BFM2013_3_10_Cultural approach to Business Continuity

A first practical step is to map “buffer zones” between activities, to allow the design of alternative processes (“fall-back procedures”) to be adopted if the standard ones fail.

Identifying the buffer zones requires a clear understanding of the weaknesses inherent in your processes, and identifying the “sub-cultures” inside your organization.

While we consultants talk about “Corporate Culture” as a whole, in reality any large enough organization will develop sub-cultures with distinctive traits, often through the interaction with external sub-cultures and stakeholders (private and corporate).

As an example, consider a typical company delivering consumer products to the market.

Such a company would have different roles demanding different approaches- and different behavioural profiles.

These differences are blatant in conglomerates, and are actually the reason of the practical failure of quite a few mergers, mostly between IPR-based companies: the cultural clash results in the newly acquired expensive IPR walking away through the door inside the head of the people leaving the company.

If you identify the “sub-cultures”, you can design Business Continuity processes tailored to the specific strengths and weaknesses of your organization.

BFM2013_3_11_Setting priorities

Priority-setting should be built around business priorities, i.e. the internal administrative processes are probably the easiest ones to temporarily replace with alternative paths, but shouldn’t resources be focused on below par revenue-generating processes?

While processing time-reports can usually wait few days, ensuring that the supply chain is properly fed so that your production line is not stopped has certainly a higher priority.

Once you identify sub-cultures, you could easily map for each subculture its own buffer zone vs. the organization or external suppliers/customers, and ask each sub-group to map their own priorities, by designing a simple set of parameters to classify their own processes.

You can also leave priority setting to each part of the organization, but then you will just obtain the relative priorities inside each part, not a set of priorities that refers to common values- better to add then a mapping toward a shared framework.

A “priority setting & buffer” approach simplifies also management when changes will have to be reported.

This should not be confused with an assessment of the preparedness level- two parallel tasks.

Our basic suggestion is: leave the reporting and updating at the operational level, but define a set of easily understandable common parameters, to ease finding trouble spots.

BFM2013_3_12_Business continuity and Outsourcing

Assessment of the preparedness is something more akin to an “audit” activity, and in most organizations priority setting could be supported by a central “internal consulting” organization.

Using the same organization to deliver both consulting and audit requires sound management and monitoring: otherwise, one of the two will suffer.

As discovered by many a government, outsourcing sometimes clashes with Business Continuity.

Why? Because often the contract has not been structured with a proper definition of the structural SLA levels, i.e. ensuring that the supply chain adopted by the outsourcing supplier is really able to comply with the agreed SLAs.

Last issue described our suggestions on how to negotiate, structure, manage, and implement the governance of outsourcing agreements, to ensure long-term ability to deliver.

If you start analysing outsourced activities using the archaeological methodology described above, do not be surprised to discover that some outsourced activities could be actually impossible to replace.

After some time, it is quite common that unused knowledge is lost, as internal resources have no incentive in spending time (and budget) to keep the knowledge up-to-date, and your outsourcing supplier becomes a de facto component of your organization.

BFM2013_3_13_Business Continuity Management

Once you define the Business Continuity profile of your organization, the next element to consider is how to keep up-to-date your newly defined map.

Adopting a “buffer zone” technique and identifying the internal sub-cultures are key elements of Business Continuity.

The buffer technique will allow focusing on the “inputs” and “outputs” of the outsourced activities, so that you can build emergency procedures to be used short-term, should the outsourcing supplier become unable to fulfil the SLA.

There are two basic ways to manage knowledge: building a collection or building a thesaurus.

As described in the first issue , in our experience a thesaurus is actually a collection that keeps a connection with the source of the knowledge, as only that can ensure that the information is up-to-date.

If the connection is lost, the thesaurus becomes a collection, and any decision taken on this information will progressively increase the risk level, as any decision taken on misleading information.

Once the thesaurus and map are in place, managing the Business Continuity requires the typical structuring activities.

Incidentally, this has a side-effect on human resources management.

Often, managers promoted “from the ranks” are appointed to their new position not only because they are the most appropriate candidate, but also to ensure “knowledge continuity” with their former colleagues.

