Lindstedt -Grounding the Discipline of Business

8/18/2019 Lindstedt -Grounding the Discipline of Business

1/10

tions, standards and other continuity prac-

tices. Finally, the paper outlines areas for

future research with an eye to proving the

efficacy of BCP, especially to executives and stakeholders.

Keywords: business continuity, business resilience, certification, discipline, profession, grounding

INTRODUCTION

If business continuity planning (BCP) is to

be an acknowledged discipline, it must be

placed on firm footing, from both a

theoretical and practical stance. Currently,as anyone working in the field is likely to

say, it is not well defined by its prac-

titioners and not well understood by its

customers.1 Its lines of responsibility are

blurry, bleeding into areas of IT disaster

recovery, risk management, crisis manage-

ment and others. This paper offers an

approach to reverse this trend and more

firmly ground the discipline and profes-

sion of BCP.

WHAT IS AT STAKE?

The profession

What is expected of the business

continuity planner? Expertise of haz-

ardous waste disposal? Ability to

configure a backup server? DRI Interna-

David Lindstedt is the Director of Enterprise

Continuity Management for The Ohio State

University. The Ohio State University is the

largest university in the USA with approximately 60,000 students and 38,000 employees in 928

buildings on five campuses. He administers

business continuity software for a ‘BCP federa-

tion’ of nine Ohio universities, and serves as the

chair of the Ohio Regional Users Group. Prior to

his work in business continuity, he worked as an

IT consultant and the manager of a pro-

gramme management office. David holds a PhD

from Tulane University, is a Certified Business

Continuity Professional (CBCP) and a Project

Management Professional (PMP).

A BSTRACT

Business continuity planning (BCP) is emerg-

ing as a profession unto its own. It is

separating itself from related fields such as

emergency management, IT, disaster recovery

and risk management. But can it attain the

status of an independent discipline? And if so,

what is, and is not, included in this new

discipline? What are the core competencies that

should be required of its practitioners? This paper offers an approach to founding BCP as

a discipline, but with a narrower demarcation

than traditionally accepted. It presents three

criteria by which to delineate and ground BCP.

It discusses the difference between BCP and the

more encompassing ‘business resilience’, and

emphasises the need to clearly choose one or the

other of these contexts when discussing certifica-

Grounding the discipline of business

continuity planning: What needs to be

done to take it forward?

David Lindstedt

Received (in revised form): 8th October, 2007

The Ohio State University, 1121 Kinnear Road, Columbus, OH 43026, USA Tel: 1 614 688 3086; E-mail: [email protected]

Journal of Business Continuity & Emergency Planning Volume 2 Numb

Page

Journal of Business Continuity &

Emergency Planning

Vol. 2 No. 2, pp. 197–205

Henry Stewart Publications,

1749-9216


2/10

tional’s ‘Professional Practices’ publication

includes risk evaluation, emergency

response and crisis communications as

core BCP practices,2 while other

organisations cite different requirements.Where does one draw the circle around

the discipline of BCP? This is not a

trivial matter. At the most fundamental

level, a profession that is not well defined

cannot ultimately prosper. Customers

cannot be expected to be satisfied with a

service they do not understand. Analysts

cannot hope to provide useful research if

the scope of their analysis is poorly

demarcated. Executives cannot be ex-

pected to support a BCP programme if they consider it as simply part of another

function of the business, like emergency

services or risk management. The

profession as a whole may eventually be

in danger of either being swallowed up by

other disciplines or divided up and farmed

out to other areas.

Standardisation and certification

Proper standards cannot be established

without a clear understanding of the

profession it is standardising. To whatdiscipline should standards such as National

Fire Protection Association (NFPA) 1600

or BS25999 be applied? BCP alone? Some

combination of all professions involved in

a wider effort to protect the organisation?

Should a BCP professional be expected to

perform and comply with all areas of these

standards?3 If executives decide to adopt

one of these standards for their organisa-

tion, which area should be expected to

bring the organisation into compliance?This may become a more pressing con-

cern as more legislation regarding public

and private preparedness is introduced.

