The Hierarchy of Needs – How to make BCM a Board‐level Issue By John Matthews, Steelhenge Consulting Ltd I had reason the other day to look up Maslow’s hierarchy of needs to refresh my memory of the different levels. For those who, like me, need a reminder, please see below: One thing which occurred to me was the interesting parallel between the progression of needs and how organisations view BCM and other related disciplines. I believe that we can draw some interesting conclusions from this, particularly in the area of getting it onto the agenda of senior management. When most organisations start to look at BCM, typically the focus is on the physical resources required to maintain and recover the critical needs of the business; people, ICT, premises etc. Ideally, we do Business Impact Analyses (BIAs) to establish these needs and then implement our disaster recovery and contingency arrangements. At this stage of the process, it is usually the IT or facilities department most involved, as this is designed to back up their own core services. The majority of the organisation would see this as something which supports what they do, rather than core to their own function and it is unlikely to appear on senior management’s horizon, unless in terms of the cost implications. IT Manager Facilities Manager Basic Needs ICT Disaster Recovery Workarea Recovery Once these measures are in place, the focus often turns to security; how do we keep ourselves safe, how can we protect ourselves from unanticipated events so that we can continue to operate. Some of the tools we use here are Risk Management, Information Security etc. These help us to guard against threats and protect our organisation. Usually, the champions are Risk Managers or Information Security Managers, people with a direct stake in reducing exposure. Again, for the rest of the organisation, this is non‐core and senior management may have a degree of oversight, but are unlikely to be active stakeholders. Risk / Infosec Manager Security Needs Risk Management Information Security IT Manager Facilities Manager Basic Needs ICT Disaster Recovery Workarea Recovery On the next level of our model, there is the need to develop a supporting culture with recognized roles and responsibilities. Typically, this would be where the organization starts to see BCM or one of the other resilience disciplines as a whole business process and begins to involve its staff. Appreciating the value of its people to its operations, it develops structures, processes and programmes to engage people. This is where the management systems would sit, together with the plans and team structures and training. Whilst this may well still be driven by the (de facto) BC/Risk/InfoSec Manager, for the first time resilience is not a marginal, specialist issue. In order to accomplish this stage, much wider involvement and awareness is necessary and this moves it more into the business as usual space. Senior management may sponsor this activity and even engage, to some extent in the training process. Business Continuity Manager Cultural Needs Programme Management Teams & Processes Risk / Infosec Manager Security Needs Training Risk Management IT Manager Facilities Manager Information Security Basic Needs ICT Disaster Recovery Workarea Recovery The next step on our ladder is the need to acquire and maintain reputation, respect or esteem. The appreciation of the importance of resilience and particularly of incident management and crisis communications in protecting reputation and stakeholder value in the face of adverse events tends to drive this. The toolkit here principally consists of incident/crisis management training and exercising and crisis communications training. This is tends to be the point at which senior management really engages; brand, reputation or share price are the main drivers at this level of the organization and, once convinced of the need for a well‐rehearsed process, typically they are happy to commit to this part of the programme and gain an increasing appreciation of the importance of organizational resilience as a result. Senior Management Reputational Needs Crisis Management Crisis Communications Business Continuity Manager Cultural Needs Programme Management Teams & Processes Risk / Infosec Manager Security Needs Training Risk Management IT Manager Facilities Manager Information Security Basic Needs ICT Disaster Recovery Workarea Recovery The final stage of realizing the potential of a resilience programme is often accelerated by senior management’s increased involvement from the previous phase. It is at this point that organisations begin to appreciate the importance of integrating resilience into the business as usual model and of seeking continuous improvement and development in all aspects of the business. This tends to be when organisations start to look at BCM in conjunction with the other related disciplines, risk management, information security et al, as all part of the same resilience piece, both integrated and integral to their operations and will involve increasing levels of training and awareness and multi‐ level feedback, review and audit processes, coupled with a structured exercising and testing programme. Everybody Development Needs Continuous Improvement Exercising Senior Management Reputational Needs Crisis Management Crisis Communications Business Continuity Manager Cultural Needs Programme Management Teams & Processes Risk / Infosec Manager Security Needs Training Risk Management IT Manager Facilities Manager Information Security Basic Needs ICT Disaster Recovery Workarea Recovery Whilst I have stretched the definitions a little and I accept that this model may not apply to all organisations, I think that there are sufficient parallels to justify the comparison. I would suggest that maturity is principally achieved once the level of corporate or organizational involvement reaches a certain point. BCM, like other resilience disciplines, normally starts off as a specialist interest, driven by security and