inconsistencies within the Adaptive BC principles, but also the inaccuracies regarding ‘traditional’ business continuity methodology as proposed in their ‘Manifesto’. Irrespective of whether these are deliberate falsehoods or just the consequence of poor knowledge and/or understanding of international standards and best practices, all inaccurate statements must be retracted. It is an ethical matter at this point, not a technical dispute.

That said, it is the ‘Apologia’ section of their website, along with their promoters’ activities on professional social media (e.g.: Linkedin) that represent the heart of the problem.

(PSEUDO-)APOLOGIA

First of all, it must be noted that, as of the time of writing, the webpage’s header has been modified following my first article and its comments. According to Google’s cache, the website’s maintainers have modified the introductory message with these additional sentences:

  • ‘The citations below link to public content that we believe evinces further justification for the adoption of Adaptive BC principles’.
  • ‘Note that the linked source materials themselves do not necessarily reflect any affiliation with, or support of, the Adaptive BC Manifesto’.

While I appreciate this clarification, though late, I do not think it solves the issue raised by Adaptive BC’s selection of the source material with a lack of fair and professional criteria. I will provide details to support this claim in the course of this article, but let’s now look at the website.

The Apologia’s technical section is opened by a webinar by David Lindstedt – Founder of Adaptive BC – entitled: ‘6 Drivers and 10 Principles: An Introduction to Adaptive BC’. The webinar was hosted by Continuity Insights. Since I have already commented on the ten principles in my previous article, here are my thoughts on the six drivers:

1. ‘The BC Discipline: A mere collection of “best” practices’; this driver is entirely based on the alleged lack of evidence demonstrating that business continuity capabilities improve as a consequence of the implementation of an industry standards (e.g.: ISO 22301) and best practices compliant programme. While it is definitely true that quantifying consistent improvements in recovery capabilities is hard in any case, it is fair to say that there is plenty of evidence showing the appreciation of the vast majority of BC practitioners towards ISO 22301. For instance, in 2015, the BCI, together with NQA, published the ISO 22301 Benchmarking Report – a survey involving 560 respondents in 69 countries – that provides interesting feedback on the benefits of this standard:

  • At that time, 317 out of 528 respondents to a specific question (60%) either complied or were aligned with ISO 22301.
  • Among the top surveyed motivations for ISO 22301 certification, we find: ‘Assurance of Continued Service, Protecting Reputation And Brand, Greater Resilience Against Disruption, Quicker Recovery From Interruption and Reduced Risk Of Business Interruption’‘Legal compliance’ is among the least relevant reasons.
  • Among the reasons for lack of ISO 22301 certification, the top one is ‘I plan to get certified in the near future’‘I can’t see the benefit of certification’ is the second to last option, but the last one is ‘I am not familiar with ISO 22301’.

2. ‘General agreement: Significant problems with core practices’; the arguments supporting this driver are some presumed failings of ‘traditional’ core practices that are divided into three different categories:

  • ‘Theoretical’, as ‘clear evidence of inefficiency’ of practices like business impact analyses and risk assessments ‘for those that have taken the time to be thoughtful, really taking a look at what we’re doing’; however, no evidence is ever provided for this supposed inefficiency. More importantly, those that have taken the time to contribute to industry standards and best practices have actually been extremely thoughtful in making sure BIAs and RAs were useful components of the methodology.
  • ‘Practical’, as ‘low-value deliverables’ and ‘output much higher than outcome’ like the BIA which ‘might take 6 to 12 to 24 months’. No doubt the BIA can be a struggle for inexperienced practitioners and organizations approaching business continuity for the first time. However, this is exactly why industry best practices strongly suggest – to make things easier – that certain principles be embedded into the corporate culture before conducting the analysis phase. This is not mentioned. In most cases, when the BIA is conducted by competent and experienced professionals in mature organizations, extremely fruitful outcomes can be collected in few weeks. And good BCM software can make it even easier and quicker.
  • ‘Psychological’, as ‘lead with wrong foot’. David Lindstedt here makes a list of common mistakes among inexperienced professionals: ‘we use a lot of jargon’‘we then make them decide whether the social media impact of a landslide would be a 2 or a 3’‘we put ourselves into an adversarial relationship with the people we need most to be able to get the work done’. This is exactly what the so reviled best practices, like the BCI Good Practices Guidelines, are for: ‘The terminology used in the BIA by an organization is not as important as understanding when the disruption will result in unacceptable consequences’; and again, ‘Successfully embedding business continuity requires a collaborative approach from top management and the business continuity professional’.