Before experts can argue the merit, details

and proper responses to legislation such as

the US Senate Bill S 4,4 they will first

have to identify the disciplines to which

the recommendations will apply.

In the same vein, rigorous certification

standards cannot be created and applied

without a clear understanding of the dis-

cipline of BCP and the appropriate ex-

pectations of its practitioners.

Funding and authority

On the most practical level, BCP will not

receive the appropriate budgets, staf fing or

authority if it cannot be shown to be of

value. Executives will not fund and

support BCP programmes without proof

that professionals can directly and posi-

tively impact the organisation. When

push comes to shove, BCP will never

achieve solid recognition and supportwithout the numbers to justify its under-

taking.

As a recent study from the

EDUCAUSE Center for Applied

Research summarised:

‘BC continues to be largely a back-

engineered process whose technical

aspects are left to IT and whose

business aspects are only investigated

after the fact. Once post hoc attention

is finally brought to bear on BCquestions, the familiar issues of uncoor-

dinated action, unclear funding, and

ambiguous ‘‘ownership’’ of BC are

ready to flourish.’5

In order to address the above concerns,

BCP must be placed on a firm founda-

tion, both in theory and practice. The

remainder of this paper outlines how this

might best be accomplished.

THEORETICAL GROUNDING

The discipline of business continuity plan-

ning ought to be grounded on the follow-

ing three criteria:

1. BCP is (narrowly) centred on the

continuity of processes and functions.

Grounding the discipline of business continuity planning

Page 198


3/10

value and trained accountants are its best

practitioners. Law is a discipline because

there is a body of knowledge centring on

the theory and practice of law, the work

has particular value and a lawyer is abetter practitioner than a layman. While

it is necessary to better define and defend

each criterion, they should serve as the

foundation for discussion.

THEORY: WHAT IS INCLUDED?

If it is right that BCP should be con-

cerned with the continuity of processes,

that it is worth doing and that it is best

done by BCP professionals, then there isa good position from which to understand

what ought to be included in the dis-

cipline. Based on the three criteria, the

following sub-areas should be included

under BCP:

• business impact analysis;

• recovery time objectives;

• resources and locations;

• process continuity plans/strategies;

• incident management plans/strategies;

• exercises.

While much can be said about each of

these sub-areas, the following comments

will be brief.

The staple of BCP to date has been

the business impact analysis (BIA), and

this is properly so. Naturally, if BCP is

going to ensure the continuation of busi-

ness processes, the practitioner must know

what those processes are and why they

matter. BCP must therefore be able toidentify the processes of the business, the

functions they perform, the impact (quan-

titative and qualitative) of their loss, and

their upstream and downstream depend-

encies. The BCP practitioner must work

with leadership to drive and establish

recovery time objectives (RTOs) for each

process as well as upstream and down-

It is the ‘process of developing ad-

vance arrangements and procedures

that enable an organisation to respond

to an event in such a manner that

critical business functions continue withplanned levels of interruption or essen-

tial change’.6 This means that the core

of BCP is the discipline of identify-

ing and ensuring the continuity of

processes. One may wish to think of

BCP as ‘process continuity planning’.

2. Process continuity planning is valuable

work that needs to be undertaken.

While better research is required to

prove this point conclusively (see the

section on practical grounding, below),there should at least be the correct

intuition that processes drive a busi-

ness, businesses drive an economy and

support a nation, and it is worth the

time, money and effort to ensure the

continuity of most businesses. Hence,

there are fiscal, political, and poten-

tially ethical arguments to be made as

to why continuity planning must be

performed and supported as a dis-

cipline unto itself.

3. No other profession can properlyprovide the service of process con-

tinuity planning. This is the (mostly

unstated) assumption that there is

rightly a BCP discipline to be learned

and a methodology that can be

discovered and improved. Again, while

research needs to be directed to this

area, there is the instinct that there are

better and worse ways to perform

continuity planning, and those better

ways are chiefl y accessible (and, it ishoped, known) only to the BCP

professional.