contingency requirements and then moves into a more central role as processes and structures are constructed to support it, involving more people from diverse operational areas. Ultimately, the programme obtains sufficient profile that senior management becomes aware of the potential for a mismanaged incident or service discontinuity to damage brand, reputation or share price. This, not only encourages the senior management team engage in terms of exercising and training for their own roles in managing incidents, they also become increasingly sensitized to the requirement for all aspects of resilience to be embedded into the day to day consciousness of the organization, in order to drive continuous improvement of processes and increased awareness of individual and collective resilience. Some organisations may start at different points along the way, depending upon what aspects of resilience already exist, but the fundamental for BCM and for wider resilience to be truly embedded is for it to be an integral part of the culture. It seems to me that this will not occur until all the underlying requirements have been addressed and an understanding reached of the central importance of organizational resilience at Senior Management level. As with Maslow’s hierarchy, it is only once we have satisfied a category of needs that we aspire to the next, so in resilience terms, we typically start by defining our recovery requirements, then look at our security needs, build our processes, involve our people, appreciate its importance in protecting reputation and finally, hopefully understand that to be effective it must be integral to our business at all levels of operation. One of the principal barriers to organizational maturity in this area is that frequently, resilience elements are viewed as separate, with separate sponsors, stakeholders, audiences and objectives. BCM generally sits at middle management level, as do Information Security, Health & Safety etc., with only Crisis Management really engaging Senior Management. To truly embed BCM in an organization, this and all other aspects of resilience must be regarded as part of an integrated whole, owned and driven by senior management and encouraging both individual and collective resilience in all areas of operations. That must be the level of maturity which we should be encouraging organisations to aspire to. We are unlikely ever to see a Business Continuity Director on the board, but if all the resilience disciplines are seen as part of an integrated organizational resilience model directly tied to brand, reputation, stakeholder value or share price, perhaps one day alongside the CEO, CIO and CFO we might see a CRO (Chief Resilience Officer) whose job is to protect the intrinsic value of the organization. How might we get there? The BCI is already looking at how the various related disciplines and elements which contribute to resilience fit together. If there was a dialogue between the various institutes to generate a common “resilience message”, that would be a clear step in the right direction. In the meantime, both individually and collectively, we should be encouraging our clients to take a holistic view of resilience, whilst making it clear that building and maintaining resilience in order to protect brand, reputation and stakeholder value is not only a Senior Management role, but also a fundamental and integral part of core business. STEELHENGE CURRICULUM VITAE JOHN MATTHEWS – SENIOR CONSULTANT Profile: A senior Crisis Management and Business Continuity professional with 15 years experience and indepth knowledge of good practice standards and requirements in both the public and private sectors (including BS25999, BS25777, Civil Contingencies Act, Corporate Governance etc.). Key Skills: Business Continuity Experience Business Impact and Risk Assessment and BCM Programme development to BS25999 for clients including: • A major UK energy provider • A local Council • A central government department • An NHS Trust • A global telecommunications company • The Tokyo operations of a major European Bank • A major Greek clearing bank • A UK Treasury Department • A major UK power station • Internal BCM programme management for a major law firm. BC Implementation and project management for a major European bank, a large European Motor Finance Company, a major UK retailer and a large call‐centre. Crisis Management consulting and training & Exercise Management Exercising Crisis Management and Response and Business Continuity Plans, including creation of training materials and provision of training for senior management and staff of various national and international clients, including Tier 1 financial institutions, Government Departments and a variety of blue‐chip clients. ICT Continuity ICT Continuity Programme development to BS25777 for clients including: • An NHS Trust • A global telecommunications company • A major Financial institution • A large distribution company • An IT outsourcing provider. ICT DR Strategy Reviews and project management for a major European bank, a large European Motor Finance Company, a major UK retailer and a large call‐centre. Career Experience: Current - STEELHENGE LTD Currently employed as a Senior Consultant by Steelhenge, covering Crisis/Incident Management and Business/ICT Continuity. July 2007 – March 2009 SIEMENS ENTERPRISE COMMUNICATIONS LTD (INSIGHT CONSULTING) A Senior Consultant with Siemens. His role included developing, managing and developing client relationships and delivering effective analysis, planning, implementation and exercising of all aspects of Business Continuity to BS25999. January 1998 – April 2007 SAFETYNET CONSULTING / GUARDIAN DR / SUNGARD AVAILABILITY SERVICES A Managing Consultant with SunGard since January 1998, through its previous incarnations as Safetynet and Guardian. Professional Qualification and Professional Memberships Consultant member of the BCI BSI trained & qualified Lead Auditor for ISO 27001 Education: 1972 - 1979 Royal Grammar School, High Wycombe