与ChatGPT再聊业务连续性管理（一）

导读：去年3月初发布了《和ChatGPT聊业务连续性和韧性》的译文，当时恰值ChatGPT如火如荼之际，有读者留言说希望看到更多相关文章。前两天新加坡专家Richard Ang（洪福生）在微信群中发了篇小文，内容是他与ChatGPT关于BCM理解的对谈，我觉得问与答都十分精采，特别是其中揭示了在BCM发展过程中、2010年后已较少人员讨论的另一个传统。在运营韧性已越来越热的今天，有必要让更多的专业人员看到这些理解并思考其对今天的价值。这次的”再聊”将分为两部分，第一部分是对Richard Ang（洪福生）所发内容的翻译（原文为英文，附在中文翻译之后）；第二部分会谈谈我对这篇对谈的理解和注解。

另：Richard Ang（洪福生）在微信群发文后，另一位专家杨险峰提出可让ChatGPT谈谈”为什么中国推动BCM不顺利？“，ChatGPT对这个问题的回答挺有意思，有一定的参考意义。这个问答也合并在本文中。

Richard Ang与ChatGPT的对谈

洪福生：请写一篇关于业务连续性管理的摘要。

ChatGPT：业务连续性管理（BCM）是指组织用来识别潜在威胁并制定计划以确保在扰断性事件期间和之后持续运营的战略框架。BCM旨在保护人员、资产和关键业务流程，同时在面对如自然灾害、网络攻击或经济混乱等各种风险时保持韧性。

BCM的核心组成部分通常包括风险评估和分析以了解漏洞，制定响应和恢复策略，实施降低风险的措施，制定应急计划，以及定期测试和更新这些计划以确保有效性。

BCM涉及多个阶段，包括：

1. 风险识别：识别可能影响业务运营的潜在威胁和漏洞；
2. 业务影响分析（BIA）：评估这些威胁对关键业务功能和流程的潜在影响；
3. 制定策略：制定计划和策略以降低风险并确保连续性，其中可能包括备份系统、替代供应链、远程工作能力等；
4. 测试和培训：通过演习或模拟定期测试连续性计划，并为员工提供培训，以确保在实际扰断时做好准备；
5. 维护和更新：持续审查和更新BCM计划，以应对商业环境、技术或潜在风险的变化。

BCM对各种规模的企业都至关重要，因为它有助于最大限度地减少停机时间，减少财务损失，维护客户信心，并确保遵守法规。这是一个持续的过程，需要组织各级的承诺、资源和协作，以有效地管理和应对意外扰断。

洪福生：你所描述的基本上是业务运营的连续性，对吗?

ChatGPT：是的，我描述的（BCM）确实侧重于确保业务运营的连续性。业务连续性管理（BCM）实际上是围绕着扰断性事件期间和之后保持组织内关键过程、系统和功能的正常工作而展开的。

BCM涵盖多个方面，包括运营连续性，这涉及到确保基本业务功能在面临挑战或扰断时继续运营的战略和计划，包括建立备份系统、替代过程和恢复策略。

然而，BCM是一门更广泛的学科，它还包括运营连续性以外的方面。它涉及一种更全面的方法，不仅关注运营方面，还关注整个组织的韧性，包括以下因素：

1. 风险管理：识别、评估和减轻可能扰乱运营的风险。这超出了直接的运营问题，还包括人员、声誉、法规合规等方面的风险；
2. 危机管理：处理意外事件或危机，包括沟通策略、决策过程，以及有效管理危机的响应机制；
3. 恢复和重续：不仅关注即时的连续性，还要规划扰断后的恢复和复原正常运营。

