Inside Business Continuity Consulting
If you haven’t talked to business continuity consultants lately, you should know that much has changed in recent years. Gone are the days when a consultant was hired to build the plan and leave once the big red binder was complete.
“Business continuity is now a strategic business issue being influenced not only by internal stake holders but external entities interdependent on each other,” says Charles Woods of IBM. “Companies today are focused on a broader set of business continuity issues than they were five years ago. While traditional technology-oriented disaster recovery is still a requirement, companies are also focused on developing comprehensive plans for dealing with a wide variety of risks to a company’s operations.”
Business continuity consulting “really has changed considerably,” agrees Nicholas Benvenuto of Protiviti. “Prior to 9/11, the focus we had seen in the marketplace was primarily required by regulatory concerns and followed a regulatory format or was something that was done from a technology or DR standpoint. Today, most of our work is looking at business continuity as a business issue and is coming at the request of boards of directors or some C-level management within an organization.”
Gerry Nolan, of Eagle Rock Alliance, says that “BC and DR have really morphed more into risk management and enterprise resiliency, which means, as consultants, we have a much broader agenda today and a lot of focus on much more proactive solutions. Evidence of the risk management piece is that, in our own practice over the last year, we’ve been hired more by risk officers than anyone else. We also find ourselves going deeper and deeper into the technology realm – assisting customers with replication strategies and everything having to do with high availability,” Nolan adds.
Is It IT?
Scott Ream of Virtual Corporation sees the greatest change in “IT organizations trying to figure out how to engage the business. IT’s job is to support the timely recovery of applications and infrastructure and that is driven off of the business requirements. Historically, getting the business to give properly grounded business requirements has been practically impossible. Most businesses are aware that this is something they ought to be doing, but IT has not been able to get the attention of the business executives. So IT has a tremendous problem in prioritizing and, as result, they are often over-investing in recovery assets. They are now asking how best to hand business continuity off to the business as their problem. That’s where we have been putting our emphasis.”
“IT is a key enabler of business. It is just another productivity tool. The market place is seeing IT more as a business enabler that is key to their business in developing competitive advantage,” says SunGard Availability Services’ Ravi Mehrotra. “As a direct result, we see an impact in the consulting world in that the work we focus on now is not just looking at continuity and high availability infrastructure — that’s obviously a core part of what we do — but it is also focused on how we improve overall operational efficiency.”
Ted Brown of KETCHConsulting is seeing a shift in emphasis from systems to people. “I think 9/11 and Hurricane Katrina and the Virginia Tech tragedy all have focused the industry and our clients, at least the leading-edge ones, on people recovery and business continuity, not just IT. I’m seeing a level of detail in executive plans that is just incredible — plans for spouses, cats, dogs, fish, horses. That’s a significant change that is finally recognizing that people aren’t going 1,000 miles away to a hot site for six weeks if their house is rubble.”
Beyond the Binder
So is business continuity so ingrained and accepted that consultants aren’t called up on to build plans anymore? Hardly. “The truthful answer is that there are still a lot of programs to be built,” says Robert Giffin of Avalution Consulting. “And the effort is uniquely suited to a consultant given the amount of work required at the outset and the decreased amount of effort to take it over.” In fact, every consultant interviewed for this article still helps organizations builds plans and programs from scratch. However, there is a growing number of clients who are asking for more.
Giffin says some clients need help with “preparing for an industry certification or moving their program to the next level of maturity. We also offer the ability to help an organization during a time of disaster, which is something that most of the industry has shied away from in the past. We do it quite a bit. It’s not something you are necessarily contracted for, but when an organization has a problem, they turn to the people they trust. In many cases that can be a consultant who can provide an outside point of view and help stabilize that situation.”
Satori Consutling’s Audrey Cohen says today’s challenge is to “help organizations really integrate business continuity into the organization. We’re talking to firms about things like do they have the right resources and the right organizational alignment and what sort of governance and sponsorship do they need.” Cohen says her clients also are homing in on issues like “global supply chain” and “focusing on all the various dependencies that the organization has on the external world. Your plan is really only as strong as the third parties that support you.”
