Copper Bonded Grounding Tape and Copper Bonded Grounding Strip
Lindstedt -Grounding the Discipline of Business
-
Upload
shahid-rashid -
Category
Documents
-
view
213 -
download
0
Transcript of Lindstedt -Grounding the Discipline of Business
-
8/18/2019 Lindstedt -Grounding the Discipline of Business
1/10
tions, standards and other continuity prac-
tices. Finally, the paper outlines areas for
future research with an eye to proving the
efficacy of BCP, especially to executives and stakeholders.
Keywords: business continuity, busi- ness resilience, certification, discipline, profession, grounding
INTRODUCTION
If business continuity planning (BCP) is to
be an acknowledged discipline, it must be
placed on firm footing, from both a
theoretical and practical stance. Currently,as anyone working in the field is likely to
say, it is not well defined by its prac-
titioners and not well understood by its
customers.1 Its lines of responsibility are
blurry, bleeding into areas of IT disaster
recovery, risk management, crisis manage-
ment and others. This paper offers an
approach to reverse this trend and more
firmly ground the discipline and profes-
sion of BCP.
WHAT IS AT STAKE?
The profession
What is expected of the business
continuity planner? Expertise of haz-
ardous waste disposal? Ability to
configure a backup server? DRI Interna-
David Lindstedt is the Director of Enterprise
Continuity Management for The Ohio State
University. The Ohio State University is the
largest university in the USA with approximately 60,000 students and 38,000 employees in 928
buildings on five campuses. He administers
business continuity software for a ‘BCP federa-
tion’ of nine Ohio universities, and serves as the
chair of the Ohio Regional Users Group. Prior to
his work in business continuity, he worked as an
IT consultant and the manager of a pro-
gramme management office. David holds a PhD
from Tulane University, is a Certified Business
Continuity Professional (CBCP) and a Project
Management Professional (PMP).
A BSTRACT
Business continuity planning (BCP) is emerg-
ing as a profession unto its own. It is
separating itself from related fields such as
emergency management, IT, disaster recovery
and risk management. But can it attain the
status of an independent discipline? And if so,
what is, and is not, included in this new
discipline? What are the core competencies that
should be required of its practitioners? This paper offers an approach to founding BCP as
a discipline, but with a narrower demarcation
than traditionally accepted. It presents three
criteria by which to delineate and ground BCP.
It discusses the difference between BCP and the
more encompassing ‘business resilience’, and
emphasises the need to clearly choose one or the
other of these contexts when discussing certifica-
Grounding the discipline of business
continuity planning: What needs to be
done to take it forward?
David Lindstedt
Received (in revised form): 8th October, 2007
The Ohio State University, 1121 Kinnear Road, Columbus, OH 43026, USA Tel: 1 614 688 3086; E-mail: [email protected]
Journal of Business Continuity & Emergency Planning Volume 2 Numb
Page
Journal of Business Continuity &
Emergency Planning
Vol. 2 No. 2, pp. 197–205
Henry Stewart Publications,
1749-9216
-
8/18/2019 Lindstedt -Grounding the Discipline of Business
2/10
tional’s ‘Professional Practices’ publication
includes risk evaluation, emergency
response and crisis communications as
core BCP practices,2 while other
organisations cite different requirements.Where does one draw the circle around
the discipline of BCP? This is not a
trivial matter. At the most fundamental
level, a profession that is not well defined
cannot ultimately prosper. Customers
cannot be expected to be satisfied with a
service they do not understand. Analysts
cannot hope to provide useful research if
the scope of their analysis is poorly
demarcated. Executives cannot be ex-
pected to support a BCP programme if they consider it as simply part of another
function of the business, like emergency
services or risk management. The
profession as a whole may eventually be
in danger of either being swallowed up by
other disciplines or divided up and farmed
out to other areas.
Standardisation and certification
Proper standards cannot be established
without a clear understanding of the
profession it is standardising. To whatdiscipline should standards such as National
Fire Protection Association (NFPA) 1600
or BS25999 be applied? BCP alone? Some
combination of all professions involved in
a wider effort to protect the organisation?