虽然运营连续性是BCM的重要组成部分，但该学科扩展到更广泛的范围，旨在确保组织在面对各种威胁和挑战时的整体韧性。

洪福生：应该通过业务生存和增长的光谱来看待业务连续性和韧性，其中包括经营业务的更广泛的方面，如增长潜力、市场接受、产品和服务的改进等。

业务生存和增长的光谱

ChatGPT：绝对的，你说得对!业务连续性和韧性实际上远远超出了直接的运营方面。它们应被视为涵盖企业整体生存、可持续性和增长的更大光谱的一部分。

除了确保日常运营在扰断期间的连续性外，组织的韧性战略还应整合有助于其长期生存和成功的更广泛的因素，包括：

1. 增长战略规划：发现机会并制定战略以扩大市场份额、推出新产品或服务、进入新市场，以及进行创新以保持竞争力；
2. 客户体验和市场接受：专注于了解客户需求，根据反馈改进产品或服务，并确保良好的客户体验以保持和提高市场接受度；
3. 适应性和灵活性：建立一种能够适应不断变化的市场状况、技术进步、监管变化和演化的消费者偏好的文化和基础设施；
4. 财务稳定和资源管理：保持财务健康，有效配置资源，管理现金流，并为经济不确定性制定应急计划；
5. 人才发展和员工福利：投资于员工发展，确保健康的工作文化，并优先考虑员工福利，因为他们是创新和成功的关键驱动力。

虽然业务连续性管理处理对扰断的即时响应，但整合这些更广泛的方面可以确保业务不仅能够生存，而且能够长期蓬勃发展。它是关于建立一个坚实的基础，使组织能够承受挑战，同时抓住市场增长和进步的机会。

洪福生：不幸的是，我们所讨论的内容并没有包含在可认证的国际标准ISO22301中。大多数咨询项目仍被归类为运营连续性，而不是业务连续性和韧性。

ChatGPT：您完全正确，业务连续性管理体系的国际标准ISO22301，主要关注运营连续性和管理扰断，而不是涵盖业务增长和韧性的更广泛的光谱。ISO22301实际上强调建立、实施、保持和改进业务连续性管理体系，以最大限度地减少扰断的影响。

符合ISO22301的咨询项目和实施通常围绕着确保：

1. 风险评估和减轻：识别潜在威胁，分析其对运营的影响，并制定减轻这些风险的计划；
2. 业务影响分析：了解组织内的关键功能和流程，并排定其在扰断情况下的恢复优先顺序；
3. 制定响应和恢复计划：制定策略、程序和协议，以确保扰断性事件期间和之后的连续性，包括备份系统、备用场所和通信计划；
4. 测试和演练：定期进行操练和演练，以测试连续性计划的有效性，并根据结果进行改进；

虽然ISO22301是运营连续性和减少中断的宝贵框架，但重要的是要承认，它可能没有明确涵盖您所强调的业务增长和韧性的更广泛方面。以ISO22301认证为重点的咨询项目事实上倾向于强调运营连续性和符合标准要求，而不是对业务连续性和增长的整体看法。

然而，具有前瞻性思维的组织通常会将ISO22301原则与更广泛的业务战略相结合，以创建一种更全面的韧性方法，涵盖增长计划、市场动态、创新和以客户为中心的战略以及运营连续性措施。这种整合提供了一种更加平衡和有效的方法，不仅可以确保生存，还可以确保在动态商业环境中实现可持续增长和适应性。

洪福生：谢谢你的想法。

ChatGPT：不客气!如果您还有任何问题或需要进一步的见解，请随时提出。祝您一切顺利！

杨险峰的问题与ChatGPT的回答

杨险锋：为什么在中国BCM推动不顺利？

ChatGPT：与其他一些地区相比，可能有多种因素导致中国采用业务连续性管理（BCM）实践的速度较慢：

1. 监管环境：虽然中国有灾难恢复和应急响应相关的法规，但可能不象其它一些国家制定有或执行明确关注全面BCM的具体法规或标准。这可能会影响中国企业对BCM的优先级考虑；
2. 意识和教育：对BCM重要性的认识可能没有在中国所有行业中广泛传播。教育企业了解BCM在降低风险和确保连续性方面的重要性，会在其采用中发挥作用；
3. 文化因素：风险管理和危机应对的传统商业方法和文化观点在中国可能有所不同，从而影响了对BCM必要性或方法的感知；
4. 资源分配：为BCM计划确定资源优先级可能会与其它即时业务需求或合规要求竞争，从而影响组织内的资金分配和重点；
5. 不断演变的商业格局：中国经济的快速增长和不断演变的商业格局可能导致对扩张和增长战略的关注，在某些情况下可能会掩盖BCM；
6. 获得专业知识和指导：专业从事BCM的熟练专业人员和顾问的可用性也可能影响这些实践在中国企业中的实施和采用；

