Late in 1985, there were two minor and unconnected incidents that changed my life. Without both of them happening I doubt if I would be Chairman of the BCI today, or even in the industry at all. Firstly, I was contacted by a gentleman called Ron Ginn who I knew only slightly and (like me) was an Englishman living in The Netherlands. He had an idea for a new company doing something called ‘Continuity Planning’ and asked if I would be interested in becoming involved. I liked his ideas but doubted their viability or my suitability to help launch a new company with a brand new concept in a foreign country.

At that time I was European Business Systems Manager for a US multinational based in Amsterdam. On one of my visits to the States about a month after the call from Ron, I was giving a routine presentation to my US colleagues. The only issue I was grilled on was Disaster Recovery - what were we doing about it and did we not realise how important it was? By the end of that trip I had visited a commercial hot-site, been half a mile underground to see off-site storage and spoken with several Disaster Recovery consultants.

When I got back to Holland, I was ready to talk to Ron Ginn again. If the subject was becoming a hot issue in the US, why not in Europe? My new life as a missionary, prophet of doom, and minor entrepreneur had begun.

I make no apologises for starting this article with my personal initiation into the business because my story mirrors the industry itself and gives me a solid base from which to speculate on its future. What I did not realise in 1985 was that there were two fundamentally different industries laying claim to Business Continuity. Firstly there were the product providers such as DR Backup Sites, mobile recovery, data vaulting and salvage.

Secondly there were the professional service companies (consultancies and auditors) who were primarily concerned about their client's inability to continue fundamental business processes - not the technical means by which they did so. This difference has largely been ignored because it was in everyone's interest for the idea of DR/BCM to become more widely known to a general business audience.

To understand why this happened it is useful to reflect upon how it all started. Until the early 1970's most companies had no serious form of contingency planning (as it was then called). Major disasters were rare and companies relied on insurance to protect them against asset loss and loss of profits. Business complacency was shattered, however, by the OPEC oil embargo, which showed US corporations that they were vulnerable to external events beyond their control. Dealing with the rest of the world suddenly became riskier with the emergence of terrorism and global cultural conflict. At the same time and closer to home, the US financial sector realised that they were becoming more and more dependent upon new computer technology and the catastrophic impact that non-availability might have on a financial institution's ability to function.

Not surprisingly, this problem (as challenges were then called) soon generated saleable solutions. The computer industry (which was totally IBM dominated at that time) saw this as an opportunity to sell more equipment. If loss of your Data Centre would put survival of your business at risk then surely it would be a good idea to duplicate it in a location that could not be affected by the same disaster. IBM were mainly interested in selling hardware, leaving the leasing business to 3rd parties like Comdisco, so they judged that the market for selling totally duplicated systems as a standby was limited. Major banks and airlines were the only feasible candidates for this strategy. However, leasing companies often had large stocks of equipment and a less than ideal cashflow position. They invested heavily up front on equipment that they leased out very profitably. However, they were very susceptible to any business downturn and also to IBM changing their business and/or technical strategies. For them, Disaster Recovery became an ideal complementary business and it gave their clients who could not afford duplicate sites the opportunity to participate in a shared service with minimal risk.

At the same time another 'solution' emerged - and it became known as the Disaster Recovery Plan, provided by small specialist consultancies. Arguably the first of these was Devlin Associates, founded by Ed Devlin in 1973. This company and a number of similar ones that started up over that decade in the US created the basic methodologies and terminology still largely used in the BCI and DRII standards to this day. Until the early 1980's there was effectively no Disaster Recovery industry of any significance outside of the States although the ideas had started to take root in Australia, South Africa, the UK and The Netherlands. Commercial hot-sites similar to those offered by the US market leaders Comdisco and SunGard had been opened in some of those territories and limited technical DR consultancies followed.