Should a BCP professional be expected to
perform and comply with all areas of these
standards?3 If executives decide to adopt
one of these standards for their organisa-
tion, which area should be expected to
bring the organisation into compliance?This may become a more pressing con-
cern as more legislation regarding public
and private preparedness is introduced.
Before experts can argue the merit, details
and proper responses to legislation such as
the US Senate Bill S 4,4 they will first
have to identify the disciplines to which
the recommendations will apply.
In the same vein, rigorous certification
standards cannot be created and applied
without a clear understanding of the dis-
cipline of BCP and the appropriate ex-
pectations of its practitioners.
Funding and authority
On the most practical level, BCP will not
receive the appropriate budgets, staf fing or
authority if it cannot be shown to be of
value. Executives will not fund and
support BCP programmes without proof
that professionals can directly and posi-
tively impact the organisation. When
push comes to shove, BCP will never
achieve solid recognition and supportwithout the numbers to justify its under-
taking.
As a recent study from the
EDUCAUSE Center for Applied
Research summarised:
‘BC continues to be largely a back-
engineered process whose technical
aspects are left to IT and whose
business aspects are only investigated
after the fact. Once post hoc attention
is finally brought to bear on BCquestions, the familiar issues of uncoor-
dinated action, unclear funding, and
ambiguous ‘‘ownership’’ of BC are
ready to flourish.’5
In order to address the above concerns,
BCP must be placed on a firm founda-
tion, both in theory and practice. The
remainder of this paper outlines how this
might best be accomplished.
THEORETICAL GROUNDING
The discipline of business continuity plan-
ning ought to be grounded on the follow-
ing three criteria:
1. BCP is (narrowly) centred on the
continuity of processes and functions.
Grounding the discipline of business continuity planning
Page 198
-
8/18/2019 Lindstedt -Grounding the Discipline of Business
3/10
value and trained accountants are its best
practitioners. Law is a discipline because
there is a body of knowledge centring on
the theory and practice of law, the work
has particular value and a lawyer is abetter practitioner than a layman. While
it is necessary to better define and defend
each criterion, they should serve as the
foundation for discussion.
THEORY: WHAT IS INCLUDED?
If it is right that BCP should be con-
cerned with the continuity of processes,
that it is worth doing and that it is best
done by BCP professionals, then there isa good position from which to understand
what ought to be included in the dis-
cipline. Based on the three criteria, the
following sub-areas should be included
under BCP:
• business impact analysis;
• recovery time objectives;
• resources and locations;
• process continuity plans/strategies;
• incident management plans/strategies;
• exercises.
While much can be said about each of
these sub-areas, the following comments
will be brief.
The staple of BCP to date has been
the business impact analysis (BIA), and
this is properly so. Naturally, if BCP is
going to ensure the continuation of busi-
ness processes, the practitioner must know
what those processes are and why they
matter. BCP must therefore be able toidentify the processes of the business, the
functions they perform, the impact (quan-
titative and qualitative) of their loss, and
their upstream and downstream depend-
encies. The BCP practitioner must work
with leadership to drive and establish
recovery time objectives (RTOs) for each
process as well as upstream and down-
It is the ‘process of developing ad-
vance arrangements and procedures
that enable an organisation to respond
to an event in such a manner that
critical business functions continue withplanned levels of interruption or essen-
tial change’.6 This means that the core
of BCP is the discipline of identify-
ing and ensuring the continuity of
processes. One may wish to think of
BCP as ‘process continuity planning’.
2. Process continuity planning is valuable
work that needs to be undertaken.
While better research is required to
prove this point conclusively (see the
section on practical grounding, below),there should at least be the correct
intuition that processes drive a busi-
ness, businesses drive an economy and
support a nation, and it is worth the
time, money and effort to ensure the
continuity of most businesses. Hence,
there are fiscal, political, and poten-
tially ethical arguments to be made as
to why continuity planning must be
performed and supported as a dis-
cipline unto itself.
3. No other profession can properlyprovide the service of process con-
tinuity planning. This is the (mostly
unstated) assumption that there is
rightly a BCP discipline to be learned
and a methodology that can be
discovered and improved. Again, while
research needs to be directed to this
area, there is the instinct that there are
better and worse ways to perform
continuity planning, and those better
ways are chiefl y accessible (and, it ishoped, known) only to the BCP
professional.