Several consultants mentioned inquiries from clients who are worried about standards. Ream says “standards bodies are creating an environment in which companies in all industries are all looking at what does this mean to me? When will standards become not a nice to have but something I will be forced to adhere to? We’re seeing is organizations looking to get certified and using us a pre-certification tool to identify gaps.”
Methodology and Software
Now that you’ve got an idea what consultants are being called up on to do, let’s move to how they’re doing it. Just about every consultancy has a colorful pie chart or a pyramid or a graph that attempts to explain their “proprietary” methodology. What these graphics offer in style, they often lack in substance, leaving prospective clients bewildered.
Not to worry, says Nolan. “If you look at the different methodologies published by these consulting firms, including our own, they aren’t all that different. They all have the same types of phases and none of them is rocket science. It is a pretty basic approach to solving a business problem. But it is important to have a methodology in order to grow a consultancy, to have structure and be able to leverage on a methodology in order to train other consultants in best practices and on a knowledge base you’ve established,” he says.
One key differentiator in the area of methodology is the use of software tools by consultants. Some consultancies also sell and market software tools; others claim “tool neutrality” and offer to use the tool of your choice or none at all; still others say they use an in-house tool that is not commercially marketed but is used by consultants on engagements.
“It’s a question that comes up all the time,” says Benvenuto. “As far as the tools go, the question is more what the consultancy is focused on. In many cases when there is tool, the focus is on selling that tool, particularly for some of the larger tools. It should depend on what the organization really needs and is willing to commit to. The bigger the tool, the more complex it is to manage and work with but it also may provide a lot of benefits. But in many cases no tool is really necessary, as long as plans are written in a way that they are actionable, manageable, and can be updated.”
Frank Perlmutter, of Strategic BCP, thinks that software tools often should be part of an efficient, effective consulting methodology. “What we see people still doing is creating these huge plans that are still paper based a lot of times. These big documents may help in passing compliance, but when you’re out in the field, they aren’t actionable. People just haven’t been able to use them,” he says.
Perlmutter advocates “actionable plans” in “formats that are a lot more useable, like checklists. With this type of plan you get the information you need when you need it and how you need. It is available in a lot of different formats — online, in an electronic format – and there are lots of different delivery methods.”
“You shouldn’t get a 400-page document,” he says. “People should get access to the information they need. If you are a facilities person, you need access to blueprints of your facility, the current status of what’s going on, and an action plan that says, from the start through full restoration of that facility, exactly what you need to do.” Software, says Perlmutter can help consultants deliver that, but he warns not to hire a consultant based on software alone. “The consulting engagement should be a time when you get to try out the software and not be locked into a long-term deal.”
Perlmutter says software also helps in “turnkey maintenance” consulting engagements, where consultants are asked to maintain plans. “Should every organization take ownership of the plans and maintain them? Sure, but that’s not reality. Reality is that plans get built, plans get old, and not every organization has a full-time continuity planner. If your consultant used a tool and it’s integrated with your change control, they can come in and update the plan, exercise it, and keep the organization committed to continuity and keep the process alive.”
Maybe some organizations do need consultants to maintain their plans, but what about those with a business continuity staff that is supposed to take over when the consulting engagement ends? How is knowledge transfer ensured?
“As a consultant, I always tell my clients: ‘Eventually I get to go home,’” says Woods. “So it is important that the company be able to carry on with the policies, programs and processes the consultant has helped them establish.”
“Knowledge transfer is broader than skills transfer,” he says. “Skills transfer teaches a client how to execute specific techniques (e.g., how to execute a business impact analysis). Knowledge transfer is focused on helping clients retain some of the broad experience and ways of thinking of the consultant, so that they can continually adapt their approaches to business continuity as conditions change.
“Skills transfer is accomplished through explicit teaching as well as through working with the client to lead workshops, etc. Knowledge transfer is accomplished through partnering with the client throughout the engagement and sharing with them not only the specific topics that are part of the project, but also the tools, techniques and experiences I have gained through my work with other clients, even those that may not currently be pertinent to this particular client.”
Benvenuto says senior management should be “required to own the process and be committed to the process of developing and testing the plan and maintaining it, or, frankly, our services are not really of great use to the organization. We really want that commitment and involvement of senior management, and, for the most part, that’s not even a question anymore.”
