BCI World Hybrid 2022 - 24 Hours of Resilience by Luke Bird FBCI

  • 08 Nov 2022
  • Luke

I attended this year’s conference which, for the first time in several years, was virtual AND physical. So good to see old and new faces, and enjoy that fresh collaboration. We’ve done so well online but more face-to-face interactions as well, please! 

Business Continuity ROI = People

I started the day with Charlie MacLean-Bristol’s keynote session on return on investment (ROI) for business continuity, where he cited a clear need across vendors and consultants alike for a solid ROI. This topic is an ever-present on the conference circuit, which suggests a theme of under investment in our profession, don't you think? Nevertheless, it’s always a good way to start!

The key focus for ROI is people because, to Charlie’s point, it’s people who manage and stop incidents and near misses. He shared ideas on how we can see a ROI in our people.

First things first, Charlie asked what is the current baseline competency for both individuals and teams? This needs to factor in knowledge, skills, behaviours and experience, etc. He pointed to a qualitative self-assessment as a start to create a scoring system, with this further supplemented by umpire assessments during exercises. Personally, I’m not sure how this would fly in any organization I’ve worked in, but he admitted this would have to be sold in the right way. 

Credit to Charlie, he is a vastly experienced professional and well-oiled presenter, and he practices what he preaches in his own business - but then, it is his business so he can do what he wants. In his defence, he acknowledges the challenges it presents.

Albeit qualitative and highly subjective, Charlie’s approach put forward during his session has a solid method. It could be packaged up well if done correctly. The practitioner in me thinks this would take time, money and maturity to implement. For me, the people and capacity element is reminiscent of the ideas proposed by Adaptive Business Continuity via their “aperture” concept, which might be worth a compare and contrast because Dr David Lindstedt and Mark Armour propose similar ideas. 

Compliant But Not Yet Resilient

Next up were keynotes, Kate Needham-Bennett and Stella Nunn. As always, I was very much looking forward to this session - not least because I’m a big fan of Stella’s content - but also because the session is close to home being on operational resilience in financial services. The title of the session alone was quite telling - “compliant but not resilient” - as they spoke to the maturity challenges of the coming years. 

I did have a quiet chuckle when they said some people describe operational resilience as “business continuity on acid” and they acknowledged that this is a view held by many in our profession (unsurprisingly). They didn’t fully say they agreed, so the debate continues!

This was a powerful visual by Fusion Risk Management regarding nations who have already released operational resilience regulations, which highlights the clear and obvious gear change in recent years. They remarked on the broadly consistent tram lines in terms of consistencies across regulations, but acknowledged some differences in terminology which may provide challenges for a global roll out. I’d be really keen to see a delta between the regulations. If anyone sees something like that, please send it my way.

They also delved into ‘intolerable harm’ to customers and argued that financial services have not traditionally looked at themselves in the way they are now expected to. That statement initially seemed odd to me because products and services are typically customer-centric and for that not to reflect customer harm was surprising to me. Although the follow up point did highlight that banks today find it challenging to differentiate harm and intolerable harm to customers and the market. That makes sense because I ask myself “do banks really understand when intolerable harm kicks in for pensioners when they can’t access their weekly money, and what does that look like?” I suspect not. I hope I interpreted this correctly, Kate and Stella. If not, please do put me right! That is the joy of doing these sessions - they get your brain going!

The trickle down non-financial involvement is seeing more organizations who aren’t directly regulated looking to shadow comply. I assume that’s to keep up with business relationships that they have with the financial services sector, etc. If this move is as big as the endless list of material vendors in banking, then third-party risk and operational resilience scenes are going to explode in due course. Watch this space…

A Panel Discussion on Organizational / Operational Resilience

Next up: a panel discussion about debugging myths, starting with definitions of resilience. The panel featured international professionals with something close (I said close) to 100 years of collective industry experience!

It was interesting to see that all panellists had different perspectives on this topic, in both the way they defined it and approached it. One said ‘why would anyone outside this room care about the difference of definitions?’ This suggests the value of nailing down definitions is perhaps placed too high on the list of stuff to talk about. It was quite a good mix of wanting to define and wanting to focus on the ‘so what?’