These three criteria are not unique (save
for the content of criterion 1). Account-
ing is a profession because there is a body
of knowledge surrounding the tracking
and payment of monies, it has proven
Linds
Page
-
8/18/2019 Lindstedt -Grounding the Discipline of Business
4/10
stream dependencies, including IT sys-
tems.
Because processes need resources and
locations to recover, BCP should focus
on identifying and securing these relevantresources. Identifying, making contact with
and securing the services of vendors may be
a necessary component of this work, as well
as obtaining, staffing and equipping on- or
off-site recovery locations.
If the processes are going to continue in
the wake of a disaster, BCP must work
with the owners of these processes to
develop (and exercise) appropriate con-
tinuity strategies. The BCP practitioner is
the proper person to situate each processwithin the context of the entire busi-
ness and to facilitate the development of
these plans/strategies, from response, to
recovery, to restoration. They are also one
of the persons best qualified to develop,
facilitate and judge the outcome of exer-
cising these strategies.
Finally, BCP must ensure that the busi-
ness is capable of reacting and responding
to a potential disaster incident. Incident
management plans/strategies are therefore
the proper purview of BCP, and they mayrightly go into some detail. If leadership
cannot guide the business through an
incident, it will be much more dif ficult (if
not impossible) to recover the individual
processes. Accurate and available contact
information for vendors, agencies and staff
is a must. The BCP practitioner must be
knowledgeable in many aspects of this
area to ensure that leadership can ef-
fectively respond to an incident. Other
aspects may include:
• emergency responders protocol (eg the
US National Incident Management
System (NIMS) and Incident Com-
mand System (ICS), general police and
fire response activities, environmental
health and safety procedures);
• HR requirements and concerns;
• psychology of crisis situations;
• facilities management and damage as-
sessment;
• workforce continuity;
• general leadership and communicationsactivities.
This discussion of what ought to be
included in BCP is not meant to be
exhaustive. Analysts should be able to
evaluate other areas and activities to
determine their fit within the discipline.
Analysts should also be able to judge their
unfitness, as in the next section.
THEORY: WHAT IS EXCLUDED?
If the criteria presented above are used to
judge what activities best belong to BCP,
then many activities which are often in-
cluded under BCP should be excluded.
At the top of the list are emergency
management, IT disaster recovery and risk
management. Each of these is a dis-
cipline unto itself, with its own body of
knowledge, certifications and programmes
of study. These should not be part of BCP
because they do not meet criterion 3;each is best performed by its respective
discipline. Therefore they should not be
folded into the discipline of BCP.
Perhaps this is intuitive when it comes
to emergency management and IT dis-
aster recovery. For example, the BCP
practitioner should not advise staff on
proper evacuation techniques, unless they
have been trained in the (separate)
discipline of emergency management.
Likewise, a detailed discussion of storagearea network options and mirroring
techniques does not belong in a course on
BCP but rather in a course on IT disaster
recovery.
But this line of thinking applies to risk
management as well. Counter to many
current beliefs, BCP should not involve
risk analysis. Risk analysis fails to meet
Grounding the discipline of business continuity planning
Page 200
-
8/18/2019 Lindstedt -Grounding the Discipline of Business
5/10
3. Many communications and journalism
programmes focus on this topic well apart
from the context of process continuity.
BCP practitioners can learn from this
separate discipline — but while a goodcontinuity plan must include crisis com-
munication placeholders, it should not be
a core competency of BCP.
An even greyer area is that of crisis
or reputation management, namely, ef-
fectively responding to a public event
in order to preserve the reputation and
branding of a product or company (eg the
textbook example of the Tylenol scandal).
To ensure continuity of processes, the
continuity of the business must be en-sured, as argued above. Crisis manage-
ment could arguably be part of incident
management, which is to be included in
BCP. However, this could be seen to
violate criterion 3, in that it is best
handled by experts of crisis communica-
tion. Perhaps there is a subset within crisis
management that is properly BCP.
The above list of what should be ex-
cluded from the discipline of BCP is by
no means comprehensive. Analysts should
be able to use the criteria presented aboveto judge any area and activity as to
whether it should be part of the discipline
of BCP.