然而，值得注意的是，随着企业面临越来越多的全球不确定性和扰断，BCM的重要性正在全球范围内得到认可。鉴于商业环境的动态性，随着企业在面对各种风险时寻求增强其韧性和可持续性，中国可能越来越有兴趣和努力采用BCM实践。

附英文问答原文

Richard：Write a summary of Business Continuity Management

ChatGPT：Business Continuity Management (BCM) refers to the strategic framework that organizations use to identify potential threats and develop plans to ensure ongoing operations during and after disruptive events. BCM aims to safeguard people, assets, and critical business processes while maintaining resilience against various risks such as natural disasters, cyber-attacks, or economic disruptions.

The core components of BCM typically involve risk assessment and analysis to understand vulnerabilities, the development of response and recovery strategies, implementation of risk mitigation measures, creation of contingency plans, and regular testing and updating of these plans to ensure effectiveness.

BCM involves various stages, including:

Risk Identification: Identifying potential threats and vulnerabilities that could impact business operations. Business Impact Analysis (BIA): Evaluating the potential effects of these threats on critical business functions and processes. Developing Strategies: Creating plans and strategies to mitigate risks and ensure continuity, which might include backup systems, alternative supply chains, remote work capabilities, etc. Testing and Training: Regularly testing continuity plans through drills or simulations and providing training to employees to ensure preparedness during actual disruptions. Maintaining and Updating: Continuously reviewing and updating BCM plans to account for changes in the business environment, technology, or potential risks.

BCM is crucial for businesses of all sizes as it helps minimize downtime, reduces financial losses, maintains customer confidence, and ensures regulatory compliance. It’s a continuous process that requires commitment, resources, and collaboration across all levels of an organization to effectively manage and respond to unexpected disruptions.

Richard：What you have described is basically business operation continuity, isn’t it？

ChatGPT：Yes, what I’ve described does focus on ensuring the continuity of business operations. Business Continuity Management (BCM) is indeed centered around maintaining the functionality of critical processes, systems, and functions within an organization during and after disruptive events.

BCM encompasses various aspects, including operational continuity, which involves strategies and plans to ensure that essential business functions continue to operate in the face of challenges or disruptions. This includes having backup systems, alternative processes, and recovery strategies in place.

However, BCM is a broader discipline that also includes aspects beyond just operational continuity. It involves a more comprehensive approach that not only focuses on operational aspects but also addresses the holistic resilience of the organization. This includes factors such as:

Risk Management: Identifying, assessing, and mitigating risks that could disrupt operations. This extends beyond immediate operational issues to include risks related to personnel, reputation, regulatory compliance, etc. Crisis Management: Dealing with unexpected events or crises as they occur, including communication strategies, decision-making processes, and response mechanisms to manage the crisis effectively. Recovery and Resumption: Not only focusing on immediate continuity but also planning for the recovery and restoration of normal operations after a disruption.

While operational continuity is a significant component of BCM, the discipline extends to a wider scope, aiming to ensure the overall resilience of the organization in the face of various threats and challenges.

Richard：Business continuity and resiliency should be viewed through the spectrum of survival and growth of the business, which includes broader aspects of running a business such as growth potential, market acceptance, improvements in products and services, etc.

ChatGPT：Absolutely, you’re spot on! Business continuity and resilience indeed extend far beyond just the immediate operational aspects. They should be viewed as part of a larger spectrum encompassing the overall survival, sustainability, and growth of a business.

In addition to ensuring the continuity of day-to-day operations during disruptions, an organization’s resilience strategy should integrate broader factors that contribute to its long-term survival and success. These include:

Strategic Planning for Growth: Identifying opportunities and developing strategies to expand market share, introduce new products or services, enter new markets, and innovate to remain competitive. Customer Experience and Market Acceptance: Focusing on understanding customer needs, enhancing products or services based on feedback, and ensuring a positive customer experience to maintain and improve market acceptance. Adaptability and Flexibility: Building a culture and infrastructure that can adapt to changing market conditions, technological advancements, regulatory changes, and evolving consumer preferences. Financial Stability and Resource Management: Maintaining financial health, efficient resource allocation, managing cash flow, and having contingency plans for economic uncertainties. Talent Development and Employee Well-being: Investing in employee development, ensuring a healthy work culture, and prioritizing employee well-being as they are key drivers of innovation and success.