According to Nolan, knowledge transfer “can be delivered in a variety of ways, but in order for it to be effective, you need a well-defined organization that is receptive to the knowledge. If you have an organization that doesn’t have a full-time business continuity person, it is kind of difficult to do knowledge transfer when the person has another full-time job.
Perlmutter says knowledge transfer should be part of every consulting proposal and that it should be in the forms of training (on business continuity principles and methodologies, not software use and configuration) and testing (to ensure that everyone knows what they are to do and are comfortable actually using the plan).”
If you’re thinking about hiring a consultant, you’ll want to ask some of the following questions. “Some of the important considerations are: How will you engage with my team? How will you deal with unanticipated issues? What experience do you have with issues beyond what we have specifically asked you to help us with? What other industries have you worked in? What are some of the toughest issues you’ve had to deal with, and how have you dealt with them? Tell me about a project you have worked on that did NOT go as well as you or the client wanted it to? How will we ensure that together we are successful? What do you need from me and my team?,” says Woods.
“In my mind, there are three things that Continuity Insights readers should be asking prospective consultants,” says Ream. “Ask to see sample deliverable so that you get a sense of quality of their work. Do not accept the answer that all of our deliverables are confidential. However, do not expect to see complete deliverables. One of the most important assets a consulting organization brings to the table is their intellectual property. It is not reasonable for you to ask them for copies of completed intellectual property materials before you’ve hired them.”
Ream says you should “sit with them and just talk about your current environment, your goals, your known limitations, and your risks. In the course of that conversation, mostly listen. Let the consultant speak. If they are confident and knowledgeable about your industry, about your problems, they will be able to translate what you said into logical, practical, approaches. If it doesn’t sound logical or practical, but boy is it impressive, it’s probably not the right consultant.”
“Finally,” says Ream, “demand that you get a statement of work before you hire the consultant. The statement of work should clearly delineate the following: objectives, scope, deliverables, approach, schedule, costs, and a clearly-defined change management process for changes in scope.”
Giffin adds that it is important to know “exactly who is going to actually be doing the project and what their qualifications are.”
Certification a Must?
And that brings us to the issue of certification.
“You ought to make sure the people you hire are certified by a third-party that’s objective, like the DRII or the BCI,” says Brown. “After 9/11, every consulting organization decided they did business continuity and hung out a shingle. That doesn’t make them qualified. All of the people who will be working on the project must be certified.”
Ream sees a grey area here, with “two dominant business continuity professional certifications and an emerging variety of university course and degree programs.” He says the way to go is to “request an experience profile for every consultant to be assigned to your project and insist that you have the right to decline a resource.”
The importance of certification “depends on the subject matter of the engagement,” says Mehrotra. “Let’s say I’m trying to do a security assessment. If I have folks on my team that have a business continuity certification, are they going to be able to help with that? Having folks on your team who are certified is important, but you want folks who really have the business experience and business judgment, and there’s no certification for that.”
Why would I need consultants if my organization already has a business continuity professional? Here are three of the most common reasons why consultants are often retained by organizations with in-house business continuity professionals:
- Consultants can speed up the effort to achieve a desired level of readiness. Perhaps your organization recently launched its business continuity effort, the scope changed, or new, aggressive objectives were identified. Regardless, supplemental experienced resources may be needed to deliver timely results. Consultants can help deliver results when in-house personnel are time-constrained, and they can introduce new ideas.
- Consultants introduce skills or experiences that your organization may not otherwise possess. Very few business continuity professionals have every skill or experience necessary to meet their organization’s unique expectations. Consultants can supplement full-time resources, complimenting in-house personnel and transferring knowledge internally to the organization.
- Consultants gain organization-wide attention and cooperation. Consultants have the opportunity to identify what works — and what doesn’t — in a large number of organizations. They’ve honed value proposition messaging, and often, executive management respects their external, independent opinion due to these diverse experiences.
Though some still think that organizations with in-house personnel should not consider consultants, business continuity is a diverse profession with a growing number of responsibilities. As a result, supplemental skills and resources can help organizations meet management objectives.
There seems to be a new heightened interest in Business Continuity (BC) Standards this past year. How has that affected your consulting efforts in supporting clients?
