“A rose by any other name would smell as sweet.” – William Shakespeare, Romeo and Juliet
In our profession, like most others, we have developed our own terminology, jargon, buzzwords, and acronyms used to discuss what we do, how we do it, and the end product of that work. If there is one thing that has remained consistent throughout the history of business continuity and its related practices, it is the inconsistency of how we define and use terms. From my perspective, the most long-term (multi-decade) example of this has been Disaster Recovery and Business Continuity, with these terms historically being misused, confused, and used interchangeably.
While after a few good years this example does seem to be getting sorted out, as we continue to evolve and mature, new inconsistencies have created the same fuzziness. Ask a random group of practitioners to define business continuity and crisis management. You are likely to get varied responses. Some will say they are interchangeable terms, others will say that one is a subset of the other, while others will absolutely declare that they are two quite different things.
In approaching what for some may be a controversial subject, someone might warn me to avoid dealing with this potentially touchy subject. As my grandmother used to say: “Don’t poke a stick at a hornet’s nest.”
But as fools rush in, here are some thoughts on this topic. To start, here are some brief definitions of three of our commonly (though not necessarily consistently) used terms, Disaster Recovery (DR), Business Continuity (BC), and Crisis Management (CM), with a couple of basic descriptions of each.
It is almost a given that some of those reading these descriptions will disagree with even these very elementary definitions. For those who do not like or agree with these, they are only a small sampling of the thousands that can be found with a quick internet search. In addition, to verify that they are in fact important terms, each has a recognizable acronym.
- Disaster Recovery (DR) is the technical aspect of business continuity. A collection of resources and activities to re-establish information technology services (including components such as infrastructure, telecommunications, systems, applications, and data).
- Disaster Recovery (DR) focuses on the ability to recover the IT infrastructure in case of a disruption, whatever the cause – natural disasters, cyberattacks, technological failures, or human error. It is viewed as being both proactive and reactive.
- Business Continuity (BC) is the capability of the organization to continue or restore delivery of products or services at acceptable predefined levels following a disruptive incident.
- Business Continuity (BC) has as its goal ensuring that operations continue to enable products and services being delivered at pre-agreed upon levels when disruptions or disasters occur. Seen as being proactive.
- Crisis Management (CM) is the overall coordination of an organization’s response to a crisis, in an effective, timely manner, with the goal of avoiding or minimizing damage to the organization’s profitability, reputation, or ability to operate.
- Crisis Management (CM) is responsible for ensuring timely, accurate decision-making to determine if the event is a problem, disruption, or disaster while managing the crisis, and it has the appropriate authority to declare a disaster, make notifications, activate teams, allocate resources, and oversee the management of the event. Viewed as being reactive.
It is a given that each of these three plays a critical role in protecting people, operations, physical property, and intangibles, such as company reputation, brand, and market share. Each contributes to creating a resilient organization.
The purpose, roles, and responsibilities under the heading Disaster Recovery have now been relatively agreed upon, with the possible exception of whether cybersecurity is part of DR or a separate entity. For now, let us take a look at business continuity and crisis management, which I have noticed have recently become a topic of significant interest and discussion due to a lack of agreement on the roles of each, who is in charge, and how each best fits in the bigger picture of organizational resilience.
You have also quite likely noted the uptick in interest, as has Ashley Goosman, MBCP, MBCI, who noted in her Disaster Empire post “Business Continuity vs Crisis Management”: “People around me are taking opposing views about whether business continuity and crisis management are the same thing or not. One group sees crisis management as part of an emergency management structure.
They believe that business continuity only focuses on helping business operations to recover from an outage. Others, like the Disaster Recovery Institute International (DRI), see crisis management as part of an overall business continuity management program. Both sides believe they are right.”
Some might ask if we actually need a separate crisis management team plan, as it creates a new layer, one that perhaps overlaps with business continuity. In response, others might call attention to the fact that crisis management addresses situations where a disruption may or may not pan out to impact operations to the extent of requiring business continuity activation, though it may demand monitoring and perhaps a media and social response to a threat to the company’s reputation.