3. ‘New techniques: Effective but isolated’; this seems to be a cornerstone of the Adaptive BC proponents’ mindset. They often claim to be isolated or somehow ostracized. However, David Lindstedt had the chance to hold this very webinar we are discussing for Continuity Insight and be an invited panellist at the 2017 BCI World Conference. And this is only what I am aware of, but I imagine he and other Adaptive BC supporters have had many more opportunities to present their approach. My own comprehensive review as well as all the articles I have read online by other ‘traditional’ business continuity practitioners are further proof of the attention the community has given them. They seem to believe, wrongly, that since many industry thought leaders do not agree with their approach, this must be ‘(r)evolutionary’. Moreover, when I tried explaining why there is nothing innovative about their principles, with the support of many comments from experienced practitioners who contributed to the discussion, the comments we got from Adaptive BC proponents were:

  • ‘The BIA became a real business and people are earning so much of it … trainers, consultants, software vendors … I don’t blame them to disagree with what we are doing to their business’ [Timothé Graziani – Adaptive BC Advisor]. Aside from the fact that Adaptive BC has no impact whatsoever on my business, this comment is disrespectful to those practitioners who genuinely believe in the BIA. It clearly insinuates the existence of conflicts of interest at best and the presence of widespread dishonest behaviour at worst: this is unacceptable.
  • ‘Alberto has demonstrated that it is possible to pick out individual Adaptive Principles for critique. But that is disingenuous. Of course statements can be found throughout our collective standards that support each of our principles. But those statements are buried within pages of documentation making them effectively irrelevant’ [Mark Armour – Adaptive BC Advisor and Co-Author of the ‘Manifesto’]. It is not professional to arbitrarily decide what statements of an international standard or best practice are ‘effectively irrelevant’, and of course it is absolutely false that ‘those statements are buried within pages of documentation’. They are, in fact, key elements of any BCM programme worth of that name and are presented as such in the relevant documentation.

4. ‘BC Field: Related fields have grown and we have stagnated’; David Lindstedt explains this driver with a lot of references to ‘Lean, Agile / Scrum Project Management, Six Sigma’‘Growth Mindset’‘Management 3.0’, etc. ‘There is a ton of related improvements in related disciplines to business continuity, and we are not taking advantage of them’. The problem here is that there is no competition among these disciplines and ‘traditional’ business continuity methodology. The subliminal message they keep instilling is that international standards and best practices are all about paper, compliance, complexity of implementation and inefficacy, when in fact the opposite is true (as I pointed out in my previous article). For instance, the reality that ‘a policy is a big deal’‘it involves a great deal of time and effort to come up with’, ‘we have to get human resources, legal is going to spend a lot of time on this and this is going to open up a lot of questions’‘we end up spending a lot of time… 3 months? 2 months?… coming up and moving this policy document through and get it approved’ [Source: A Story: BC Standards in the US – Video by David Lindstedt] is not at all an issue specific to the ‘traditional’ business continuity methodology. It would be true for any policy, in organizations that approach the approval process in this way. Even further, it is exactly the best practices which suggest that ‘the policy acts as a statement to communicate the organization’s principles to interested parties. As its primary purpose is communication, it should be shortclear, precise and to the point [Source: BCI Good Practice Guidelines, my emphasis].

5. ‘Executives: Show me the money!’; the ultimate justification for this driver is ‘what DO executives get for their money?’, whose answer seems to be ‘you know that executives are not valuing what we do’. No evidence or further explanation is provided, so this is hard to comment. The only relevant reference is strictly connected to the following driver, which entails the purported lack of value proposition in ‘traditional’ business continuity methodology.

6. ‘Value Proposition: Lacking and unmeasured’; but this driver as well is not explained or supported in any way. It seems to be passed off as an unquestionable truth we are all aware of, and which does not need any further argument.

Especially for these last two drivers, my concern is that an inexperienced practitioner who is exposed to such information may think that it is true and discard international standards and best practices without really reading or understanding them.

A professional approach to the matter would require thorough reasoning in support of its assertions; instead, this webinar offers them peremptorily. It may be that the author considers the ten principles of Adaptive BC to already be a sufficient response to my doubts. Should that be the case, I would refer them to my previous article.

ANALYSIS BY PRINCIPLE

The ‘Apologia’ section provides the ‘collection of additional publications relevant to the Adaptive BC Manifesto’. It is basically a selection of articles, papers, interviews and a ‘free tool’ that is a trademark (‘The Readiness TestTM’) and links to an external page where only ‘three “EZ” tests are free for basic results; others require a subscription’. Interestingly, however, the footer of the Adaptive BC ‘Apologia’ webpage states: ‘This is a non-commercial website dedicated to the presentation and discussion of materials associated with Adaptive Business Continuity’.

These contents are supposed to support the ten principles of Adaptive BC. However, I can tell some of them:

  • Have absolutely nothing to do with this approach.
  • Have been written by thought leaders who publicly endorse ‘traditional’ business continuity methodology.
  • Have been used in this context – most likely – without any consent of their authors. ‘I administer the website. All articles are in the public space: I provide links to the original content’ [David Lindstedt – Adaptive BC Founder in a comment to my previous article].

I have provided a broad review of the Adaptive BC principles already, therefore I will not provide further comments on the technical flaws of the contents that are displayed in this section. Still, please let me briefly analyse the most relevant inconsistencies in the professional method they are using to support their principles:

1. Deliver continuous value

  • The article The Top Five Ways to Fail At Business Continuity by Ryan Hutton and Jacque Rupert is a perfect compendium of suggestions for business continuity practitioners. To use the words of its authors: ‘This article discusses five of the most common reasons why business continuity planning initiatives fail, their consequences and what can be done to avoid them’. The problem is that Adaptive BC is not even mentioned nor indirectly endorsed, and the article itself offers no criticism to international standards and best practices.