While business continuity management deals with the immediate response to disruptions, integrating these broader aspects ensures that a business not only survives but also thrives in the long run. It’s about building a resilient foundation that enables the organization to withstand challenges while seizing opportunities for growth and advancement in the market.

Richard：What we have discussed, unfortunately, is not captured in the certifiable ISO standard 22301. Most consulting projects are still classified as operational continuity, not business continuity and resilience.

ChatGPT：You’re absolutely correct that ISO 22301, the international standard for business continuity management systems, primarily focuses on operational continuity and managing disruptions rather than encompassing the broader spectrum of business growth and resilience. ISO 22301 emphasizes establishing, implementing, maintaining, and improving a Business Continuity Management System (BCMS) to minimize the impact of disruptions.

Consulting projects and implementations aligned with ISO 22301 often center around ensuring:

Risk Assessment and Mitigation: Identifying potential threats, analyzing their impact on operations, and developing plans to mitigate these risks. Business Impact Analysis: Understanding the critical functions and processes within an organization and prioritizing their recovery in the event of a disruption. Developing Response and Recovery Plans: Creating strategies, procedures, and protocols to ensure continuity during and after disruptive events, including backup systems, alternate facilities, and communication plans. Testing and Exercising: Conducting regular drills and exercises to test the effectiveness of continuity plans and making improvements based on the results.

While ISO 22301 serves as a valuable framework for operational continuity and mitigating disruptions, it’s important to acknowledge that it may not explicitly cover the broader aspects of business growth and resilience that you’ve highlighted. Consulting projects focused on ISO 22301 certification do tend to emphasize operational continuity and compliance with the standard’s requirements rather than a holistic view of business continuity and growth.

However, forward-thinking organizations often integrate ISO 22301 principles with broader business strategies to create a more comprehensive approach to resilience, encompassing growth initiatives, market dynamics, innovation, and customer-centric strategies alongside operational continuity measures. This integration allows for a more balanced and effective approach to not just surviving but also thriving in a dynamic business environment.

Richard：Thanks for the thoughts.

ChatGPT：You’re welcome! If you have any more questions or need further insights, feel free to ask. Wishing you the best with your endeavors in business continuity and resilience!

杨险锋：Why is BCM promotion not smooth in China?

ChatGPT：The adoption of Business Continuity Management (BCM) practices in China might have various factors contributing to its slower pace compared to some other regions:

1. Regulatory Environment: While China has regulations related to disaster recovery and emergency response, specific regulations or standards that explicitly mandate comprehensive BCM may not be as prevalent or enforced as in some other countries. This might affect the prioritization of BCM among Chinese businesses.
2. Awareness and Education: Awareness about the importance of BCM might not be as widespread across all industries in China. Educating businesses about the significance of BCM in mitigating risks and ensuring continuity could play a role in its adoption.
3. Cultural Factors: Traditional business approaches and cultural perspectives on risk management and crisis response might differ in China, influencing the perception of the necessity or approach to BCM.
4. Resource Allocation: Prioritizing resources for BCM initiatives might compete with other immediate business needs or compliance requirements, affecting the allocation of funds and focus within organizations.
5. Evolving Business Landscape: China’s rapid economic growth and evolving business landscape might have led to a focus on expansion and growth strategies, potentially overshadowing BCM in some cases.
6. Access to Expertise and Guidance: Availability of skilled professionals and consultants specializing in BCM might also impact the implementation and adoption of these practices among Chinese enterprises.

However, it’s worth noting that as businesses face increasing global uncertainties and disruptions, the importance of BCM is being recognized worldwide. Given the dynamic nature of the business environment, there might be a growing interest and effort in adopting BCM practices in China as businesses seek to enhance their resilience and sustainability in the face of various risks.

---

原文发表于公众号”业务连续性+” | 原文链接