To close this section, here is a clarifying
point. This line of argument does not
mean that the BCP practitioner should be
restricted from performing the types of
activities excluded above. It would be
ridiculous, for example, to say that the
BCP practitioner could never create an IT
disaster recovery plan. But if the posi-tion is correct, then IT disaster recovery
should not be part of the core discipline
of BCP. Executives should not expect that
a certified BCP practitioner would be
trained to create an IT disaster recovery
plan any more than they should expect a
lawyer to perform surgery. If the BCP
practitioner is able to create such a plan,
criterion 1, namely, that it does not play
a part in planning for the continuity of
processes. The BCP practitioner should
not have to identify the entire theatre of
threats for related processes. Whatever itis that interrupts normal operations needs
to be addressed. Identifying all possible
threats then calculating their probability
and impact affords no advantage. Little is
learned from such an effort with respect
to planning for processes to continue after
they have been affected by a cause.
This coincides with some thinking
within BCP to abandon specific threat-
based contingency planning in favour of
flexible planning that focuses on effectsinstead of causes (eg Johns Hopkins
reducing the results of their risk analysis
down to five all-encompassing scenarios).7
Continuity strategies should focus on
flexible responses to make sure that the
right people are available to continue
critical processes with alternative tech-
nologies. Continuity plans should not be
a manifold of individual threat-based
responses.
One might argue that a risk analysis is
necessary to BCP as the foundation for risk mitigation. But risk mitigation does
not meet criterion 3. Risk mitigation is
properly performed within the context of
a complete risk management programme,
where there is a focus on the protection
of the business. Risks, both large and
small, need to be identified, scored and
prioritised. Work must be assigned and
progress tracked. Questions of liability,
litigation, regulations and insurance rise to
the fore. Such a programme is best led byexperts in other programmes, and does
not belong in BCP.
Moving on from these three areas, one
might also judge to exclude crisis com-
munication from the discipline of BCP.
While it arguably meets criteria 1 and 2,
it is already a field of study unto its
own, and therefore fails to meet criterion
Linds
Page
-
8/18/2019 Lindstedt -Grounding the Discipline of Business
6/10
it is because they have cross-discipline
training.
It might be thought that the BCP prac-
titioner would be skilled in all related areas.8
When looking for the best help, one maywell prefer the surgeon with excellent
bedside manners, the lawyer who is a
Certified Public Accountant (CPA), and
the plumber who can tile. But that is not
the point. The issue surrounds the primary
qualifications of a BCP professional, not the
additional skills they can bring to the table.
When hiring a certified project manager, it
is expected that they will have the core
competencies to create a work breakdown
structure, an activity sequencing and dura-tion diagram, etc. If we want them to
develop software too, that is a second
skill set that we are seeking in addition
to the skills of a project manager. Simi-
larly, executives might desire a BCP prac-
titioner who is a Certified Information
Systems Security Professional (CISSP) and
risk management certified with an MBA to
boot, but these should be considered addi-
tional competencies. The best BCP prac-
titioners will be likely to draw from a
wealth of experience and competencies,but this is not what should be expected of
a standard BCP professional.
Business continuity versus business
resilience
All the areas discussed in the last section,
including BCP, fall under the purview of
a larger discipline that might be called
business resilience or continuity of opera-
tions. It is concerned with the continua-tion of the business from start to finish,
from protection to restoration. For the
purposes of this paper, it will be referred
to as business resilience.9
It is of vital importance for any discus-
sions on the nature of BCP or business
resilience to be clear on the scope. If the
discussion concerns the specific discipline
of BCP, then only those activities which
meet the three criteria above should be
included. It should be narrowly focused.
If, on the other hand, the discussion is
casting a wide net around the proper practices of business resilience, then it
needs to include all aspects of business
resilience, from emergency management
to risk management and all in-between.
When analysts evaluate the coherency,
completeness and content of BS25999 or
the NFPA 1600, for example, they need
to make clear whether they are talking
about BCP or business resilience. Under
a (properly) narrow definition of BCP, the
NFPA 1600 is much too broad; under business resilience, it may not be broad
enough.