At this stage the business drivers for DR service providers and DR consultancies were not incompatible. DR consultancies wrote technical recovery plans to make the invocation and activation of the recovery sites more effective and secure. Without the sites, the consultancies had no plans to write and without the consultants the DR sites risked having unsuccessful invocations with the resulting adverse publicity. Inevitably, the consultants became closely involved with the DR companies and often got taken over by them. Devlin Associates, for example, became part of SunGard.

The Ron Ginn message that so enthused me back in 1985 was that Business Continuity was not about Computer Disaster Recovery. It was about a new way of managing a business, viewing the continuation of business functionality in all circumstances as the key responsibility of The Board. Recovery of computer systems was simply part of the technical implementation of the overall business strategy.

From this perspective it is clear that the role of the Business Continuity professional is not the same as the original DRP consultant. Whereas a DRP Consultant is primarily concerned about recovery of corporate resources that are lost, a BCM professional is concerned about reducing the likelihood of loss, mitigating the impact if it does occur and possibly re-engineering the process so that it does not have to be directly recovered to its former state. A BCM consultant may even tell you that you don’t need a backup contact and suggest ways of re-organising your working methods to reduce your dependency on IT. The traditional DRP consultant is very unlikely to do that.

As the industry progressed during the last 15 years thus dichotomy has become more marked. The DR specialists have centred themselves around the service providers whereas the true BC consultant has moved more towards the Risk Management arena. In fact in some ways this has caused a ‘crisis of confidence’ in the BCM profession. Should we remain with our traditional cohorts (The Disaster Recovery companies) or move to the higher ground perhaps only to find it already occupied by Risk Management?

For BCI members this is the crucial question and comparison with established professions helps clarify the point. Are doctors in the same profession as engineers who design CAT Scanners? Are accountants in the same profession as programmers of accounting software? Are architects in the same profession as builders? The answer in all cases is obviously no, although in each example they interact within the same industry. If we are to progress as a profession we must recognise that being an excellent technician in DR, does not necessarily make you a BCM professional.

So where is BCM today? Judging by my postbag and Inbox the answer is ‘confused’. Some people tell me that DR is dead as a management discipline, technical solutions rule, you just need to understand their implications and be able to afford them. This is probably true; the traditional services have been widened to include dealing room, LAN, telecom and work area recovery, web hosting and self-healing technologies. The DR companies are viewed as part of the IT industry - their share price fluctuations demonstrate this. Perhaps DR has returned to its roots.

Even that holy grail of BCM, the Business Impact Analysis, is under attack from a raft of general management techniques, which owe nothing to Devlin, Ginn, Hiles or any of our gurus. Risk Management has claimed the corporate high ground already in North America and Turnbull has revolutionised executive thinking about operational risk in the UK.

All of this might be depressing at first glance, but step back a little and ask why our subject exists at all. It is to ensure that organisations can continue to meet their business and service goals whatever may threaten them. Turnbull has recognised that “for many companies, BCM will address some of the key risks and help them achieve compliance”. Business Continuity has come of age.

The boundaries of Business Continuity have to change; we cannot continue to assume that our role is to recover the corporate infrastructure and nothing else. We need to be pro-active in challenging the status quo, asking the questions which management prefer not to address. Our subject has too many specialised islands of knowledge - Emergency Planning, Crisis Communication, Health & Safety, Risk Management, and Information Security. Our holistic philosophy needs to encompass all these specialist skills, not compartmentalise them. Until BCM is an essential part of the management of all businesses we have not won the argument. We have to forget the tools, techniques and gimmicks and simply concentrate on the big picture. There is nothing more important in Business than Continuity.

Back in 1988 I concluded, in the first article on the subject that I ever had published:

“Simplistic standard solutions such as those proposed for a traditional data centre or single site operation are irrelevant to the major global corporation. The next five years should see Continuity Planning achieve what is necessary and became a strategic corporate issue discussed at the highest levels”.

Maybe my timing was out but I still believe this can happen provided we focus on the business rationale and not the technical solutions. Return to Menu...