Very little quantitative progress has been made in Business Continuity Management since IT-Disaster Recovery programs began to morph into BCM programs in the 1980’s. Standards and best practices have been hashed and rehashed but nothing substantial has changed.
BCM programs still struggle to attain “management buy-in”. Newcomers to the industry (lacking any other meaningful bearings) cling to measuring their programs against ‘standards’ to justify their – and their own – existence. Industry analysts, consultants, certification bodies and practitioners continue to march to the same tune: BCM for BCM’s sake.
Lately there have been many conversations on BCM discussion forums regarding where BCM, as an industry, is headed. The consensus seems to be that many believe the industry has gone as far as possible down the present path – and desperately needs a new direction, a new vision.
It’s no longer the 1980’s; or the end of the millennium. Our wired, global world presents challenges to the BCM industry that stretch current capabilities beyond their present capacity. Those challenges include:
- When IT can be easily outsourced or moved to the cloud – is DRP still necessary?
- If Customer Support, CRM, HR, Marketing or business functions are outsourced – what does BCM planning look like?
- What impact does outsourcing of manufacturing, distribution or logistics have on traditional supply-chain risk mitigation and recovery strategies?
- Where customers are distributed globally and loyalty is tied to the lowest price -how does that impact the identity of your critical processes?
- With the speed of propagation on social media – does the traditional RTO have any relevance?
- With their focus on quarterly earnings – do senior leaders care about BCM?
Let’s focus on Outsourcing.
Outsourcing, by its very nature, is a form of traditional Supply-Chain risk management. BCM programs may play a role in reacting to vendor failures, but managing Supply Chain resiliency has historically been outside of the preview of BCM programs. In traditional Supply Chain risk mitigation, options can include vendors diversification to deliver the same supplies (raw materials) geographically, through split sourcing volumes, proportional pricing and different SLAs.
Business Process outsourcing presents a completely different challenge. Outsourcing Customer Support or HR Benefits does not lend itself to those traditional supply-chain risk mitigation strategies. Raw materials may be acquired from multiple suppliers, but Business Processes are seldom (if ever) outsourced to multiple vendors. Such an option would be extremely difficult to manage and is not commercially viable.
In an outsourced business ecosystem, the organization’s Business Continuity is directly related to the outsourced vendor’s service availability. The organization’s only control is the agreed upon contract and Service Level Agreement (with associated penalties & remedies).
With that in mind, one option for BCM programs is to monitor, measure and, in some form, have a say in the performance of every outsourced vendor’s BCM program. This could be done through frequent questionnaires, tracking of (or participation in) vendor’s DR/BC tests & exercises and/or auditing of their Business Continuity programs. Simply trusting in your service provider’s Business Continuity capabilities will not ensure a peaceful night’s sleep.
But, is ‘trust but verify’ really the only valid strategy?
Our future blogs will look at alternate approaches to this conundrum.