If a professional certification were to
be developed for an expert business
resilience practitioner, the qualifications
ought to be dif ficult indeed. It would
have to combine the theory of all areas
within business resilience, meaning that
the expert practitioner would have to be
an expert in each. It is likely that if
business resilience is finally well defined
as a coherent discipline, there wouldhave to be several levels of certification
to allow for the varying levels of study
and expertise.
Thus, quickly returning to the issue
raised at the end of the previous sec-
tion, the BCP professional should not
be expected to be skilled in all busi-
ness resilience related areas (assuming,
of course, that the range of ‘all busi-
ness resilience related areas’ could be
clearly defined — a topic beyond thescope of the present paper). Someone of
this calibre would be certified in busi-
ness resilience, not BCP. An argument
that BCP ought to be more holistic
is misplaced; BCP ought to be clearly
delineated and deeply developed, while
business resilience should be expansive
and comprehensive.
Grounding the discipline of business continuity planning
Page 202
-
8/18/2019 Lindstedt -Grounding the Discipline of Business
7/10
ment practices. While project manage-
ment was not much considered as a
profession a few decades ago, it is now
one of the more sought-after certifica-
tions. The development of the projectmanagement of fice (PMO) is perhaps the
current capstone of this maturing dis-
cipline, and PMO practitioners are work-
ing at higher and higher levels within
organisations.
This development of the project
management profession was built upon
the research of many individuals, perhaps
most notably that of Dr Harold Kerzner,
all of whom grounded the discipline on
thorough research and real-world results.It was proven that a formal methodology
consisting of certain practices provided
bottom-line benefits. Likewise, research-
ers in BCP must strive to meet the same
challenge for BCP if it is to follow a
similar path and be placed on a secure
footing.
CONCLUSION
In sum, BCP can be a definable area of
work, concentrating on the creation of plans to secure the continuity of business
processes. This work has value, and it is
best done by BCP practitioners. If any of
these three points are incorrect, then
the practice and discipline of BCP may
properly disappear. Obviously, if BCP
is not worth doing, the funding and
resources will eventually dry up. Similarly,
if it can be done by just anyone using just
any methodology, then there is nothing
special about the BCP professional, andthis function will simply be absorbed
by other areas of the business. As John
Copenhaver, president and CEO of DRI
International has challenged:
‘It is time for us to change. We must
have common definitions in our in-
dustry, and we must work with our
PRACTICAL GROUNDING: EFFICACY
One of the common complaints from
BCP practitioners is that they do not
have enough buy-in from executive
management.10 This seems perfectly un-derstandable on both sides. The heart of
the problem is that there is no well-
researched evidence proving that business
continuity planning is beneficial. While
many believe BCP provides organisations
with the ability to survive disasters, this
belief is largely based on intuition and
anecdotal evidence.
One part of a much larger research
effort needs to be directed to the ef ficacy
of BCP. It is known that 43 per cent of businesses experiencing a major disruption
fail, and that 51 per cent of those that
survive will fail within two years.11 It is
also known that shareholder value in-
creases for companies that effectively sur-
vive crises.12 But what has yet to be
proven is that:
• businesses that have and utilise a prac-
tised BCP plan in response to a major
disaster are n per cent more likely to
remain in business than those that donot;
• BCP plans that contain X, Y and Z
types of information are n per cent
more successful than those that do
not.
This research needs to be undertaken as
soon as possible.13 If it can be proven that
a certain approach to BCP is effective
for businesses to survive disasters, BCP
practitioners will have a very strong ar-gument for taking their place in the
boardroom.14
By way of example, the discipline of
project management has been proven
to be ef ficacious and, therefore, indis-
pensable for businesses which undertake
projects. Project success has been directly
correlated with formal project manage-
Linds
Page
-
8/18/2019 Lindstedt -Grounding the Discipline of Business
8/10
colleagues in risk management and
security to better define our respective
roles in corporate governance.’15
Discussion on the nature of BCP needs tobe properly focused. Participants in these
important discussions need to be sure they
are clear as to whether they are defin-
ing BCP, business resilience, or another
discipline. Work by the Financial Serv-
ices Technology Consortium (FSTC) and
Carnegie Mellon University,16 standards
such as NFPA 1600 and other discussions
likewise need to be precise.
