Technical Review: Adaptive BC Reinvents the Wheel


From Alberto Mattia, CEO and General Manager at PANTA RAY.

As a business continuity practitioner and consultant, I have always felt it is my duty to: (i) invest a significant amount of time (and money!) in professional development; (ii) be open to any innovation that can bring benefits to my clients’ business. This is why I am very much involved with the Business Continuity Institute, and why I strongly support the update and distribution of ISO standards.

As such, I have been hearing about Adaptive BC on Linkedin for a few months now so – since its proponents present it as a ‘(r)evolution’ – I was very curious to learn more about this ‘alternative approach to traditional continuity planning’.

The very first thing you see when you visit the Adaptive BC website is the claim that ‘the practices of traditional business continuity planning have become increasingly ineffectual’. Since there is no further explanation on the homepage, I immediately asked myself: what makes them think so?

I therefore read their whole website, their Manifesto and Apologia, and many (many!) of their articles. I also watched a few videos. And now I think I have a clearer picture.

WHAT DOES TRADITIONAL MEAN?

I am sorry if I become philosophical on this, but in my opinion the key to understanding their skepticism towards ‘traditional continuity planning’ lies in the meaning of the word ‘traditional’. It means ‘following or conforming to tradition: adhering to past practices or established conventions’ [Source: Merriam-Webster].

In business continuity – like in all other subjects – we have to admit that practitioners have ‘traditionally’ made many mistakes. Indeed, several theoretical and practical misunderstandings persist among the global community of continuity professionals. That is why, though, experts dedicate their time and resources to developing international standards and best practices: they hope these will eventually become the new ‘tradition’. This is exactly what Adaptive BC proponents think they are trying to do.

However, both in general and for this article, ‘traditional’ business continuity methodology must reflect the tenets proposed by international standards (e.g.: ISO) and best practices (e.g.: guidelines issued by globally recognized continuity and resilience professional bodies).

IS THE ADAPTIVE BC MANIFESTO (R)EVOLUTIONARY?

The document starts with a definition of Adaptive BC that shows no significant differences from those of ‘traditional’ business continuity. And while I definitely prefer the definitions of ISO 22300, as I think these are more effective and purposeful, there is no point disputing linguistic style. Onward.

It then highlights the drivers that led to the need for Adaptive BC and the Manifesto itself. Adaptive BC proponents claim BC methodology ‘has made only small, incremental adjustments, focusing increasingly on compliance and regulations over improvements to organizational readiness’. Even if it is definitely true that many Authorities all over the world have developed regulations that do not support effectiveness and encourage the production of huge quantities of paper for mere regulatory reporting purposes, this observation has nothing to do with the methodology itself.

In fact, all relevant standards and best practices focus on:

  • The development of an organizational capability to deliver products/services following disruptive incidents;
  • Providing a framework for building organizational resilience, with the capability of an effective response;
  • The continuous improvement of business continuity, according to the Deming Cycle (Plan-Do-Check-Act).

The purpose of the Manifesto appears to be misleading as well. They state ‘Adaptive BC transforms or eliminates the majority of traditional activities in the continuity planning industry’ and also that ‘it focuses the discipline and its practitioners on proven practices’; however, as I will explain in detail shortly, I can neither see evidence of innovative transformations nor do I think the practices they propose as alternatives can ever be proven.

REVIEW OF THE TEN PRINCIPLES

1. Deliver continuous value; this is a key principle of ‘traditional’ business continuity as well, which is fully accepted and recognized by all international standards and best practices. There is really nothing new about this. ‘The programme is flexible to changes in the internal and external operating environment and delivers measurable value to the organization’ [Source: BCI Good Practice Guidelines]. The main criticisms Adaptive BC levels against ‘traditional’ business continuity are:

  • The inability to deliver frequent / short-term value, yet there is plenty of evidence that business continuity methodology improves organizational effectiveness in any stage of its lifecycle, even when no disruptions occur.
  • And the fact that the delivery of value is dictated by the methodology, not by the situation. But ‘traditional’ business continuity does not even need a ‘situation’ to deliver value.

