This is partly tall tale, partly true related to business continuity. The time was pre—well everything and there were no frameworks like ITIL or DevOps or Agile. We were a mid-sized bank in Texas with a large-bank technology attitude. Our bank had survived all sorts of challenges such as hurricanes, financial downturns, changes in leadership, and competitive start-ups. The distance between the second and third bank (us) was vast and our board was happy to just be in business servicing customers and change was kept to the minimum.
Then two events occurred
First, we got a new CEO, a proud Texan who wanted more from his bank. He began changing the leadership and attitude of the bank from “no change” to “own the change and make us great.” He even included suppliers as part of the effort to make us the #1 bank. This future-thinking CEO realized that technology was going to be a differentiator and, while our budget now allowed for more innovation, we were still #3 and needed to work within realistic guardrails.
Our CEO knew how easily a Texas bank could be destroyed by events. He challenged everyone in the bank to begin to think about WHAT IF daily:
- What if a major hurricane hit the gulf coast?
- What if the markets took us into a recession?
- What if an important person (not only their rank but knowledge) was no longer here?
- What if the technology was down: mainframes and phones?
- What if bank locations, especially headquarters, were no longer useable?
- What if…?
Furthermore, he allowed everyone to make changes if they felt it would help address the above. In fact, he welcomed people coming to him with their suggestions which he would often support. Remember that this was before Agile or open leadership – plus business continuity – were hot topics.
Oh, and the second thing that happened… well, no prizes for guessing so keep reading!Here @Danielbreston explains many of the common business continuity issues and how blending in newer IT management approaches such as #DevOps will help. Click To Tweet
That darn hurricane!
We (all of the employees and major partners) created a collaborative way of working and improving how we serviced customers and worked. This is where I got my key message of “better, faster and safer,” and this attitude made us ready – in business continuity terms – for what happened next.
Texas got hit by a category 5 hurricane which was felt far inland and across much of the gulf coast. We had built new facilities, we had tested how we would react, and after 47 hours of wind, rain, tornados, and flooding, we were still servicing customers. The two largest banks were in terrible shape and we tried to help them to no avail. We offered the people of Texas an opportunity to continue to be able to pay bills by just showing us their bank statement and this trust allowed us to go from #3 to #1 in a matter of weeks.Just because you performed a test and satisfied an auditor does not mean you have a sufficient business continuity plan – @DanielBreston #ITSM Click To Tweet
The current state of business continuity management
Since that hurricane, business continuity management (or planning) has become a framework and a standard. The lifecycle of business case, executive sponsorship, creating an overview of the impact of events to an organization, ranking that impact, developing plans, and testing those plans are now all part of most corporate practices.
I’ve counseled many organizations, on business continuity management, since that hurricane and I usually find that:
- Someone has created a ton of documentation but the people that really need to use this, if something happens, may not have ready access to it
- As documentation is created, things continue to change and, unless the business continuity team are told, that documentation and the associated plans and tests are out-of-date by the time the ink dries
- No one ever tests the impact on staff of having to do something from someplace else
- Rarely are suppliers part of any testing, assuring us that they could support us because we instead rely on contractual statements
- Few are sure how customers feel about service capability during an event.
The ticks I do find:
- We performed the test – tick
- We showed we could bring something up in more or less an imposed time of our own choosing – tick
- We satisfied an auditor with our business continuity approach – tick
- Sometimes we even bravely did a few transactions or ran for a full day if we felt certain we could blend those transactions back into normal work when the test completed – hmmm, maybe a tick
Adaptive, Agile, DevOps, ITSM, Lean, digital business continuity
Since that hurricane, and especially in the 21st century, all of the words in the title of this section are aspirations or initiatives for almost every organization. So, question the following:
- You want to follow the Agile Manifesto but you create a ton of documentation
- You want to improve the way you service and support customers and staff, but you only test that annually, sort of
- You want technology-enabled change, but you rarely prove that these changes work in disruptive situations
- You have a dedicated team of people, or an outsourcer, responsible for making sure that your continuity plans are current, but the people that have to do the work daily are rarely involved in being accountable for their use or currency
- You think that you can bring things back up in a certain time but you don’t really know if, for a certain type of event, that time is tactically or strategically relevant.
Does this all make sense?
Wouldn’t it better if you allowed your staff to help maintain and improve the way they work and service someone in such a way that you could rest assured that your business will remain in business? Maybe even come out of an event in an even stronger and more competitive manner, because empowered decision-making allowed for change and improvement to occur during the event?
Remember that news article of a few years ago (or maybe last week) about the organization that had a business continuity issue, came up within SLA, but still managed to have reputational loss, customer anger, and fines?It’s time to let #Agile and #DevOps, and all of those other framework practices, blend into business continuity, says @DanielBreston. Click To Tweet
What current business continuity practices need
I believe that it’s time to let Agile and DevOps, and all of those other framework practices, blend into business continuity. Furthermore, I’m not alone in thinking this – as can be seen from the growing community of Adaptive Business Continuity. We want everyone to always be thinking about how they can be assured that tomorrow they will still have a place to work from and be able to service customers.
Want to know more? Curious about what metrics or tools or practices we think are important? I’ll be writing more about the new way of doing business continuity and welcome your comments and questions. Can’t wait? Contact me via the comments below or reach out on LinkedIn.
Daniel Breston is a 50+ year veteran of IT, ex-CIO and principle consultant, multiple framework trainer, blogger, and speaker. Daniel is on the board of itSMF UK and is a Fellow of the British Computer Society. Daniel may be retired, but he will help an organization if requested. Not full-time, but hey!