These three criteria are not unique (save

for the content of criterion 1). Account-

ing is a profession because there is a body

of knowledge surrounding the tracking

and payment of monies, it has proven

Linds

Page


4/10

stream dependencies, including IT sys-

tems.

Because processes need resources and

locations to recover, BCP should focus

on identifying and securing these relevantresources. Identifying, making contact with

and securing the services of vendors may be

a necessary component of this work, as well

as obtaining, staffing and equipping on- or

off-site recovery locations.

If the processes are going to continue in

the wake of a disaster, BCP must work

with the owners of these processes to

develop (and exercise) appropriate con-

tinuity strategies. The BCP practitioner is

the proper person to situate each processwithin the context of the entire busi-

ness and to facilitate the development of

these plans/strategies, from response, to

recovery, to restoration. They are also one

of the persons best qualified to develop,

facilitate and judge the outcome of exer-

cising these strategies.

Finally, BCP must ensure that the busi-

ness is capable of reacting and responding

to a potential disaster incident. Incident

management plans/strategies are therefore

the proper purview of BCP, and they mayrightly go into some detail. If leadership

cannot guide the business through an

incident, it will be much more dif ficult (if

not impossible) to recover the individual

processes. Accurate and available contact

information for vendors, agencies and staff

is a must. The BCP practitioner must be

knowledgeable in many aspects of this

area to ensure that leadership can ef-

fectively respond to an incident. Other

aspects may include:

• emergency responders protocol (eg the

US National Incident Management

System (NIMS) and Incident Com-

mand System (ICS), general police and

fire response activities, environmental

health and safety procedures);

• HR requirements and concerns;

• psychology of crisis situations;

• facilities management and damage as-

sessment;

• workforce continuity;

• general leadership and communicationsactivities.

This discussion of what ought to be

included in BCP is not meant to be

exhaustive. Analysts should be able to

evaluate other areas and activities to

determine their fit within the discipline.

Analysts should also be able to judge their

unfitness, as in the next section.

THEORY: WHAT IS EXCLUDED?

If the criteria presented above are used to

judge what activities best belong to BCP,

then many activities which are often in-

cluded under BCP should be excluded.

At the top of the list are emergency

management, IT disaster recovery and risk

management. Each of these is a dis-

cipline unto itself, with its own body of

knowledge, certifications and programmes

of study. These should not be part of BCP

because they do not meet criterion 3;each is best performed by its respective

discipline. Therefore they should not be

folded into the discipline of BCP.

Perhaps this is intuitive when it comes

to emergency management and IT dis-

aster recovery. For example, the BCP

practitioner should not advise staff on

proper evacuation techniques, unless they

have been trained in the (separate)

discipline of emergency management.

Likewise, a detailed discussion of storagearea network options and mirroring

techniques does not belong in a course on

BCP but rather in a course on IT disaster

recovery.

But this line of thinking applies to risk

management as well. Counter to many

current beliefs, BCP should not involve

risk analysis. Risk analysis fails to meet


Page 200


5/10

3. Many communications and journalism

programmes focus on this topic well apart

from the context of process continuity.

BCP practitioners can learn from this

separate discipline — but while a goodcontinuity plan must include crisis com-

munication placeholders, it should not be

a core competency of BCP.

An even greyer area is that of crisis

or reputation management, namely, ef-

fectively responding to a public event

in order to preserve the reputation and

branding of a product or company (eg the

textbook example of the Tylenol scandal).

To ensure continuity of processes, the

continuity of the business must be en-sured, as argued above. Crisis manage-

ment could arguably be part of incident

management, which is to be included in

BCP. However, this could be seen to

violate criterion 3, in that it is best

handled by experts of crisis communica-

tion. Perhaps there is a subset within crisis

management that is properly BCP.

The above list of what should be ex-

cluded from the discipline of BCP is by

no means comprehensive. Analysts should

be able to use the criteria presented aboveto judge any area and activity as to

whether it should be part of the discipline

of BCP.