Business continuity planning should
continue to mature, if it can do so. If it isgoing to be an acknowledged profession,
it needs to move beyond its roots of IT
disaster recovery and emergency manage-
ment to establish itself firmly on its own
ground. Practitioners and researchers alike
should lend their voice to this worthy
discussion.
REFERENCES
(1) See, for example, Baker, B. (2006)
‘Who is the business continuity
professional’, Continuity Insights, Vol. 4,No. 4, pp. 16 – 18; and Lewis, G. (2006)
‘Identity crisis: how resilient is the
resiliency profession’, Continuity Insights,
Vol. 4, No. 4, pp. 40 – 41.
(2) DRI International (2003) ‘Professional
Practices for Business Continuity
Professionals’, DRI International, Falls
Church, VA.
(3) See, for example, Shaw, G. L. and
Harrald, J. R. (2006) ‘The core
competencies required of executive
level business crisis and continuity
managers’, in ‘11th Annual Disaster
Resource Guide’, pp. 66 – 69,
Emergency Lifeline Corporation, Santa
Ana, CA.
(4) ‘A bill to make the United States more
secure by implementing unfinished
recommendations of the 9/11
Commission to fight the war on terror
more effectively, to improve homeland
security, and other purposes’. This bill
includes recommendations on voluntary
private sector preparedness.
(5) EDUCAUSE Center for AppliedResearch (2007) ‘IT and Business
Continuity in Higher Education’,
ECAR Research Study 2, p. 155,
EDUCAUSE, Boulder, CO.
(6) From the January 2005 edition of the
Business Continuity Glossary maintained
by the Disaster Recovery Journal and the
Disaster Recovery Institute (author ’s
italics). The 2007 edition has changed
‘Business Continuity Planning (BCP)’
to ‘Business Continuity Plan (BCP)’
and modified their definition.
(7) Cole, G. and Barnes, A. C. (2005) ‘The
business continuity planning initiatives
at Johns Hopkins health system’,
Continuity Insights, Vol. 3, No. 3, pp.
32 – 40.
(8) But here, already, one should see a red
flag: what should it mean to be skilled
in ‘all’ areas related to BCP? What are
‘all’ the areas? Where does one draw
the line? IT disaster recovery and risk
management? Is an MBA, CEM, CPA
or PMP required?
(9) ‘BRP’ is not an accepted acronym, andthere is no widely-accepted definition
for either business resilience or
continuity of operations. Indeed, that
there are no clear definitions of these
terms is a good indicator of the very
problem at hand.
(10) See, for example, Callahan, J. G. (2007)
‘Boardroom BIA — Elevating our
profession’, Disaster Recovery Journal , Vol.
20, No. 1, pp. 26 – 30.
(11) US Bureau of Labor and Statistics.
(12) Knight and Pretty, 1998.
(13) This research must be conducted in
addition to the discussion as to whether
BCP should be considered to have actual
return on investment for the company or
whether it should be considered more
akin to insurance. These are both
important discussions to the future of
BCP. For more on this issue see, for
Grounding the discipline of business continuity planning
Page 204
-
8/18/2019 Lindstedt -Grounding the Discipline of Business
9/10
BC Management are important, but
ought to take a back seat to the more
pressing concern to provide a practical
foundation for BCP.
(15) Copenhaver, J. (2007) ‘Setting sails for open seas’, Disaster Recovery Journal , Vol.
20, No. 2, p. 80.
(16) See Owens, C. C. and Wallen, C. M.
(2006) ‘A capability model for
enterprise resiliency’, Disaster Recovery
Journal , Vol. 19, No. 2, pp. 28 – 32.
example, Stagle, J. M. (2007) ‘The real
return on investment for BCP’,
Continuity Insights, Vol. 5, No. 1, p. 58;
Wilson, B. (2006) ‘Business continuity
cannot be an optional decision for investment’, Continuity Insights, Vol. 4,
No. 5, pp. 40 – 41.
(14) Benchmarking studies like the kind
undertaken by Continuity
Insights/KPMG and Gartner/DRJ and
salary data like the kind provided by
Linds
Page
-
8/18/2019 Lindstedt -Grounding the Discipline of Business
10/10