Colin Jeffs, Head of BCM Assurance highlights the pros and cons of both outsourcing vs inhouse business continuity management.
As a provider who supports customers with their in-house business continuity management (BCM) but will also deliver it as a managed service, Daisy takes an objective look into factors that might shape this fundamental decision.
The notion of business continuity management (BCM) has taken on extra significance over the past two years. Risks that enterprises thought they were planning, or even prepared for, turned out to be rather more damaging than they’d anticipated – whether in the short, medium or long-term. For some, the effects of the pandemic and the numerous business challenges it caused, proved to be terminal.
However, this period has encouraged companies of all sizes to reassess what business continuity really means to them. It’s more than a list of theoretical risk management protocols and is now being rightly viewed as a ‘must’ have rather than a ‘nice to have’.
From this standpoint, the next key decision revolves around whether organisations should carry out their BCM in house, or whether to outsource the function to a specialist third party. There are naturally pros and cons to both approaches, but either way it doesn’t mean you’re having to go it alone.
The pros and cons of in-house BCM
In-house BCM tends to work more effectively with larger organisations, although not exclusively so.
The reason for this isn’t necessarily the size of the enterprise, but the complexity and uniqueness of their IT and operational environments. Larger, more complicated business structures bring with them more nuanced and complex department responsibilities, more stringent or bespoke compliancy protocols, and more intertwining report networks.
Someone who is aware of the strategic, tactical and operational details of the business is often going to be best equipped from the outset to pinpoint risks, potential areas for failure, and prospective mitigations. A big pro of this dynamic is that an internal person (or internal people) will have free and immediate access to all internal resources pertinent to the risk landscape. They are also available to the company around the clock, devoted to that business only, and will already be contractually attached to these responsibilities.
However, there is one quite obvious snag… finding such a skilled specialist in the first place.
The greater the size of the company also comes a greater volume of potential risks. Tasking one person or one department with overseeing that challenge is a big ask, and not an easy specialism to recruit for. And if the company is not hiring this person as a dedicated specialist, it may also mean their attention is split between the ‘day job’ and this additional function – something businesses now know can leave them vulnerable.
Another thing to consider is the possibility of ‘change creep’. This is to become complacent or even blind to the changing environment around a company, when everything inside the business feels so familiar. Similarly, the notion of challenging that status quo may also be more difficult for someone who has ties, friendships, and a sense of loyalty to those who set the existing rules. On the other hand, consultant or external resource will tell you what you need to know and be impartial to internal politics
Perhaps the biggest drawback of all, however, is finding the perfect person only for them to subsequently leave the business later.
Losing an internal resource who has managed to offset all of the above challenges, to provide optimum business continuity, is not just detrimental but inevitable in most cases. And that’s why, regardless of the positive-negative weigh-off of inhouse BCM, it does make sense to seek outside support as part of the equation.
Bringing a third-party in to provide discrete consultation, assessment, validation, audits and workshops can help to free up internal resources and help drive further internal change as required. Vitally, it also adds another pair of eyes to mitigate against any complacency and any subconscious resistance to progress.
The pros and cons of outsourcing BCM
While an in-house function may rely on one person or one small team to look from the inside, out; a dedicated BCM provider will have a number of specialists on hand to take an outside-in approach, backed by a host of real world experience.
While cost is always a consideration when it comes to outsourcing, it can be more cost-effective than the loaded costs of hiring and maintaining in-house staff and as your BCM spend will be more focused, leading to cost savings in the future.
With fixed costs and fixed deliverables, a company can set out exactly what the requirements should be and can then directly gauge the success of that investment – a facet which can be clouded when activity is undertaken in-house.
However, as ever, this latter ‘pro’ comes with a message of caution. As you’re unlikely to be a provider’s only client, consultancies may often use templates or cookie cutter approaches to expedite their activities, therefore enterprises need to be sure to set out their bespoke BCM requirements early on.
Business Continuity as a Service has taken the BCM equation to a new level courtesy of specialist providers, but needs to be delivered as part of a relationship with mutual understanding. Those who understand, and showcase, that there is no ‘one size fits all’ solution will be the partner that can guide your enterprise successfully through this business continuity journey.
Guidance for every journey
There are commonalities across both in-house and outsourced approaches, of course. A need to challenge the status quo, for instance, is something that should be expected of both an internal specialist, or an outsourced consultant. And you can only know this by applying a bespoke lens to the situation.
Business continuity affects all businesses, but not in the same way. Starting the BCM journey with a nod towards what everyone else is doing would be a bad place to start. If a prospective advisor or partner does the same, that should also be a red flag.
Instead, the conversation should begin with the company itself. Its objectives, its strategy, its ambitions, its strengths, weaknesses and vulnerabilities. From this starting point, you can assess the depth of assistance that is required, and the level of technological intervention needed. For example, the scope of software to help administer, track, control and report is evolving, but again it allows for either internal management or outsourced guidance.
Ultimately, BCM is essential for companies of any size. The key is establishing early on, whether an in-house, outsourced or even hybrid approach will meet your requirements. Ultimately, you need the peace of mind that your business won’t grind to a halt if the worst happens.
About the author
Colin moved into the realm of business continuity from IT project management where, as part of implementing IT systems, he had to implement resiliency. Colin has worked in business continuity and crisis management for more than 25 years, holding senior roles in both disciplines for many years at major financial institutions in the city. Colin now heads up Daisy’s award-winning business continuity management division.