As you are making plans for the RIMS 2017 Conference in Philadelphia, make sure you don’t miss Lootok’s Sean Murphy and Jeremy Stynes speaking on Monday, April 24th. They will be exploring the psychology of risk, sharing innovative ways to market your program, and breaking down traditional myths of Business Continuity Management. All in our signature, non-conventional Lootok way. We hope you come and join us!
RIMS 2017: April 23-26th, 2017 | the Pennsylvania Convention Center | Philadelphia
Lootok Sessions on Monday, April 24 :
12:00 – 12:25 pm | Market Your Program Like a Product | Jeremy Stynes, President
1:00 – 1:25 pm | Five Myths of Operational Risk and Business Continuity Management | Sean Murphy, CEO
3:00 – 4:00 pm | Risk Shrink: Exploring the Psychology of Risk | Sean Murphy, CEO, Lootok; Hester Shaw, Internal Control Framework Director, GSK
Zona Walton [ADP - Global Business Resiliency] and I spoke at a private conference last month. The title of our session was The Future of Resiliency. We explored the idea that the future of resiliency isn’t resiliency; that is, it will be something else.
How to bring business continuity back to the basics
As business continuity practitioners, it would serve us well to take a cue from writer Antoine de Saint-Exupéry, who stated, “Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away.”
Many risk and resiliency initiatives are more robust and complicated than they need to be. Common signs of an over-engineered program may include: lengthy plans packed with procedures and protocol, a BIA that takes months to complete, lengthy internal audits fixated on industry standards, and just a handful of people who actually know what to do in an incident.
Blessed with “the curse of knowledge,” we as practitioners can easily lose sight of how business continuity is perceived by our stakeholders. We fall prey to assuming that others understand the value of participating in program activities, much less have the expertise to decipher industry jargon (how many times in your career have you had to explain “RTO” and “MTPD”?).
Even Wikipedia’s description of “business continuity planning” is prefaced with the warning: “This article may contain an excessive amount of intricate detail that may only interest a specific audience.”
Put yourself in the shoes of a stakeholder who rarely thinks of contingency planning or has yet to experience an incident, and it’s even more critical that you keep your program simple.
What would happen if we were to boil down business continuity to just the basics? What if we began describing concepts in layman’s terms, and it helped to ease understanding and facilitate program adoption?
Facilitating an exercise? Find out how to reel people in!
Last month, I showed up at a client’s manufacturing site to facilitate an annual tabletop exercise. The company had recently kicked off its crisis management and business continuity initiative, so I wasn’t surprised to walk in and hear several people ask what this meeting was about, and how long it was going to last.
It is commonplace within organizations to have initiative atrophy or program of the month syndrome. People are doing more with less. Everyone is highly skilled at prioritizing work and recognizing false positive initiatives. Crisis management and business continuity can quickly get categorized as a ‘not now’ or ‘postpone as long as possible’ project in this environment. Therefore, it is important for risk and security professionals to allow our stakeholders bring themselves into the program. We need them to want the program and value the work we need them to do.
In my experience, there are usually three different types of people sitting in the room.
First, you have your evangelists, or your program advocates—they’re often the ones leading the initiative or they’ve already experienced some kind of catastrophic event. On the other end of the spectrum are those who have already decided risk management is irrelevant, so they’re checked out and sighing loudly.
But almost everyone in between is a good corporate citizen who has showed up with a printed copy of their plan because they were told to. Other than the occasional email, they’re not used to thinking about risk. You can’t blame them for wanting to just get the meeting over with and get on with their lives.
This mindset, unfortunately, is not uncommon. Whether people are unaware of the program or struggle to understand its value, it’s important to recruit them as active participants. So what are we as risk management professionals to do?