Speakers’ Soapbox: Lynnda Nelson On Risk Management’s Shortcomings & Heavy Metal
In the leadup to the 11th Annual Continuity Insights Management Conference, April 22-24, 2013 at the Sheraton San Diego Hotel & Marina, Continuity Insights asks presenters about their chosen topics, lessons learned from Superstorm Sandy, critical business continuity skills and hypothetical band names. This week Lynnda Nelson, President of ICOR, discusses “soft” business continuity issues, why risk management is not a panacea and the business continuity-themed supergroup: Strapperjack!
Continuity Insights: Your conference session is titled Adaptive Capacity & The Principles Of Resilience. What is adaptive capacity and why should it be important to business continuity professionals?
Lynnda Nelson: Recent research has found that an organization’s resilience is impacted by both the integration of management systems as well as “softer” issues such as organizational leadership and culture. The adaptive capacity of leadership and the entire organization is being pointed to more and more as a critical factor in not just responding to crisis events, but in the management of every day operations.
With business continuity focusing on continuing operations during an incident at a pre-defined level, having an understanding of how to make these practices more adaptive is vital. Organizations that are successfully managed and led during “normal” times are more likely to be managed and led successfully during times of crisis. These are topics that top management understand and value.
Another recent trend of focusing solely on risk management has the potential to severely limit an organization’s adaptive capacity. I consider this a very “risky” approach! While risk management is a very important part of continuing operations, it is just one part and cannot become the entire focus of business continuity management.
Understanding how adaptive capacity can aid in increasing an organization’s resilience and understanding how to increase an organization’s adaptive capacity is something that business continuity professionals need to learn more about if they are to have an impact on the organization outside of writing and maintaining business continuity plans and procedures.
CI: Your two-day post-conference workshop trains practitioners to assess the maturity of an organization’s business continuity program. Why is it important that organizations have their program’s maturity assessed, rather than simply complying with one of the standards such as ISO22301 or NFPA 1600?
LN: Actually, the Business Continuity Maturity Model (BCMM) tool includes an assessment to ASIS SPC.1, NFPA 1600, BS 25999 and ISO 22301. The model has six levels of maturity and Level 4 is “Standards Compliant.” In the audit assessment, the requirements or the “proofs” are tied directly to what is required by the standards.
CI: Are you seeing a growth in organizations using a maturity model? If so, what is driving this?
LN: For so long BCM professionals have been reliant on consultants to determine how to mature and improve their BCM program. With continual improvement being so important but not always easy to measure, the BCMM provides the practitioner not only with goals and objectives for program improvement, but also with a way to measure readiness for a third-party audit. The BCMM can also be used to meet internal audit requirements.
CI: What is the number one lesson learned from Superstorm Sandy in terms of business continuity and disaster recovery strategies?
LN: The plans must be comprehensive enough to meet the needs of a “worst-case scenario.” This is not to say they should be “contingency” based, but if the plans do not address more than one type of interruption, they will not be comprehensive enough to deal with a complex event. Also, with a regional event of this magnitude, I believe one challenge was off-site recovery capabilities were stretched thin and not always as available as assumed.
CI: Complete this sentence: To be a successful business continuity professional you must master the risk assessment, the BIA and ___________________.
LN: Managing teams of people who do not necessarily report to you.
CI: True or false: There are some things you simply cannot plan for, e.g. the massive earthquake and tsunami in Japan in 2011.
LN: False. That goes back to my comment regarding Superstorm Sandy. Plans should be organized to manage impacts and not for specific events. For example, planning for loss of facility (or access to facility), loss of personnel (or unavailable personnel), loss of technology infrastructure (due to whatever reason -- power outage, technology equipment failure or virus), loss of supply chain and impact to reputation provides the organization with the ability to respond to any type of incident in some manner.
CI: Which U.S. president, sports person or musician do you think would have made a good business continuity professional and why?
LN: I think Woodrow Wilson -- 28th President of the United States of America -- would have been an excellent business continuity professional. He was elected about 100 years ago and had to deal with emerging technologies, globalization, and business and political issues in a new century.
He was also an effective communicator, making good progress in his first term as President -- especially in legislative issues that remain in effect today. He was clearly an effective Crisis Manager as he managed our country’s role in the First World War. History shows that he did not micro manage during the conflict; he delegated many wartime decisions to the US Army. He was able to absorb lessons learned and after actions. He was also awarded the Nobel Peace Prize.
I think this blend of vision, leadership and enabling empowerment in a new century would have served him well as a business continuity professional.
CI: If you formed a band with other business continuity professionals what would you call it?
LN: The band would be called Strapperjack! This would immediately raise interest, curiosity and a need to know all about it; rather a different approach to the less than sexy role and image of business continuity planning. The name also expresses an intensity and energy that all business continuity professionals possess and seek to embed in their program or management systems.
It would be a heavy metal hurdy-gurdy band with a Hungarian-speaking lead singer. The keyboards and rhythm section would be provided by a calliope that also serves as the band’s tour bus. This speaks to the diversity of business continuity professionals we encounter and their flexibility to operate in a changing environment.
For more information on Nelson’s conference session, Adaptive Capacity & The Principles Of Resilience, go to http://www.cimanagementconference.com/session/adaptive-capacity-principles-resilience.
View Nelson’s two-day post-conference workshop at http://www.cimanagementconference.com/pre-post-conference-workshops.
Jim Nelson, President of BCS Inc., contributed to this article.