This new interest or client focus on standards is a direct result of the Title IX voluntary standards under the direction of Homeland Security and the market thrust of the British Standards Institute BS 25999 certifiable standard; both driving awareness during this past year. The client response toward standards compliance is still a very measured response, although there is interest in how they may align to these standards. They are asking: “What is the value proposition?”
The industry has also had other BC standards and best practices in existence for some time in the form of the NFPA 1600 ANSI standard and the DRI Professional Practices for Business Continuity Planners, among others.
In response to our clients’ interest in establishing a benchmark for how they might compare to these standards and best practices, Eagle Rock has extended its ERA*360™ assessment model to provide multiple graphical views of a company’s Business Continuity Program as applied against these standards or best practices. We expect to see continued interest in third-party program assessment activity and also in pre-certification efforts to align with certain standards in the future.
How can a consultant help maintain operational stability?
Maintaining operational stability means staying in the game when it comes to the business objectives your organization is set to achieve. Going down or slowing down can seriously affect your revenue—or even your organization’s long-term survival. IBM works with you to understand your objectives and provides IT and infrastructure risk management and business resilience expertise to assess a range of risks to the IT resources and assets on which your business processes depend.
With business process expertise and more than 40 years of worldwide experience in business continuity, we can help you identify and fill gaps in your current business continuity strategy and guide you through the complex standards, practices and regulations that affect your business continuity program.
Using industry best practices and our Resilient Enterprise Blueprint approach, we can work with you to develop and manage a program that is aligned to your specific business needs and can create a reliable, more productive business environment. By reducing the risks related to noncompliance with contracts, industry standards, regulations and internal controls, we can help you link business planning and IT to business resiliency. The result: an integrated program aligned to your evolving business needs and risk tolerance levels.
How do you pick the right consulting firm?
Certification? Consulting experience? Recovery experience? Conferences? Publishing articles? All five are important! Firms that discount anyone of these, are missing that one. At KETCHConsulting, we’re all certified. We’ve done thousands of DR/BCP engagements. We have real-life recovery experience, withWorldTradeCentertragedies, hurricanes, tornados, power outages, etc. We speak at every conference. And we publish articles in industry publications. Everyone does IT recovery, as do we. How about business recovery, people, families, pets, helicopter evacuation, hotels, food, and executive plans? We’ve done all that, including IT-staff BCPs.
Funding DRP/BCP is always challenging. We’ll negotiate enough hot site savings to fund a BIA, plus. Need hot site alternative strategies? We’ll give you dozens from our thousand-vendor database. Educating your executives on BCP is a specialty. We’ll get you funding. Our methodology for BIAs is best practices, guaranteeing participation and results. See us about Table Tops, BS25999 or DHS Certification.
Looking at emergency notification? We’re the industry experts with thousands of webinar enrollees, session attendees, and article readers. Need help with an Emergency Notification RFP, justification, internal selling, vendor selection/implementation? No one’s more recognized than KETCHConsulting.
As a consultant, what’s one of the most frequent questions you hear?
Clients want to know if there’s one best approach to business continuity management (BCM). We believe that while the approach and project scope may vary, the strongest plans share one thing – a business-oriented approach. A focus on the risks related to key business processes results in the best balance of recovery strategies and implementation costs. As consultants, we help clients focus on the analysis and evaluation of strategies, development of approaches, and the testing and implementation of plans that meet continuity needs from a people, process, and IT infrastructure perspective.
How do you explain the relationship between business continuity and enterprise risk management (ERM)?
We see BCM as an important component of an effective enterprise program designed to manage risk; it’s emerging as one of many pillars within ERM.
What new concerns are you hearing from clients?
Reputation risk is top of mind among companies of all sizes. Companies see the importance of protecting their brand in the face of growing competition as well as maintaining the public’s approval for the way a company handles a crisis. They understand that neglecting this aspect can ultimately lead to revenue loss or even litigation.
What is the value of global enterprise risk management?
