[article] Resilience Industry Professional Ethics and Standards
Over the years, I've encountered practitioners whose skills didn't match their resume or claimed experience. Sadly, as there is no single accepted standard or any specific government regulations surrounding our industry, bad actors can worm their way into roles or contracts despite not having the experience to build solid programs. Adding to the complexity is the trend towards the removal of silos between Business Continuity (BC), Disaster Recovery (DR), Emergency Management (EM), Enterprise Risk Management (ERM), and other practice fields under the resilience umbrella. Who owns what? Defining "Resilience" might be a good first step in regulating standards in our industry, but that's a topic for another article.
The issue of ethical representation of skills and experience has been a bit of a thorn in the side of many resilience professionals I've known, but as individuals there's not much we can do to weed these imposters out beyond joining recognized organizations such as DRI, BCI, DRIE, etc. and adding your voice to those who are lobbying for real regulation.
Industry groups such as DRI, BCI, and others have strict rules around their requirements to earn and maintain a certification, but not every Human Resources professional, hiring manager, or individual charged with ensuring business resilience in an organization is aware of these and if you Duck Duck Go for Business Continuity (BC), Disaster Recovery (DR), or other resilience industry regulations, outside of Emergency Management (EM), you will not find any legal / legislated guidelines to use as a base to begin the search for your next Resilience Manager, but you will find many, many groups claiming to offer industry certifications.
Consider the fallout for someone who falsely claims a P.Eng, builds a structure which then collapses and kills people? Legal ramifications will ensure they never try that again. This why you rarely hear of someone without verified qualifications getting hired as an engineer, it's a strictly regulated profession.
The Resilience industry is unique from many in that currently there is no pass / fail on your efforts or knowledge. Doctors, software developers, engineers, carpenters, plumbers, etc. have very defined processes that if you cannot perform, your falsehood becomes apparent very quickly. In our industry, generic resilience plans of all shapes and sizes can be downloaded from the interweb and represented as your own work product, without management being any the wiser. This is due to many organizations being content to be able to say they have plans, despite having never exercised / tested them. This allows the pretenders to conceal their ineptitude. Will these generic plans work in a crisis? Highly unlikely, but how often are they implemented in a declared disaster to prove that they're useless? These individuals are a cause of significant misunderstanding of our processes in many organizations, and in most cases, this can be traced back to the spreading of erroneous or half understood information. It's like a game of broken telephone and provides the cracks that unqualified individuals slip through. Where does this leave us? If the individuals who claim to have experience they don't can only be dismissed, but not punished legally, what's to really deter them from continuing their charade? Nothing. If they had no compunction about lying to you, they won't think twice about lying to the next organization.
Aside from being very offended that someone who is not qualified is claiming to be a resilience professional, something that has taken me many years to confidently refer to myself as, it gives our profession a less than credible reputation. This has a trickle-down effect on several aspects of our professional lives;
Our ability to "sell" a project to senior leadership
Once they've been burned, getting buy in from the C-Suite is 10 times harder, and not possible in many cases. Programs that don't generate revenue are hard enough to garner support for at the best of times, try it after they've spent a significant amount of money and gotten vapourin return.
After an organization has had a less than stellar experience with someone in a role who claimed to be a professional, they might not be inclined to be overly generous with the next prospect, who then declines the offer because the expected compensation is not there. This becomes a vicious cycle and leaves a bad taste in everyone's mouth.
From a consulting perspective, these individuals force honest professionals to either pass on opportunities or lower their rates to match the discount rates unqualified individuals are quoting. Few people take "you get what you pay for" as seriously as they should when it involves budget for cost center projects.
To add insult to injury, those who purchase Errors & Omissions insurance face increased rates thanks to individuals who perform sub-standard work.
Firestorm publishes an annual report on continuity salaries, find a link HERE to obtain a copy.
Loss of reputation
Our industry can suffer from poor public image and may be seen as a wild west of anything goes, when it comes to professional standards.
Quantifiable standards for resilience need to be identified and enforced.
Catastrophic consequences during a crisis
An individual misleading an organization about their skills and knowledge and lack of ability to create solid crisis response plans could potentially be a life safety issue. When a professional creates plans for crisis events, they are aware that people are depending on these instructions to prevent further injury or loss of life, not just business assets.
Qualitative business losses such as reputation, client base, shareholder confidence, etc. can be severely impacted by poorly developed programs and will sour an organization on investing in a resilience program.
There are many other downstream effects of this particular brand of skullduggery, but even these examples should open our industry's eyes wide enough to realize that something must be done to ensure that our profession is elevated to the same level as other professions in the view of the public and business.
There are accepted standards from ISO (22301) and CSA (Z1600) which provide an organization with guidelines that identify what their program should look like, but unless the organization has someone who has actually read and understood these, they aren't much use in ascertaining if an individual is competent or your program is built to accepted industry standards. I've had people tell me how they use ISO 22301 to build a program, this is a dead giveaway that they're not as experienced as they represent. They use it as a buzzword to muddy the waters and cover their lack of experience. ISO 22301 is a standard, not a methodology for program development, and will not ensure that the data required to build an accurate program is identified.
As with any major crisis event, less honest individuals will use it as an opportunity to take advantage for financial gain and the issue of ethical representation of skills / experience is only going to be exacerbated by the Covid-19 pandemic and the scramble by organizations to respond and try to ensure they are better prepared for the next crisis. Don't grab the first individual or group that claims to be your resilience solution, your results may not be optimal.
Hoping that smarter people than I can identify a resolution to this plague on the industry that I truly love being a part of. I do not say that lightly because of the financial benefits, the professionals that I interact with at conferences, presentations, in business, and at DRI Canada #dric make me feel good about what I do, and I learn new or improved methods and processes consistently. Plus, they're typically very nice people who take what they do seriously and like the old saying goes, "Do what you love, and you'll never work a day in your life."
As a closing note, it's not that someone without a certification doesn't know what they're doing, but I can guarantee you, someone who doesn't know what they're doing will not have a certification (unless they've created their own fantasy industry group and named themselves Supreme Commander.)
As always, thank you to the folks who provided peer review for this lunchbreak learning module Garth Tucker, CBCP, CORP
Garth is the Principal of Green Apple Resilience Planning (greenapplebcp.com), a member of the DRI Canada (dri.ca) Board of Directors, and a Certified Business Continuity Professional (CBCP). His career focus is on the development and management of holistic resiliency programs as well as effective management of crisis events. The path to his current position began with software development, project and program management, and as an IT technology educator worldwide for IBM in the late 1990s and early 2000s. He transitioned to disaster recovery, business continuity, and crisis management beginning in 2002. Significant formal, and self-education throughout his career has ensured he remains relevant and effective.
As we begin our 36th year, we are eager to get back to regular in-person meetings at our favourite hotels. However, in keeping with current health guidelines, we must stay home and stay safe.
The TUG Board of Directors will continue to monitor the directives from the Ministry of Health and make responsible decisions for the health and safety of our members and guests, with regards to the re-opening of our Meetings of Members (MoMs). In the meantime (instead of in-person MoMs every two months) we are planning to compensate by presenting monthly Zoom meetings!
(See THE AGENDA page for the next scheduled meeting.)
We thank You for your patience and co-operation throughout these unprecedented times.
On Behalf of the TUG Board of Directors
Vaughn Dragland, Executive Director
TUG Board - Election of Officers
In July 2020, the following Directors were elected as officers of TUG's Executive Committee: