Business Continuity Management (BCM) helps your organisation to prepare for disasters, but is, sadly, very often neglected. Can agility help here?
Imagine that, each day, before stepping out your door, you would try to prepare yourself for all risks that you may encounter on the outside. Many people need to commute to work, for instance, which is already the first risky activity that they engage in.
Our Life Is Full Of Risks
Let us take the less obvious means of transport in terms of riskiness, namely public transport. A risk can be you being late to work due to late arrivals, so you could, for example, take the earlier train each day to be on the safe side. Keep in mind that, if that risk materialises itself more frequently, you might lose your job - so do not take it lightly.
A more existential threat are accidents in public transports, such as derailments or crashes. This virtually never happens, you might probably say. Let me give you a counterexample: I was once standing in a tram in the city of Zurich, in the gangway inbetween two coaches. Whilst the tram was slowly making a turn, I suddenly heard a loud thud just right next to me. Looking out the window in shock, I saw that a truck had crashed into the coach exactly were I was standing. I imagine that wearing a steel helmet and body armour could have helped me in this situation. Although, if I was supposed to wear it on a daily basis in the tram, it would have surely quickly made me a celebrity amongst Zurich's commuters.
Of course, depending on what we do at work, we also face many risks there: for craftsmen, falling off a roof or being electrocuted are quite probable risks, whereas for office workers, according to the CDC, mundane accidents such as falls inside the office or incidents while lifting objects are the most common. And, actually, already even before we have made a single step outside our home, we are exposed to very material risks such as dying from poisoning, suffocation, and drowning. In 2017, for instance, nearly 65'000 people died from "unintentional poising" in the US (source: CDC).
I will not elaborate further here, as a comprehensive list of the more and less probable risks that we face each day would have quasi-infinite length. Who would, for instance, put a "gamma-ray burst" on such a list, although there is even a chance that earth was hit by one in the past?
It Pays Off To Be Prepared
The bottom line is that we as humans can not possibly keep all of those risks in mind and be prepared for them on a daily basis, as otherwise, quite frankly, we would go crazy. This is why individuals tend to ignore most unknown and even most known risks. Preparing for known risks is often time-consuming and costly and may even entail social stigma (see my example from above).
For the same reasons, organisations are hesitant to mitigate and address risks by devising a Business Continuity Management (BCM) plan. Studies showed that up to 60% of US organisations do not have BCM plans and, even more shocking, only half of those who have really test them (you can find more information in this PhD thesis), although on an organisational level, much more is at stake.
Potentially critical goods need to be produced, basic services need to be provided, salaries need to be payed and the overall economy needs to be kept running. When properly implementing Business Continuity Management (BCM) practices, organisations can prepare for major disruptions that may result from hypothetical risks and act prudently when they occur.
I came to believe that the often used waterfall-like approach to defining, implementing and testing such practices is part of the reason why their penetration is so low. Accordingly, I want to dedicate this post to how agile methodologies and practices can help in Business Continuity Management.
Business Continuity Management in a Nutshell
Business Continuity Management (BCM) is a company-wide undertaking that aims to ensure that critical business functions, i.e. activities and processes, can be upheld when sudden disruptive internal or external events (commonly referred to as disaster) occur. The goal of BCM is to minimise the social, financial, legal and reputational damage that such disasters cause.
In the classic model, BCM is based on a Business Continuity Plan (BCP) that is elaborated upfront. Crisis communication, crisis management and disaster recovery are also part of BCM efforts.
Business Continuity Planning is mostly conducted in a waterfall-like approach and comprises the phases risk analysis, business impact analysis, development of continuity strategies and plans, testing of those plans and operational handover:
Risk Analysis: identify major risks of business interruption and rate them according to their probability of occurence, potential geographical reach and temporal extension.
Business Impact Analysis: first, identify critical business functions in the organisation, their input, resources & tools & frameworks that are necessary for their execution, and their output. Then, quantify how the identified major risks impact critical business functions and, in consequence, the overall organisation.
Development of Continuity Strategies and Plans: different approaches can be taken to manage the impact of a disaster or several disasters on critical business functions, namely avoidance, mitigation and absorption. There might be preventive strategies that can be formulated, strategies that need to be followed after a disaster has occured (crisis response), or strategies that aim to restore normal operations (recovery strategies). All of those strategies can be translated into plans or standard operational procedures (SOPs) that are meant to be followed by the different departments or teams within an organisation.
Testing: the developed business continuity plans need to be tested and, if required, adapted according to the findings made during the tests.
Operational handover: the tested plans are finally handed over to the individual departments and teams, where they are meant to be implemented.
What Could Agile Business Continuity Management Look Like?
Does the Business Continuity Planning process seem familiar to you? It probably does, as it nicely reflects traditional, sequential approaches to software development and obviously has the very same drawbacks. Accordingly, several crisis managers and authors have examined approaches to BCM that are based on the principles of the Agile Manifesto and incorporate iterative development practices.
Let me just briefly sketch how, in my opinion, an agile approach to BCM could look like:
Nominate a person that is accountable for BCM in your organisation with taking over the responsability for a BCM Backlog, the contained items and their priorisation. That person can delegate both BCM Backlog elaboration and priorisation, but is, at least, to be held accountable for the outcome.
Put together a cross-functional team containing one or several crisis managers and non-managerial representatives from different departments that provide critical business functions.
Let the person accountable for BCM and the team meet for one, at most two days to together identify and rate major risks and enter them into a Risk Matrix, and, additionally, analyse critical business functions (breadth before depth) and the impact potential disasters might have on them. Then enter the latter into the BCM Backlog as individual items. I am not going into detail as with regard to methodology here, but, to give you an example, a BCM Backlog item might contain a description of the critical business function (textual or via e.g. BPMN), the resources, tools and frameworks that it depends on, and the impact that disasters resulting from risks from the Risk Matrix might have on it.
Use the BCM Backlog and the Risk Matrix to, in a team setting, deduce tasks for addressing the impact of disasters on BCM Backlog items and for testing and operationalising any plans that you have deduced. Use the forced ranking of BCM Backlog items as guidance on which critical business functions you will work on first. You can enter the tasks into a Kanban board that will serve you to track their progress and manage their flow.
Define iterations, at the end of which you will review your results and discuss which BCM Backlog items to focus on next and which tasks are needed. Periodically, also make sure that you review your Risk Matrix and work on refining your BCM Backlog. Keep in mind to, at all times, have as few meetings as possible that are only as long as necessary.
There are, of course, many approaches to considering agile methodologies in Business Continuity Management. The important thing is to keep the principles of the agile manifesto in mind and proceed such that frequent inspection and adaptation of any BCM plans is guaranteed.
Care to Know More?
I took the above image in a supermarket of average size close to my home, shortly after a first round of serious measures where introduced by the Swiss Federal Council as a response to the still ongoing SARS-CoV-2 pandemia. Who would have, just two months ago, assumed that Switzerland will eventually end up in a quasi-lockdown with widespread panic buying? It is exactly those scenarios that we need to prepare for, even if, from afar, they do not seem likely.
Would you also like to know more about this post's topic? If so, then please post your questions in the comments below and I will be answering them. If the subject of your question is a hot topic, then I will dedicate a post to it in the future.