Another response from those questioning the value of a separate Crisis Management team would point out that a crisis management plan is one of a group of other specialized plans which belong under the BC umbrella, such as a pandemic plan, continuity of operations plan, or a product recall plan. On the other hand, some will say that business continuity should report to crisis management with crisis management taking a disruptive event under its control while business continuity enables operations to continue at an acceptable level.
Equally important, if both entities exist, do they work jointly, or does business continuity report to crisis management, or vice versa? Are responses initiated by crisis management and then turned over to business continuity? If so, at what point? In the meantime, what are the communication requirements between the two? What are the coordination points?
Perhaps this requires a review from a governance perspective, where the business continuity organization is established and roles and responsibilities are assigned, to ensure that the current continuity organization reflects established governance. An important purpose of a business continuity policy is to provide a definition of what top management wants to achieve with the business continuity program. Does the approach we are taking meet the requirements established in our business continuity policy?
Are overall ownership, points of accountability, oversight, and support as originally established still valid, and are assigned roles and responsibilities still appropriate?
In some organizations, following a negative event, disruption, or disaster, crisis management has as its focus communication – reputational management, public relations, media, and social media management to provide a unified response to protect the brand, reputation, and public image. For others, this is an element of crisis management. For still others, this responsibility belongs to yet another separate team that reports to top management and in some cases is titled the crisis communication team.
One thing I believe we can agree on is this: neither business continuity, nor crisis management, nor disaster recovery, nor any of the related functions can be viewed as a stand-alone, separate discipline. Each plays a key role in building a resilient organization, in ensuring a capability to plan for, respond to, and recover from the multitude of risks that we all face today. Silos do not work; turf wars are counterproductive.
Keep in mind that even standards and best practices are meant to be a framework and to provide guidance, not a “do it this way or else” proposition. For example, ISO 22301: “… provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities”.
While standards and best practices provide a framework, they do not dictate details for exactly how each and every organization is to apply the framework. The emphasis must be on what works for the organization, not what has always been done before, what other organizations are doing, the latest trend, or guidance that was chosen at random or because it was a perfect fit for another company.
It is likely that full consensus on this subject will not be achieved any time soon. My question, then: is it required that every organization take the same approach? I believe that this is not necessarily a case of absolute right or wrong, but rather of what is best for the organization.
If we can accept this, then whether to have separate business continuity and crisis management programs or a business continuity program that incorporates the crisis management functions or vice versa, is a decision to be made, not a foregone conclusion.
Either way, here are some questions that may be worth some thought:
- Is our company’s continuity organizational structure right for us? – No two continuity organizational charts will be identical when organization size, type of business, location(s), products and services, resources, and culture are taken into account.
- Does the current continuity organization meet the requirements established in our business continuity policy and any other applicable policies? – If not, perhaps there is reason to revisit the policy or the continuity organization, or both.
- If changes have been made to the continuity organization, were tests conducted that prove that no gaps or overlaps in responsibilities and authority have resulted? – A change in any part of the organization will most likely require changes in others.
- For smaller organizations, have functions been combined, e.g., business continuity and crisis management, based on personnel resources?
- Are there built-in mechanisms to ensure full communication, cooperation, collaboration, and coordination before, during, and following any disruption or disaster?
- Have you adopted a shared glossary of terms, acronyms, and definitions for use across your organization so that everyone understands and shares the same meanings for business continuity, disaster recovery, crisis management, and related terminology?
More importantly, keep the focus on the overarching goals of your program, which likely include continuing the company’s mission without major disruption, managing operations if the company experiences a significant disruption or disaster, continuing to meet customer and other stakeholder needs, and mitigating damage to reputation or brand, and legal and regulatory issues.
Yes, shared terminology and agreement on what is the best organization for our company’s resilience-related business units are important. Just do not let the focus stray from why we do what we do: to create and maintain a more resilient organization.
“I know you think you understand what you thought I said but I’m not sure you realize that what you heard is not what I meant.” – Alan Greenspan