The Millennium brought two nice examples, both of the unpredictable and the improbable. For a start, it was a century leap year. This was entirely predictable (it occurs any time the year is cleanly divisible by 400). But it’s also very unlikely, from a probability perspective: in fact, it’s only happened once before (in 1600, less than 20 years after the Gregorian calendar was introduced).
A much less predictable event in 2000 happened in a second-hand bookstore in the far north of rural England. When the owner of Barter Books discovered an obscure war-time public-information poster, it triggered a global phenomenon. Although it took more than a decade to peak, just five words spawned one of the most copied cultural memes ever: Keep Calm and Carry On.
From propaganda to public safety
The phrase dates from 1939, a period before management systems existed as a defined approach, but it nicely sums up the importance of perseverance and keeping a cool head when crises loom. Although when it comes to dealing with the complexities of a modern business, there’s a bit more to it than just keeping a stiff upper lip, as James Crask, Convenor of the ISO working group on continuity and organizational resilience, explained to me.
As Chair of the working group responsible for ISO standards for business continuity and organizational resilience and as Head of Risk for the UK’s Nuclear Decommissioning Authority, James has the perfect job to satisfy his lifelong interest in how people and businesses avoid, and recover from, disasters. He’s brought expertise gained in roles from local government and the London Fire Brigade, as well as “Big-Four” consultancy, to the ISO process, contributing alongside other experts in the field to standards such as ISO 22301, Societal security – Business continuity management systems – Requirements. I started by asking him what the difference is between risk management, crisis management and business continuity.
“They share a common goal of providing protection. Risk management tends to concentrate on specific threats and opportunities whilst business continuity provides a recovery plan that can be used under any circumstances when things go wrong and the business is disrupted. There’s wide acceptance of the concept having been in use for many years and ISO 22301 formalizes that as an International Standard.” So, in essence: business continuity management is about building a recovery plan to recover from disasters when they happen. When coupled with risk management, organizations have a comprehensive system to identify potential hazards with the goal of avoiding disasters before they happen; establishing contingencies and defining procedures that will limit the impacts if, despite your best efforts, disaster does strike; and getting back on your feet as soon as possible afterwards. “The most important thing is to avoid incidents in the first place, and above all to make sure that people and the environment are safe.” It’s reassuring to know that for the Nuclear Decommissioning Authority, which is charged with dealing with nuclear sites around the UK, safety is a top priority.
Looking to the future
But as James goes on to explain, there’s a more encompassing side to business continuity management that moves into longer-term resilience. “In the long-term, a business that has really understood the process of identifying threats to its survival will also apply that to the products and services that they offer.” In other words, resilience is about more than just resisting earthquakes or floods, it can be about looking at the business environment and asking whether you’re in shape for the future.
While hindsight tends to throw things into sharp focus, it still seems worth asking whether owners of video rental stores or manufacturers of camera film could have benefitted from an integrated approach to business continuity. I’m fairly sure that, right now, manufacturers of hard drives, games consoles and maybe even combustion-engined cars are asking some pretty searching questions about their future.
And while the really big questions might, at first, seem outside the scope of ISO 22301 (being more directly addressed by ISO 22316, Security and resilience – Organizational resilience – Principles and attributes), the links are there. For example, just a few months ago, China’s Xin Guobin, the Vice-Minister of Industry and Information Technology, announced that the government is planning to end the sale of cars that burn fossil fuels¹⁾. It’s a brave, forward-looking move that recognizes the effects that such vehicles have not only on the lungs of people whose grid-locked cities they pollute, but also in places that experience the worst of climate change.
As I write, the destruction wreaked by Hurricane Irma, the strongest tropical hurricane in more than ten years, continues. Irma follows hot on the heels of Harvey, which caused widespread devastation, particularly in the US state of Texas, just two weeks earlier. When it comes to the impact on businesses in Houston alone, the early estimates²⁾ are in the high tens-of-billions of US dollars. While, for some companies, it’s a matter of wrangling it out with their insurance company, for others, it will be the end of the road. Too big a hit coming on the long tail of a period of economic malaise.
For the survivors, there’s no doubting the enormity of the task; those that do make it through will have done so only through some kind of serious planning and level-headed action. Whether just a hybrid of common sense and business acumen or a consistent, defined approach, business continuity is about continually trying to look around the corner. Taken together, ISO 22301 and ISO 22316 serve as something like a convex traffic mirror; they can’t help you predict the future with perfect clarity but they can help to see the shape of what’s coming, and to manoeuvre accordingly.
In the case of 2017’s Atlantic storms, the focus is on reducing loss of life, and while it is too early to say with certainty, it seems that prudence on the part of planners has considerably lowered potential death tolls. Organizations in the USA, such as the National Hurricane Center and the Federal Emergency Management Agency (FEMA), have developed their own crisis management protocols, suited to disaster avoidance and recovery at the national level, but many of the principles are similar to those of business continuity management.
We’re all in this together
Some degree of this resilience can be attributed to size. In a big country, a larger business can spread its operations between different sites, and there are areas of “high ground” to which people can be evacuated. Often for smaller businesses, organizations or countries, it seems there are fewer options. It is the smaller islands that have been hit the hardest; places barely visible on a world map whose economies rely on seasonal tourism have been devastated on a scale that was unprecedented.
Storms come every year, but this one has literally flattened whole islands. Even as this terrible situation develops, the threat of further hurricanes looms. It will take determination, planning and a consolidated effort from the outside world to help the people recover and rebuild. It will take even greater cooperation and foresight to achieve a serious and unified response to climate change, which, unchecked, is likely to lead to further unexpected and devastating weather events.
A firm foundation
Understanding the underlying concepts of business continuity management helps to broaden its applicability. Although some small and medium-sized businesses may feel that International Standards are designed for global-scale companies or manufacturers of products, it’s a misconception. Like many International Standards, especially ISO management systems, it’s really about the formalization of processes and behaviours that, taken individually, are just good practice. The key is in defining the interaction of these practices and how loss of function in one area will impact the entire operation. It’s also about moving it from something that long-time employees or owners just know to something that’s written down.
In this way, by understanding and implementing the underlying principles of ISO 22316, and related standards such as ISO 31000, Risk management – Principles and guidelines, even small businesses can adopt a comprehensive approach to improving their resilience. For some, it’s enough to have robust systems in place, while others, typically larger organizations, will seek certification to ISO 22301. James Crask again: “Typically, companies that sit within a supply chain or professional services networks have gone for certification. In my experience, it’s not only about public reassurance, or even avoiding problems in the future, it has immediate benefits by reducing insurance costs and demonstrating preparedness.”
A basic two-step formula
“Historically, especially from the risk management perspective, it tended to be heavily regulated industries, such as banking, that were early adopters of business continuity management,” Crask informed me. So while safety-critical industries, like extractives, were good at the process end of things, such as safety on ships or drilling platforms, they often had weaknesses in other areas, like IT: “An over-focus on dealing with sharp-end risks can leave vulnerabilities. Resilient organizations will look at behavioural aspects too.”
By taking a broad approach, examining the underlying principles, and asking themselves “what does this mean to me”, businesses of any size can be better prepared for the future, and for the unexpected. It seems that the formula for business continuity is simple: Keep Calm and ISO 22301.
1) China Fossil Fuel Deadline Shifts Focus to Electric Car Race, Bloomberg News, 10 September 2017 (updated 11 September 2017).
2) Hurricane to Cost Tens of Billions but a Quick Recovery Is Expected, New York Times, 28 August 2017.