Traditionally, business continuity planning has been considered a necessity for satisfying compliance requirements and sustaining operations in the face of an array of business disruptions. Today, business leaders recognize that a robust business continuity program accomplishes more than simply meeting minimum standards and is essential for achieving competitive advantage. Progressive programs address the following dimensions across the enterprise:
- Strategic positioning through risk assessment and business impact analysis
- Organizational effectiveness through high levels of engagement in plan development, resource planning, and training and awareness programs
- Continuous improvement and organizational adoption of BCP through exercises/drills, measuring preparedness levels against desired outcomes, and course-correcting to resolve gaps
- Crisis management through effective governance and leadership
Business continuity consulting professionals are being engaged to develop, deliver and integrate these components, resulting in programs with a complete organizational context while enhancing resilience to: external threats/vulnerabilities, operational issues, compliance gaps, interdepartmental gaps, supply chain dependency gaps.
These specialists facilitate accelerated adoption of sound business continuity management practices, increasing accountability. Experienced professionals rapidly assess existing programs and identify an optimal course of action for improving resilience. By partnering with the right team, an organization can transform itself into an enterprise that has the ability to thrive, even in the midst of a crisis.
Why does methodology matter?
For over 15 years, Strategic BCP has been leading the shift towards efficient and actionable business continuity plans delivered in a fraction of the time of our competitors. Our proprietary, non-invasive plan development methodology and data gathering approach empowers our customers with inclusion and training throughout the entire process, rather than encumbering them with long surveys.
Our process is unique, combining our BCP industry and vertical expertise with the only true software-as-a-service (SaaS) in the industry, ResilienceONE™. ResilienceONE™ provides unique capabilities that perform tasks in minutes that normally take other consultants days! Our RTO Determination Engine and Operation Blueprint automatically determine RTOs and provide step-by-step process mapping capability for all business operations, IT, and crisis management activities. Our Thin Plans provide step-by-step, actionable playbooks interactively online, electronically, and on paper for any level of user and have been proven to reduce recovery timeframes by 50 to 70 percent.
Supplementing our commitment to building actionable plans is our unwavering commitment to training. All of our engagements include extensive training from our library of over 30 exclusive seminars. Strategic BCP will continue expanding our education tour, which has included over 50 seminars in 30 states to over 4,000 people over the last two years.
What makes you different?
SunGard Availability Services consultants are dedicated to helping their customers build and maintain customized, holistic programs that complement their focus and enable a sustainable, competitive advantage. This includes showing customers and prospects the solutions that will help them assess where they are today, examine the alignment between their continuity strategies and existing continuity programs, and implement, validate, and maintain their resilience as an ongoing program.
Essential steps to developing this programmatic approach to continuity include:
Understanding the customer’s organization, and becoming familiar with the IT and business elements crucial to their performance and survival. Developing a comprehensive strategy that addresses the key enabling pillars of availability, compliance, integrity and efficiency. Delivering a set of robust recommendations customized for the customer and approved and supported by senior management.
Executing on the strategy and recommendations, including implementation and ongoing maintenance of each component.
SunGard Availability Services is the pioneer and leading provider of information availability services, helping to ensure that 10,000 customers in North America andEuropehave access to their business-critical information systems. With four million square feet of operational space, SunGard offers a complete range of information availability solutions to keep their customers connected.
How do you define a leader in business continuity consulting?
Business continuity consulting market leaders are companies focused on innovative, sustainable solutions that leverage the existing state of preparedness and bring to bear industry best practices. Many consulting firms offer “cookie cutter” solutions requiring the client organization to adjust to fit the solution. In business continuity “one size” does not fit all. Because each client has unique organizational attributes, Virtual offers an extremely flexible and scalable approach. By adapting our methods and tools to each client, we ensure the success of the project and sustainability of the program, achieving “buy in” from the program participants and executive stakeholders.
Virtual Corporation distinguishes itself as a leader in BC consulting through our adaptive, innovative solutions for companies of every size and across multiple industries. We generate client satisfaction through cost-effective, practical and measurable results. Our consultants are skilled translators, turning process and technology innovation into sustainable BC programs. Virtual Corporation’s consulting philosophy is to “Delivery early and often”, “Be centered on knowledge transfer”, and “Leave our clients well trained and self-reliant”.
In additional to consulting services, Virtual Corporation is the creator of the Business Continuity Maturity Model®, recognized worldwide as the BC program benchmark and assessment standard and Sustainable Planner™ BC/DR software tool.