The past couple of decades have seen huge changes in the world and our field. Read on for a list of a dozen business continuity practices that have fallen into disuse or are no longer recommended.
Related on MHA Consulting: All About BIAs: A Guide to MHA Consulting’s Best BIA Resources
The past twenty-five years have seen a lot of changes in the world especially as pertains to business. A partial list would include: the 9/11 terrorist attacks, the rise of the internet and cell phones, the spread of cybercrime, globalization and the lengthening of supply chains, the COVID pandemic, the growing impact of climate change, growing international tensions, the shortening of attention spans, and the rise in cloud computing.
Most of these have had demonstrable impacts on the practice of business continuity management (BCM), rendering some traditional practices obsolete and ushering in new concerns and techniques.
At the same time, the fundamental focus and strategies of BCM have remained constant, eloquent testimony to the soundness of the ideas on which BC is built.
It’s interesting to look at BCM practices that have fallen into disuse or are no longer regarded as beneficial or sufficient. It’s also informative in that in can help us think about how we should update our practice to ensure we are adapting to changing times.
A Dozen Outdated BCM Practices
Here are a dozen BCM practices that have become outdated or are in the process of being superseded by new ways of doing things:
- The biennial BIA. Traditionally, organizations conducted a Business Impact Analysis every other year or even less frequently, but in today’s fast-moving world, that’s not sufficient. It leaves too much time for systems and applications to change, reducing the relevance of the BIA and the recovery plans based on it. These days, a more frequent tempo of BIAs is needed to ensure you have truly identified and protected your most critical processes and dependencies. Companies should conduct a basic BIA or update at least annually, and in some cases, for highly critical departments or processes, quick quarterly check-ins are advisable.
- The marathon BIA. BIAs used to be a complex production with interviews that would drag on for hours. In today’s world, this approach is a nonstarter. People conducting BIAs need to be prepared, efficient, and surgical, especially when making claims on their colleagues’ time.
- The go-dark media strategy. Once upon a time, companies experiencing turbulence could get away with telling reporters “No comment” and declining to share information about internal company matters. In the days of social media and internet news sites, such an approach amounts to public relations malpractice. Companies need to be forthcoming in talking about what’s happening to them. If you don’t control the message that’s being put out about your company, someone else will.
- The single RTO and RPO. There was a time when it was considered sufficient to have one RTO (Recovery Time Objective) and one RPO (Recovery Point Objective) for a given business process. Nowadays, we recognize that the criticality of a given process can vary greatly depending on the time of the week, month, or year. That’s why companies that are sophisticated about business continuity should consider moving toward identifying multiple RTOs for a given process, where applicable. This helps ensure that recovery plans track with the company’s needs through all the phases of the year.
- The one-and-done “Big Bang” exercise. There’s still a place for the annual “Big Bang” business continuity exercise, but in the old days that was all many companies did. That’s no longer enough. Organizations should conduct a variety of tests of different intensities throughout the year with the scenarios changing as the threats change. Ideally, some should be chaos tests where more than one type of event or situation occurs. The company should consider operating manually for a short period of time as well.
- The traditional alternate work location. In the old days when everyone worked in the office, an alternate work location usually meant one facility where everyone would go to keep the business running if the main site became unavailable. In the age of remote work and the hybrid workplace, the need for such sites has contracted. At the same time, a new need has developed: one for a place remote workers can go if they are no longer able to work at home (due to a power outage or whatever it might be). The fundamental need for a place people can go to do their jobs if their usual workplace is unavailable is the same as ever.
- The “What, Me Worry?” approach to cybersecurity. In the early days of networked computing, virtually no one worried about cybersecurity. The threat was minimal and security was light. Obviously, that innocent, relaxed approach is a thing of the past. These days worry about cyberattacks is one of the things that keeps BC, IT, and Information Security professionals awake at night.
- The “What, Me Worry?” approach to third-party management. Concern with vendor security has followed a trajectory similar to that of cybersecurity. Two or three decades ago, few people worried about the resiliency of their supply chains. Almost no one saw them as a significant source of potential disruption. Nowadays, with globalization, the rise in extreme weather, heightened international tensions, and the vulnerabilities of the shipping industry that were revealed by the pandemic, the old approach has become insupportable. Thoughtful organizations have moved heavily into strengthening their supply chains and vetting the BC and DR capabilities of their service providers and third- and fourth-party vendors.
- The company-owned DC and physical servers. In the old days many mid-sized and large organizations had their own data centers and physical servers. Now relatively few do, and the number is shrinking all the time. The virtualization of IT has greatly changed this aspect of BC and IT/disaster recovery; however, the need to ensure that critical services have the appropriate protections is as great as ever.
- The subordination of BC to IT. It used to be common for BC to be slotted under IT, either officially or unofficially, reflecting the fact that BC matured later than IT and was initially seen as an offshoot of it. Nowadays BC is usually a unit unto itself, and in progressive organizations, it tends to be part of the Risk department (since BC is all about risk mitigation).
- The stand-alone recovery plan. Years ago it was the norm for each department or business unit to have its own stand-alone recovery plan. Some organizations still do this, but we now realize this can lead to inconsistencies and inefficiencies. Thoughtful organizations now work to establish an integrated response, something that requires the BCM program to ensure collaboration, knowledge sharing, and standardized practices across the entire organization.
- The everything-but-the-kitchen-sink recovery plan. In the old days, recovery plans tended to be huge documents in big binders that explained everything in great detail. Nowadays, there’s a recognition that recovery plans should be slimmed down and put in checklist form, including only as much information as a knowledgeable professional would need to know to carry out the task. Background material should be left out or confined to the appendix. Regarding plan storage format, there’s still a place for hard-copy plans. The best approach is to keep plans in a variety of formats and locations to ensure they can always be accessed during a crisis.
Things That Have Not Changed
Recent changes in technology, business, global politics, and the environment have caused many old-school BCM practices to fall out of use or be superseded. Organizations need to continually evolve their practice of BC to ensure they are ready to cope with present-day challenges and threats.
At the same time, the underlying principles of BC endure. First and foremost of these is the need for organizations to identify and protect their critical processes, systems, and dependencies so they can continue to carry out their vital operations no matter what disruptions strike them.
Further Reading
For more information on BC best practices and other hot topics in BCM and IT/disaster recovery, check out these recent posts from MHA Consulting: