Jean-Marie Paquet is a Certified Business Continuity Professional and the representative of DRI in Luxembourg. For more information on becoming involved with DRI in Luxembourg, please visit his consulting firm, Net-Consilium.
He shares his experience in resilience as well as his insights into the industry as a whole.
How did you become involved in resilience and its related industries (business continuity, disaster recovery, emergency management, etc.)?
I became involved sort of by chance. During a visit on site in the late 90s, the hosting company started a BC exercise for operations during a business meeting. I wrote a business summary to the attention of my management and was quite soon appointed to present BC / DR concepts to the Board and to design a blueprint for BC / DR program. Later as a manager in operations, BC/DR became a constant point of attention with a primary focus on BIA (Business Impact Analysis) and development of continuity strategies for operations or to mitigate PMO related risks.
In most recent years BC / DR became close to a full time occupation, providing consultancy, audit and education services.
How would you describe your job to someone who is unfamiliar with the industry?
Conductor in the sense that the deliverable of a BCMP is dependent upon all stakeholders in an organization, each with own interests and challenges and with possible interdisciplinary conflicts.
Organizer, because no one else will take the lead and the associated risk.
Persuader, because in a situation of economic crisis, with scarce resources and possible conflicts of interest, it take a lot of energy to ensure BCM Programs are implemented or maintained at a decent level.
Communicator, because to ensure the BCM activities stay in focus, are funded appropriately, stakeholders must be provided diligent and pragmatic reports about the allocation of resources and the contribution of expenditures to the definition and design of viable BCM, and insurance concerning its effectiveness.
What is your biggest challenge as a resilience professional?
The greatest challenge is two-fold: ensuring permanence of appropriate funding and ensuring BC/DR/Resilience does not become a “simple” issue of technology.
Addressing the challenge of funding cannot simply rely on legal or regulatory constraints, or put in simple terms “fear of the authority”; owners, share- or stake-holders, executive and C-level managers have to be constantly and appropriately repeated that “resilience” is a state of corporate mind and is not just about avoiding fines. It’s about persuading that adverse events will happen and that any state of preparation is better than none to ensure survival of business or activity.
The second challenge is related to the holistic scope of resilience. Despite the needs to cope with specific information technology or facility related issues in respect with resilience, adverse events may have origins that have no connections at all with hard- or software: pandemics, compliance, reputation, compromised deliverables, social-bashing, environmental or climate changes.
What do you consider your greatest achievement or milestone as a resilience professional?
Being given the chance to become lecturer discussing resilience, risk management, continuity, disaster recovery courses in corporate environments and in academic ones (universities and research centers).
Why do you consider resilience and its related industries to be significant?
At the least, they contribute to preserve a “going-on concern” and the need for it, in corporations and in the public sector. In the long term, they promote the preservation of our civilization, mankind and life.
The related players contribute by disseminating and raising the state of awareness.
What do you consider the most important issues facing resilience professionals today?
I consider silo-approaches in resilience as a major issue; they contribute to an ineffective allocation of resources and worse, to inappropriate ranking in critical functions.
From recent adverse events, I recommended also no longer to consider a “discrete” (i.e. step-wise scheduled) approach to run through “Risk Assessment – BIA – Strategies” but on a more continuous basis.
Risk and Business Impact Analysis need to be catered to with a much more proactive mindset and need to be addressed and judged against the current reality of permanent unrest and instability.
Some examples may illustrate the concerns.
- Some years ago, while ranking possible threats during a BCMP update, I promote to address the crisis in the EUR-zone; although a highly political sensitive matter and apparently not directly related to operations, the topic was finally accepted for a higher ranking. Political talks may fail; states may fail. From the perspective of a professional in resilience, the risk for my client was higher (occurrence and exposure) than the one related to a nuclear plant or social unrest.
- To mitigate risks related to critical suppliers, a client accepted to revisit on a quarterly basis the assessment instead of a yearly base review; moreover, a snapshot related to critical suppliers is released every month with a provision for a weekly update if conditions request for it. The points under review do directly address the health status of each supplier, but also the geopolitical context; for each supplier, alternate ones are indentified in advance; for the most critical ones, pre-arrangements are put in place.
- During a BCM audit of an insurance company, some flaws were highlighted and revealed that BIA was conducted from a silo-based approach i.e. top-down, each business unit next to the other. As result, in case of invocation of the BCP, the company would not have able to meet regulatory and contractual obligations after the close of the first day. The entire plan was revisited on a “system and processes” (end-to-end) based approach. This enabled to better evidence the interdependencies. As a result, RTO and RPO could be adapted with savings of about 15% p.a. could be earned towards the former recovery strategies
Hence, I’m advocating to design and implement “risk radars” with an holistic prospective; to consider a periodic refresh appropriate and proportionate with the underlying business criticality, but definitely to communicate a brief executive summary on a monthly basis, or more frequently if required.
What advice do you have for those just beginning in this field?
Considering my description of the role – conducting, organizing, persuading and communicating – my advice would be:
- Do not stay in a remote office. Even when a working place is required, be mobile when possible and work from the units where business is made.
- Ask, ask and ask again (5 whys). Use a glossary and set up one if none is available, very often people are using terms and forgot their meaning.
- Immerse yourself in the business before actually starting planning or designing BC / DR; even though best practices are common to every business, there is no “one fit for all” solution. Immersion will enable to share objectives, resources and terminology, to assess complexity, to identify formal stakeholders and those from the shadows.
- Involve people; associate with them as much as possible.
- The ultimate motivation: the plan(s) is (are) not yours but theirs, hence make sure they endorse it and accept ownership for it
- To remember “NESCITIS QUA HORA DOMINUS VENIET” ; in the context of resilience, one doesn’t know when an adverse event is likely to happen, but having anticipated about its nature, its likelihood, its impacts and having elaborated on how to overcome it, is the only posture testified by the figures that is increasing the chances to remain in business.
What have been the most important developments in resilience in the past decade? Why?
From a methodology prospective, risk frameworks (COSO, ISO31k,..) have made interesting developments to support resilience and broaden its scope.
Technological developments have also contributed to a mutation in resilience (High Availability, Continuous Availability, Cloud computing, …) have enabled the emergence of significant progress to support resilience.
Recent trends to encapsulate climate changes in resilience framework will undoubtedly contribute to address major treads.
I also consider with great care and interest the publication of the WEF Risk Report. The Risk Reports produced by the WEF are not only interesting as stand-alone reading but also a very useful piece of information to consider the evolution of risks perception during the last decade and above all, the risk interconnections and cascading effects.
Jean-Marie started his career as Officer within the Belgian airborne and paratroopers units. In 1991, he joined the pan-European RINET (REinsurance and Insurance Network) joint-venture as consultant for the design and the implementation of a VAN, based upon UN-EDIFACT standards. In 1993, he moved to Luxembourg and was appointed as senior consultant within KBL epb S.A. From 96 to 2000, he successively joined the managing staff of Brown, Shipley & Co (London) and of KBL Swiss Private Bankers (Geneva / Lugano) to supervise the implementation of core-critical banking packages. Back in KBL epb S.A., he pursued his career as senior manager and Head of Division within operations. In 2013, he founded NET-CONSILIUM to provide consulting, audit and educational services; he is acting as part-time lecturer at the University of Luxembourg and at the Luxembourg Institute for Science and Technology. Jean-Marie is holding a master’s degree in Applied Military and Social Sciences from the Royal Military Academy (Brussels) and graduated from the “ICHEC-ISCSL-ISFSC Group) with a master’s degree in Business Engineering.