To close this section, here is a clarifying

point. This line of argument does not

mean that the BCP practitioner should be

restricted from performing the types of

activities excluded above. It would be

ridiculous, for example, to say that the

BCP practitioner could never create an IT

disaster recovery plan. But if the posi-tion is correct, then IT disaster recovery

should not be part of the core discipline

of BCP. Executives should not expect that

a certified BCP practitioner would be

trained to create an IT disaster recovery

plan any more than they should expect a

lawyer to perform surgery. If the BCP

practitioner is able to create such a plan,

criterion 1, namely, that it does not play

a part in planning for the continuity of

processes. The BCP practitioner should

not have to identify the entire theatre of

threats for related processes. Whatever itis that interrupts normal operations needs

to be addressed. Identifying all possible

threats then calculating their probability

and impact affords no advantage. Little is

learned from such an effort with respect

to planning for processes to continue after

they have been affected by a cause.

This coincides with some thinking

within BCP to abandon specific threat-

based contingency planning in favour of

flexible planning that focuses on effectsinstead of causes (eg Johns Hopkins

reducing the results of their risk analysis

down to five all-encompassing scenarios).7

Continuity strategies should focus on

flexible responses to make sure that the

right people are available to continue

critical processes with alternative tech-

nologies. Continuity plans should not be

a manifold of individual threat-based

responses.

One might argue that a risk analysis is

necessary to BCP as the foundation for risk mitigation. But risk mitigation does

not meet criterion 3. Risk mitigation is

properly performed within the context of

a complete risk management programme,

where there is a focus on the protection

of the business. Risks, both large and

small, need to be identified, scored and

prioritised. Work must be assigned and

progress tracked. Questions of liability,

litigation, regulations and insurance rise to

the fore. Such a programme is best led byexperts in other programmes, and does

not belong in BCP.

Moving on from these three areas, one

might also judge to exclude crisis com-

munication from the discipline of BCP.

While it arguably meets criteria 1 and 2,

it is already a field of study unto its

own, and therefore fails to meet criterion

Linds

Page


6/10

it is because they have cross-discipline

training.

It might be thought that the BCP prac-

titioner would be skilled in all related areas.8

When looking for the best help, one maywell prefer the surgeon with excellent

bedside manners, the lawyer who is a

Certified Public Accountant (CPA), and

the plumber who can tile. But that is not

the point. The issue surrounds the primary

qualifications of a BCP professional, not the

additional skills they can bring to the table.

When hiring a certified project manager, it

is expected that they will have the core

competencies to create a work breakdown

structure, an activity sequencing and dura-tion diagram, etc. If we want them to

develop software too, that is a second

skill set that we are seeking in addition

to the skills of a project manager. Simi-

larly, executives might desire a BCP prac-

titioner who is a Certified Information

Systems Security Professional (CISSP) and

risk management certified with an MBA to

boot, but these should be considered addi-

tional competencies. The best BCP prac-

titioners will be likely to draw from a

wealth of experience and competencies,but this is not what should be expected of

a standard BCP professional.

Business continuity versus business

resilience

All the areas discussed in the last section,

including BCP, fall under the purview of

a larger discipline that might be called

business resilience or continuity of opera-

tions. It is concerned with the continua-tion of the business from start to finish,

from protection to restoration. For the

purposes of this paper, it will be referred

to as business resilience.9

It is of vital importance for any discus-

sions on the nature of BCP or business

resilience to be clear on the scope. If the

discussion concerns the specific discipline

of BCP, then only those activities which

meet the three criteria above should be

included. It should be narrowly focused.

If, on the other hand, the discussion is

casting a wide net around the proper practices of business resilience, then it

needs to include all aspects of business

resilience, from emergency management

to risk management and all in-between.

When analysts evaluate the coherency,

completeness and content of BS25999 or

the NFPA 1600, for example, they need

to make clear whether they are talking

about BCP or business resilience. Under

a (properly) narrow definition of BCP, the

NFPA 1600 is much too broad; under business resilience, it may not be broad

enough.