2. Document only for mnemonics; once again, this is widely suggested by all industry standards and best practices. They state ‘evidence clearly demonstrates that most people cannot pick up an unfamiliar and complicated plan at time of disaster and use it for an effective and efficient response’ and I could not agree more. But ‘traditional’ business continuity methodology already provides for this reality, by saying that ‘Plans are intended to be used in high pressure, time limited situations. A user-friendly plan should be concise and easy to read. Plans are not reports and should not contain unnecessary information that is not needed during an incident’ [Source: BCI Good Practice Guidelines].

3. Employ time as a restriction, not a target; this is gobbledygook. Also, within the following explanation they state:

  • ‘How long an organization can cope without a particular service will almost always depend on an integrated combination of factors too numerous to identify and too complex to quantify’, which leads me to think they are not familiar with the need for a ‘worst-case scenario’ assumption when determining the impacts of a disruption to set recovery objectives (or restrictions, as they prefer). ‘Traditional’ business continuity methodology has successfully addressed this specific issue already, and supports practitioners in prioritizing critical services or processes according to ‘time restrictions’.
  • ‘In this context, forcing a single answer for a recovery time target is often impossible, inaccurate, and ill-advised. Realistically, the best answer to, “How soon does service X need to be recovered?” is, “It depends.”’, but this is NOT a question you should ask when setting recovery targets. Actually, this kind of question must be carefully avoided according to the ‘traditional’ business continuity methodology, as it biases the analysis with subjective perception. Brian Zawada and Ian Charters delivered a fantastic presentation [What makes a great BIA interview?] on this matter at the BCI World Conference and Exhibition last year.

4. Engage at many levels within the organization; this is another recurring principle of ‘traditional’ business continuity methodology. However, within their explanation of this principle they claim, interestingly, that: ‘Traditional planning methodology focuses on gaining executive (and only executive) support’. I wonder what methodology they are referring to, because all international standards and best practices encourage business continuity planning at all levels of the organization. ‘Business continuity plans can be created to address the strategic, tactical, and operational requirements of an organization. The number and type of plans to be put in place should be determined by the response structure and the business continuity solutions agreed in the Design stage of the lifecycle. This should reflect the existing management structure as well as the size, complexity, and type of organization’ [Source: BCI Good Practice Guidelines]. And again ‘Top management shall ensure that business continuity objectives are established and communicated for relevant functions and levels within the organization’ [Source: ISO 22301:2012].

5. Exercise for improvement, not for testing; I totally agree with this principle, as every BC practitioner worth their salt should do. However, it certainly does not represent innovation. ‘The organization shall conduct exercises and tests that are reviewed within the context of promoting continual improvement’ [Source: ISO 22301:2012]. And again: ‘Exercising aims to achieve various outcomes, including: validating competency and building confidence in personnel with relevant roles and responsibilities; developing team work; raising awareness of business continuity throughout the organization’ [Source: BCI Good Practice Guidelines]. In the ‘traditional’ business continuity industry, we say that an exercise that shows no criticalities, gaps or areas for improvement is a failed opportunity, not a success. Tests are only a small part of the validation phase of the BCM lifecycle.

6. Learn the business; please allow me to say this is a truism passed off as a ‘(r)evolution’. They claim: ‘Traditional continuity planning focused practitioners more on strict methodology and prescribed compliance than on the genuine effectiveness of the work performed’, which is very far from being true. All international standards and best practices explicitly encourage the full alignment between the BCMS and organizational (business) objectives. ‘The organization shall establish BCMS requirements, considering the organization’s mission, goals, internal and external obligations (including those related to interested parties), and legal and regulatory responsibilities’ [Source: ISO 22301:2012]. And to give just one example, as a consultant, I always (always!) remind my clients that no-one can write a plan better than the service- or process-owner who knows every detail of the business, and that we (BC practitioners) wish to limit our activity to consultation and to supporting the coordination of the continuity planning process.