Unfortunately, after a while, their “thesaurus” becomes a “collection”, detached from reality, also if, quite often, they do not acknowledge that what they still assume to be current knowledge, a “knowledge base”, is frozen in time.

Moreover, if they fail to acknowledge this issue, they risk “short-circuiting” decision-making processes, taking on and by themselves operational decisions based on their own past experience, ignoring the current operational realities.

Yes, generalist managers, whose key expertise is in management science, have their own shortcomings, but neither choice (from the ranks, or from an MBA) is fool proof: as in any other activity involving humans, also Business Continuity requires a constant oversight from human resources, in support to management, to validate that the people appointed to coordination roles in this domain have the appropriate combination of skills and potential.

First and foremost, a proper communication path has to be defined, a path that has to be structured and maintained- also in this case, it is something closer to a programme than a mere project.

Any information affecting the Business Continuity delivered to the “thesaurus management” function of the organization must be propagated back to the organizational units that could actually be affected, for their own information and consideration.

Usually, the lack of this two-way communication structure results at best in duplicated and uncoordinated efforts to keep up-to-date, at worst in simply adopting a “wait-and-see” attitude.

If the management structure and processes are defined, then Business Continuity Management could become another tool to support the definition and implementation of strategy.

In the early 1990s, as part of a cultural and organizational change initiative, this “Business Continuity management” approach was used with a customer to minimize the number of meetings required to ensure that all the required information to develop cross-functional system in a banking environment was available to all those whose systems or organization could be impacted by a proposed change, be it of an organizational or technological nature.

At the time, before Internet, the tool used was Lotus Notes (the collaboration suite); in mid-2000s, a Wiki-like use of an Open Source platform called DotProject provided the same ability to manage multiple initiatives at the same time anywhere, anytime.

Today, there is no limit to the number of tools available, but the process and culture should drive to the right tool, not the other way around.

BFM2013_3_14_Continuous improvement

Instead of suggesting yet another “life-cycle model” for continuous improvement, we suggest that you consult the website dedicated to the Capability Maturity Model, sponsored by the U.S. Department of Defense and produced and copyrighted by the Carnegie Mellon University (in short: CMMI; a cross-checking between CMMI, ITIL, Six Sigma, Lean is available as a free 22-pages Acrobat document).

CMMI Model- capability levels
Level Name Typical activity
5 Optimizing Continuous Process Improvement
4 Quantitatively Managed MBO, KPIs, etc.
3 Defined Methodology Introduction
2 Managed Basic Project Management
1 Initial Self-organized

If you have been involved in ISO9000 or other certification activities, you probably are familiar with the levels of maturity.

Most companies with a formal project management and documenting methodology in place could easily reach level 3 with a modicum investment in formalization and training.

As we previously discussed BFMagazine , knowledge production and maintenance have to be carried out at the level where knowledge is produced and understood, not from some central “ivory tower”.

Instead, a “central exchange” can and should be managed, at least to allow information propagation and alerting.

A continuous improvement approach allows any organization, no matter how small, to empower a limited set of people with specialized skills to actively participate in multiple projects.

Adopting this approach results in a reduction in the number of meetings and document exchanges, as your resources will be confident that they will receive all the information they would need to make informed decisions, and they will have a shared communication path and protocol to “launch” information requests across the organization, to be informed by their colleagues of any potential impact from or to other parts of the organization.

The use of “agile” and “lean” methodologies increases the frequency of organizational and technical updates, as systems and organizations are constantly “tuned” to current and future business needs: hence, managed communication is critical.

Business Continuity can start as a simple map, but Business Continuity Management requires at least a level 3 organizational approach.

You can have processes in place, but limit the documentation to a few lines and tracing knowledge ownership, but a good Business Continuity Governance needs at least a 4 on organizational maturity.

The higher your organization maturity level, the less you need your operational people to “pull” knowledge from the organization (i.e. to carry out their own fact-finding, and the more you can simply introduce a “push” or “alerting” approach

BFM2013_3_15_Dynamic Corporate Governance

A short digression on the evolution of Corporate Governance will better define the context of the Business Continuity.

While continuous improvement focuses first and foremost on the internal workings of an organization, organizations like OECD are sponsoring an approach toward convergence on the management of relationships between organizations.