2. Document only for mnemonics

  • The article Why Disaster Recovery Plans Fail by Richard Muniz identifies four basic reasons, all of which are very reasonable. But, once again, there is no reference to Adaptive BC, and no criticism to ‘traditional’ business continuity methodology.

3. Employ time as a restriction, not a target

  • This principle is not mentioned in the Apologia section.

4. Engage at many levels within the organization

  • ‘Suggestions Needed’. No links are provided to support this principle.

5. Exercise for improvement, not for testing

  • The only article to support this principle is by Mark Armour – Adaptive BC Advisor and Co-Author of the ‘Manifesto’. Therefore, there is no inconsistency.

6. Learn the business

  • There are two interviews conducted by David Lindstedt – Adaptive BC Founder to support this principle. Therefore, there is no inconsistency.

7. Measure and benchmark

  • The paper entitled ‘The Problem of Measuring Emergency Preparedness’ by Brian A. Jackson is not about business continuity, and it does not make any direct or indirect reference to Adaptive BC. Furthermore, it does not seem to criticize the ‘traditional’ business continuity methodology in any way.
  • I have commented already about the ‘The Readiness TestTM’, which sounds like surreptitious advertising for a commercial tool by Readiness Analytics, LLC which was founded by David Lindstedt and ‘is now Adaptive BC Solutions’ [Source: Readiness Analytics website] providing consulting, training and auditing services.

8. Obtain incremental direction from leadership

  • There are two interviews conducted by David Lindstedt – Adaptive BC Founder and an article by Mark Armour – Adaptive BC Advisor and Co-Author of the ‘Manifesto’ to support this principle. Therefore, there is no inconsistency.

9. Omit risk assessments and business impact analyses

  • The paper entitled Myth #2 — You Need a BIA by Sean Murphy does not suggest omitting BIAs. The title is clearly provocative, and the paper opens with some disappointing experiences the author had during BIA processes in earlier stages of his career. Soon after, though, he states: ‘What I learned later on is that a BIA can actually be very valuable, if done correctly with clear intention and a thoughtful approach’. And again ‘A BIA informs our planning efforts; specifically, the development of a company’s critical path, which defines time sensitivity, priority, and sequence of business processes. This helps leadership understand priorities during a disruptive event when we often have limited access to the resources we are used to working with, such as working space, equipment, applications, and team members. The critical path is crucial because it gives teams a way to define and analyze recovery time objectives (RTOs) across the company, and confirm recovery priorities and their sequence. From there, teams can develop resiliency strategies and integrate these into ongoing operations to recover the business’.
  • As well, the article ‘Lessons learned from 15 years of conducting BIAs’ by Samuel Shantan does not say anything about not performing BIAs. In fact, it provides a list of common problems and suggestions for a better BIA process. Within the conclusion, the author provides a positive comment on international standards and a tip for ‘novice’ organizations: ‘The new ISO/PRF TS 22317 technical guidance standard on BIA is a good initiative to complement ISO 22301 but in an organization with less maturity, challenges need to be addressed without spending too much time on the BIA, while the results of priorities of processes and resources need to be accurate to invest in the right business continuity setup’.
  • The article The minimum business continuity objective: the Cinderella of the BIA… by Charlie Maclean-Bristol is about the importance of the MBCO in the BIA process. How this relates to the Apologia’s ‘Omit risk assessments and business impact analyses’ principle is not clear. It does not contain any comment against the BIA itself, the international standards or the best practices. The MBCO is actually mentioned in the ISO 22301, in the ISO/TS 22317 and in the BCI Good Practice Guidelines.
  • The article The RTO reality check’ by Peter Godden is about the relationship between RTOs and disaster recovery testing. It has several reasonable observations on the complexity of IT disaster recovery and the struggles in defining / meeting realistic RTOs, but there is no direct or indirect reference to Adaptive BC and nowhere is omitting risk assessments and business impact analyses suggested.

10. Prepare for effects, not causes

CONCLUSIONS

If we all – including Adaptive BC proponents, of course – are passionate about our work and believe in the benefits of continuity planning for the organizations we manage, consult or train, we should definitely keep the discussion around the discipline’s technical aspects alive.

However, we all – including ‘traditional’ business continuity practitioners and myself in the first place, of course – must always remember that professional conduct is not limited to standards, best practices, methodology and principles; it is also about supporting our arguments with facts and considerations that are backed by evidence and purveying them with a fair attitude.

Professionalism also means stepping up if and when we see something wrong. We owe it to the newcomers of this industry, to our clients and stakeholders in general. After all, we all want our profession to grow and be recognized across business communities, industries, countries and regions. We can disagree and get passionate in our debates, but it has to be for the good of business continuity. This would be the true revolution.