7. Measure and benchmark; while I recognize that objective measurement and benchmarking of business continuity effectiveness can be very complex, it is absolutely incorrect to claim, as they do, that ‘Traditional continuity planning relied on the accumulation of deliverables or conformity to defined standards as metrics without regard for the effectiveness of such materials or activities’. Once again, ‘traditional’ business continuity methodology supports performance evaluations that address the effectiveness issue. ‘The organization shall evaluate the BCMS performance and the effectiveness of the BCMS’ [Source: ISO 22301:2012]. And ‘The purpose of a review is to evaluate the business continuity policy and programme for continuing suitability, adequacy, and effectiveness’ [Source: BCI Good Practice Guidelines]. Therefore, this is another principle that entails no significant innovation.

8. Obtain incremental direction from leadership; I believe this principle is based on a misunderstanding of the ‘traditional’ BCM lifecycle, as proposed by different professional bodies. In fact, Adaptive BC supporters say:

  • ‘Traditional continuity methodology insisted that the practitioner obtain formal support from executive leadership before any work could begin. Standards dictated that all program objectives be identified, documented, and approved by the executive team before the practitioner could even begin work to prepare the organization’, but this is something they deliberately take to extremes to justify the need for such a principle. Standards and best practices simply recommend obtaining top management commitment during all phases of the BCMS, as it should be. In fact, if you start writing a plan without having the executives’ approval on the design phase (continuity solutions) and incident response structure, there is a significant risk that your plans will display inconsistencies and/or be ineffective.
  • ‘Using an incremental approach, the practitioner can consistently deliver value and make beneficial course corrections based on regular feedback’, and this is something that is fully aligned with international standards and best practices that recommend continuous feedback and consultation with the strategic level of the organization in any phase (e.g.: policy approval, BIA validation, continuity solutions selection, crisis plans editing, tactical / operational plans validation, crisis scenario simulation, post-exercise reporting, plans maintenance, management review, performance appraisal, audit phase, etc.).

9. Omit risk assessments and business impact analyses; once again, this claim is not very original and it can also be quite damaging for an organization. This is why I think experts should engage more and more in the development of ‘traditional’ industry standards and best practices. The number of times I have been asked to write a plan without the support of any kind of assessment / analysis is very high. I have always refused to engage with these clients, for the benefit of both my own reputation and the PANTA RAY brand. Luckily, this kind of request is steadily decreasing year after year. The arguments they offer in support of this principle are rather odd:

  • Risk Assessments
  • ‘The results of a risk assessment may lead the practitioner, leadership, participants, and organization as a whole to prepare for and mitigate threats that never materialize while other non-identified threats materialize instead’. Based on my experience, which is not – immodestly – narrow, the materialization of non-identified threats is exceptional and largely due to lack of risk management awareness / experience. What definitely is common, instead, is the materialization of underestimated threats. Nevertheless, considering the benefits risk assessments bring to business continuity, this is not sufficient reason to discard them.
  • ‘Some threats, such as cyber attacks, disgruntled employees, and utility or infrastructure disruptions, are identified and mitigated but materialize nonetheless.’ This sounds like ‘sometimes prevention does not help people avoid illness’. What should we do, then? Shall we invest only in continuity planning (therapy), without wasting time on risk assessments, which provide the basis for risk treatment (prevention)? It would definitely be easier, but also unrealistic and therefore wrong. It is both elements combined that lead to improved organizational resilience (the patient’s health).
  • ‘Risk assessment is a technique of risk management, a discipline with its own body of knowledge apart from business continuity. Administering a proper risk assessment and implementing the resulting action items may necessitate deep knowledge of actuarial tables, information security, insurance and fraud, state and federal regulations, seismological and meteorological data, and the law. Typical continuity practitioners do not possess such deep knowledge; those who do are most likely specifically trained as risk managers’. I do not disagree with this, BUT – since every organization has a limited budget – how do top managers decide how to prioritize interventions to mitigate business continuity risk, without a proper risk assessment process in place? The key, as always, lies in the collaboration between risk and continuity experts. And once again, this is not an innovation: this same principle is well-explained in the ISO 22301, which explicitly refers to the ISO 31000 in the 8.2.3 Risk Assessment clause (implying that this is a subject for risk experts).
  • Business Impact Analysis (the information they provide on the BIA’s purpose is inaccurate and misleading, to the point of needing an entirely separate article)
  • ‘Rainer Hübert’s definitive paper, “Why the Business Impact Analysis Does Not Work,” makes a compelling argument for the industry to abandon the practice of BIA work entirely because of the “very costly and even fatal misinterpretations and misrepresentations” inherent in the process’. I sadly read on Mr. Hübert’s (public) Linkedin profile that he is retired and is no longer able to contribute. Therefore, I have decided not to comment on his paper. However, I must point out that it was published in May 2012, around the time when the ISO 22301 was issued and way before the publication of the ISO/TS 22317, which is now the international standard for business impact analysis. If a BIA is compliant with ISO/TS 22317 principles, and is conducted by an experienced practitioner who knows how to do it (see my comment above on principle #3) it is highly beneficial to the organization. The fact that some (many?) practitioners do not know how to perform a BIA properly does not make it worthless.
  • ‘Executive leadership can be trusted to identify critical services based on their experience and knowledge of the organization’. First of all, this sounds contradictory with principle #4 (see above). Secondly, the Initial BIA phase as outlined by the BCI Good Practice Guidelines already entails the involvement of executive leaders in the selection of critical products / services. However, especially in large and complex organizations, tactical and operational levels need to be involved too. Otherwise, the ‘proper sequence to restore services’ (see right below) would be extremely vague.
  • ‘The proper sequence to restore services at time of disaster will depend on the exact nature of the post-disaster situation, a situation that cannot be predicted ahead of time’. I have already commented on the need for a ‘worst-case scenario’ assumption when conducting the BIA (see my comment above on principle #3). Furthermore, this sounds contradictory with principle #10 (see right below).

10. Prepare for effect, not causes; I perfectly agree with this point, but yet again it is neither innovative nor ‘(r)evolutionary’. Indeed, international standards always refer to ‘disruptive incident’ generically and encourage organizations to be ready for any kind of disruption, no matter the cause. In the explanation of this principle, Adaptive BC promoters list the effects of an incident – ‘Unavailability of location, people and resources (physical or virtual)’ – and state: ‘An organization cannot responsibly afford to plan for so many causes’. This is why ‘traditional’ business continuity methodology supports the principle according to which ‘The CMP [Crisis Management Plan] should be focused on the provision of a generic response capability. It should not be scenario-specific, as a plan for every possible contingency would be unwieldy, potentially suppress flexible thinking and action, and miss the point that many crises are essentially unforeseeable and impossible to plan for in precise detail’ [Source: BS 11200:2014].

WHAT IS NEW WITH ADAPTIVE BC THEN?

Nothing new, unfortunately.

They present the Manifesto’s ten principles as a way to synthesize and foster improvements and innovations across the industry; however, the professional community has accepted most of them for decades now (Adaptive BC simply presents them anew, and questionably so), while a few of them are actually common mistakes that experts have proven wrong countless times.

My personal feeling is that they are re-packaging as a ‘(r)evolution’ ideas that have been current since the late ‘80s / early ‘90s, when the first business continuity international professional bodies were founded.

CONCLUSIONS

Instead of fighting BC methodology, more efforts should be put into influencing the debate around the need to update local and international regulations in a way that forces organizations to deliver results rather than pointless documentation.

Adaptive BC sounds like nothing more than a mix of common sense and, regrettably, of poor knowledge of international standards and best practices.

Having said that, I must recognize that they are raising an important issue: most practitioners are still unaware of industry standards / best practices or do not know how to apply them effectively. This is something that BC experts / industry leaders should seriously work on. Thought leadership demands the courage to step up and take a stand. Are we, as leaders, doing enough?