The first attempt, the MAI (Multilateral Agreement on Investment), was highly criticized as an attempt to infringe on the sovereign rights of States to policy private citizens’ and corporate behaviour.

Since 1999, OECD sponsored the “Guidelines for Multinational Enterprises” , first adopted in 1976 and most recently updated in 2011, clearly stating that:
“The OECD Guidelines for Multinational Enterprises are far reaching recommendations for responsible business conduct that 44 adhering governments – representing all regions of the world and accounting for 85% of foreign direct investment – encourage their enterprises to observe wherever they operate.”

Progressively, the focus extended toward other areas, and recent extensions to supply chain management renovated requests to extend the Guidelines application beyond the financial arena, adding links to fair trade and extending the “corporate citizenship” sections.

Some industry-specific international initiatives moved forward, requesting an explicit improvement of the internal operations of companies, to reduce systemic risks generated through “domino effects”.

Consider the following scenario: what would happen if cash were to suddenly disappear from the market?

How many days would be required to bring any industrialized nation to its knees?

Few years ago, a strike of employees working for security companies delivering cash forced Belgium to allow supermarket chains to operate as de-facto ATM networks.

ISO/EN standards since the 1990s expanded from technical/product issues to process and management activities.

Through e-government initiatives (the focus of the next issue of BFMagazine ), governments are progressively urging companies to integrate internal processes with government-mandate processes, e.g. with the progressive extension of “electronic filing”.

Major public failures of the old regulatory system, that basically stopped on the “company doorsteps”, allowed government and regulatory bodies to ask for changes in the way internal affairs had been managed by companies, e.g. with new Corporate Governance frameworks.

BFM2013_3_16_From BCManagement to BCGovernance

Since 2000, events have clearly illustrated the inherent complexity of our society, and therefore is foreseeable that, in order to reduce the systemic risk, e-government will progressively produce a wave of rules and regulations that will change the old Corporate Governance attitudes, and introduce “inherent transparency” as a regulatory requirement to operate in advanced economies.

It should now be clear the difference we attribute to the inward-looking management and governance of Business Continuity: you can have management without governance, but you cannot have governance without management.

If you build a cascade of plans (e.g. to create the high-speed railway network), you can keep in line with some general guidelines and targets, and revise the operational plan by managing the maze of resulting projects, so that you can introduce a degree of overall control, while maybe scrapping or delaying a specific project/sub-project, or re-allocating resources between projects.

Managing Business Continuity still assumes that you can use the basic instruments of management- a plan, a resource allocation and budget, etc.

If you aim to move toward governance, you need to use the information derived from preliminary priority-setting to actually refocus management activities according to current needs.

BFM2013_3_17_Introducing BCGovernance

The normal budgeting process is useful in Business Continuity mainly only to cost and maintain the redundant resource allocation required to ensure the proper working of “skeleton processes” to a minimum and controlled level.

Introducing a Business Continuity governance requires a further step: a good manager is not necessarily a good governor, and vice versa.

You will probably need at least three types of capabilities (as opposed to acquired skills) involved in any activity (not necessarily three people): governing, managing, controlling.

Eventually, you should be able to have a small “Business Continuity Governance team”, composed of managers, while leaving the management activities to each line manager.

The controlling team should be independent of any manager, and report only to the Board, while delivering any preliminary report to the “Business Continuity Governance secretary” (somebody that usually delivers status reports to the Board on behalf of the management team).

Caveat actor: while implementing Business Continuity Governance, remember to check the specific profile of the “human resources” involved, otherwise you could end up building just another layer of bureaucracy that produces nice reports and radar charts, while being unable to deliver the Business Continuity you are investing on.

BFM2013_3_18_Conclusions

While the suggested approach applies to any organization, as described in previous issues a “Big Bang” (i.e. instantaneous change applied across all the organization) is not always feasible.

Using a “buffer zone” technique you can easily start your Business Continuity Governance activities in parts of your organization, expanding later on to other sections of the organization.

We suggest that after reading this article, you try to visualize your own version of the process.

If you are not currently implementing some form of Corporate Governance, we suggest that you refer to the Corporate Governance suggested guidelines appropriate for your country.