If a professional certification were to

be developed for an expert business

resilience practitioner, the qualifications

ought to be dif ficult indeed. It would

have to combine the theory of all areas

within business resilience, meaning that

the expert practitioner would have to be

an expert in each. It is likely that if

business resilience is finally well defined

as a coherent discipline, there wouldhave to be several levels of certification

to allow for the varying levels of study

and expertise.

Thus, quickly returning to the issue

raised at the end of the previous sec-

tion, the BCP professional should not

be expected to be skilled in all busi-

ness resilience related areas (assuming,

of course, that the range of ‘all busi-

ness resilience related areas’ could be

clearly defined — a topic beyond thescope of the present paper). Someone of

this calibre would be certified in busi-

ness resilience, not BCP. An argument

that BCP ought to be more holistic

is misplaced; BCP ought to be clearly

delineated and deeply developed, while

business resilience should be expansive

and comprehensive.


Page 202


7/10

ment practices. While project manage-

ment was not much considered as a

profession a few decades ago, it is now

one of the more sought-after certifica-

tions. The development of the projectmanagement of fice (PMO) is perhaps the

current capstone of this maturing dis-

cipline, and PMO practitioners are work-

ing at higher and higher levels within

organisations.

This development of the project

management profession was built upon

the research of many individuals, perhaps

most notably that of Dr Harold Kerzner,

all of whom grounded the discipline on

thorough research and real-world results.It was proven that a formal methodology

consisting of certain practices provided

bottom-line benefits. Likewise, research-

ers in BCP must strive to meet the same

challenge for BCP if it is to follow a

similar path and be placed on a secure

footing.

CONCLUSION

In sum, BCP can be a definable area of

work, concentrating on the creation of plans to secure the continuity of business

processes. This work has value, and it is

best done by BCP practitioners. If any of

these three points are incorrect, then

the practice and discipline of BCP may

properly disappear. Obviously, if BCP

is not worth doing, the funding and

resources will eventually dry up. Similarly,

if it can be done by just anyone using just

any methodology, then there is nothing

special about the BCP professional, andthis function will simply be absorbed

by other areas of the business. As John

Copenhaver, president and CEO of DRI

International has challenged:

‘It is time for us to change. We must

have common definitions in our in-

dustry, and we must work with our

PRACTICAL GROUNDING: EFFICACY

One of the common complaints from

BCP practitioners is that they do not

have enough buy-in from executive

management.10 This seems perfectly un-derstandable on both sides. The heart of

the problem is that there is no well-

researched evidence proving that business

continuity planning is beneficial. While

many believe BCP provides organisations

with the ability to survive disasters, this

belief is largely based on intuition and

anecdotal evidence.

One part of a much larger research

effort needs to be directed to the ef ficacy

of BCP. It is known that 43 per cent of businesses experiencing a major disruption

fail, and that 51 per cent of those that

survive will fail within two years.11 It is

also known that shareholder value in-

creases for companies that effectively sur-

vive crises.12 But what has yet to be

proven is that:

• businesses that have and utilise a prac-

tised BCP plan in response to a major

disaster are n per cent more likely to

remain in business than those that donot;

• BCP plans that contain X, Y and Z

types of information are n per cent

more successful than those that do

not.

This research needs to be undertaken as

soon as possible.13 If it can be proven that

a certain approach to BCP is effective

for businesses to survive disasters, BCP

practitioners will have a very strong ar-gument for taking their place in the

boardroom.14

By way of example, the discipline of

project management has been proven

to be ef ficacious and, therefore, indis-

pensable for businesses which undertake

projects. Project success has been directly

correlated with formal project manage-

Linds

Page


8/10

colleagues in risk management and

security to better define our respective

roles in corporate governance.’15

Discussion on the nature of BCP needs tobe properly focused. Participants in these

important discussions need to be sure they

are clear as to whether they are defin-

ing BCP, business resilience, or another

discipline. Work by the Financial Serv-

ices Technology Consortium (FSTC) and

Carnegie Mellon University,16 standards

such as NFPA 1600 and other discussions

likewise need to be precise.