Similar to the keynote speakers, the panellists also described operational resilience as ‘business continuity on steroids’. First acid and now steroids - what next? And why does business continuity need to consume so many different types of drugs? Clearly there is an underlying theme in the professional community that operational resilience is just business continuity ‘done right.’

The panel discussion then touched on the point of a recent British publication term ‘consumer duty,’ pointing to the clear change in focus to a more customer-centric approach. 

Ultimately, this session felt like a clashing of tactical and strategic views and it was really useful to hear the disagreements. I saw a lot of nodding heads in the room with the voice of the tactical focus - this is quite telling given the nature of a lot of what business continuity professionals have to do in their day-to-day. There was a slight audible gasp when one panellist said “do we even need a plan to test?”

I was pleased to have attended this panel discussion because the differing perspectives got me thinking. More of these types of sessions please!

Fix it? But at what cost and with who?

Next up was Susie Ansary, BCI Board Member, global head of BCM & NEM R&D, Novartis Pharma AG, and generally all-round ‘kick ass’ (can you tell I’m a big fan?). Her session was titled ‘Forget ME, Remember We’, which discussed the BCI competency framework, with a special focus on non-business continuity related competencies, e.g. leadership, collaboration, communication, etc.

Using a case study about a cyber-attack on an organization via a third party, the audience were tasked to implement a sustainable solution, with a timeline and budget, to manage the incident. We were presented with a list of people with different skills and experience, as well as their associate salaries. We were then asked to decide who we wanted on the project to remediate the issue.

It was great to bring it back down to brass tacks (i.e. ‘what’s the cost?’) I think it’s important to exercise this point and explore the balance of skill, experience and cost = value add to the project.  

The development and implementation of a resilience strategy is delivered at a cost to the business and this should be a guiding marker in one’s mind at the design stage. Don’t create a monster that you can’t run!

Advice from my Grandchild’s Computer Game

Next up was Mark Hoffman, co-founder of the Resilience Think Tank. In his session, he made reference to the popular game Fortnite and compared the game to a business continuity professional’s day to day life. 

First off, he asked us to write as many song titles that included a name as possible in 60 seconds. The audience came up with loads. It was a fun activity because of the big songs coming from different countries, and we all got to learn about hits from Kenya to Finland! His point was that although individually we came up with four or five songs, together the number of song titles was exponentially higher with a more diverse set of thoughts and ideas. It was a really good warm up exercise.

He continued the comparison with Fortnite, considering how we should gather resources as we go like the characters in the game who start with nothing. His message was to ‘build as you go’. 

The fact that everyone is against everyone is much like the business continuity battle for buy in. Mark suggested finding something that matters and using that as the hook. The game has a storm circle that closes in on the remaining participants, and Mark believes all organizations have one. He believes that in itself is justification for the programme and we, as practitioners, should find that and use that to gain buy in. 

Getting Business Continuity Insights Through to Leadership

The last keynote session of the day was great! YouTuber and Podcaster, Alex Fullick, and Margaret Millett, Head of Global Resilience at Uber, pointed to enterprise risk management as a way to drive your programme through to leadership level visibility. I was massively biased on this session, as I couldn’t agree more. Margaret talked about linking business continuity into existing organizational taxonomy so issues post-incident or exercise are truly owned by the right part of the business, and are therefore rated consistently with any other issues raised across the business. Sound advice in my opinion.

 

That’s a Wrap

It was great to be around the professional community for the first time in several years. The BCI managed the conference really well and I think next year it will be an even bigger and better event. I used the virtual platform to share comments and questions during each of the sessions and to engage with my colleagues tuning in from all parts of the world. Also, I can now go back this month to watch the virtual sessions that I missed, as well as the breakout sessions I couldn’t attend at the physical conference.

What. A. Day

 

About the author

Luke Bird

Vice President - Business Continuity and Disaster Recovery

Award-winning continuity & resilience professional working in financial services.  

Global Board Director for the Business Continuity Institute.

Business Continuity Institute Scotland Chapter Committee Member.

*All opinions shared are mine and not those of the BCI board, which is a collective decision-making body.