Business continuity planning should

continue to mature, if it can do so. If it isgoing to be an acknowledged profession,

it needs to move beyond its roots of IT

disaster recovery and emergency manage-

ment to establish itself firmly on its own

ground. Practitioners and researchers alike

should lend their voice to this worthy

discussion.

REFERENCES

(1) See, for example, Baker, B. (2006)

‘Who is the business continuity

professional’, Continuity Insights, Vol. 4,No. 4, pp. 16 – 18; and Lewis, G. (2006)

‘Identity crisis: how resilient is the

resiliency profession’, Continuity Insights,

Vol. 4, No. 4, pp. 40 – 41.

(2) DRI International (2003) ‘Professional

Practices for Business Continuity

Professionals’, DRI International, Falls

Church, VA.

(3) See, for example, Shaw, G. L. and

Harrald, J. R. (2006) ‘The core

competencies required of executive

level business crisis and continuity

managers’, in ‘11th Annual Disaster

Resource Guide’, pp. 66 – 69,

Emergency Lifeline Corporation, Santa

Ana, CA.

(4) ‘A bill to make the United States more

secure by implementing unfinished

recommendations of the 9/11

Commission to fight the war on terror

more effectively, to improve homeland

security, and other purposes’. This bill

includes recommendations on voluntary

private sector preparedness.

(5) EDUCAUSE Center for AppliedResearch (2007) ‘IT and Business

Continuity in Higher Education’,

ECAR Research Study 2, p. 155,

EDUCAUSE, Boulder, CO.

(6) From the January 2005 edition of the

Business Continuity Glossary maintained

by the Disaster Recovery Journal and the

Disaster Recovery Institute (author ’s

italics). The 2007 edition has changed

‘Business Continuity Planning (BCP)’

to ‘Business Continuity Plan (BCP)’

and modified their definition.

(7) Cole, G. and Barnes, A. C. (2005) ‘The

business continuity planning initiatives

at Johns Hopkins health system’,

Continuity Insights, Vol. 3, No. 3, pp.

32 – 40.

(8) But here, already, one should see a red

flag: what should it mean to be skilled

in ‘all’ areas related to BCP? What are

‘all’ the areas? Where does one draw

the line? IT disaster recovery and risk

management? Is an MBA, CEM, CPA

or PMP required?

(9) ‘BRP’ is not an accepted acronym, andthere is no widely-accepted definition

for either business resilience or

continuity of operations. Indeed, that

there are no clear definitions of these

terms is a good indicator of the very

problem at hand.

(10) See, for example, Callahan, J. G. (2007)

‘Boardroom BIA — Elevating our

profession’, Disaster Recovery Journal , Vol.

20, No. 1, pp. 26 – 30.

(11) US Bureau of Labor and Statistics.

(12) Knight and Pretty, 1998.

(13) This research must be conducted in

addition to the discussion as to whether

BCP should be considered to have actual

return on investment for the company or

whether it should be considered more

akin to insurance. These are both

important discussions to the future of

BCP. For more on this issue see, for


Page 204


9/10

BC Management are important, but

ought to take a back seat to the more

pressing concern to provide a practical

foundation for BCP.

(15) Copenhaver, J. (2007) ‘Setting sails for open seas’, Disaster Recovery Journal , Vol.

20, No. 2, p. 80.

(16) See Owens, C. C. and Wallen, C. M.

(2006) ‘A capability model for

enterprise resiliency’, Disaster Recovery

Journal , Vol. 19, No. 2, pp. 28 – 32.

example, Stagle, J. M. (2007) ‘The real

return on investment for BCP’,

Continuity Insights, Vol. 5, No. 1, p. 58;

Wilson, B. (2006) ‘Business continuity

cannot be an optional decision for investment’, Continuity Insights, Vol. 4,

No. 5, pp. 40 – 41.

(14) Benchmarking studies like the kind

undertaken by Continuity

Insights/KPMG and Gartner/DRJ and

salary data like the kind provided by

Linds

Page


10/10

Lindstedt -Grounding the Discipline of Business

Documents

Transcript of Lindstedt -Grounding the Discipline of Business