C-Level Management BCM Needs and Action Steps
According to Forrester Research in a survey published in September 2007 , most firms are not ready for a disaster. This is despite a series of recent highly publicized, wide-scale disasters and disruptions that include 9/11, Madrid train bombings, Asian tsunami, Northeastern U.S. blackout, European floods, Hurricanes Katrina and Rita, and now the California wildfires of October 2007. This article explores why (1) C-level executives need to care and (2) some recommendations for action.
The best known method to address these highly probable future problems is with Business Continuity Management (BCM), a widely practiced professional discipline with excellent results in major organizations worldwide. Related standards are managed by a number of organizations internationally, the best known DRII in the U.S. and BCI in London. Most other professional standards bodies worldwide leverage their work.
It is important to note that increasing numbers of institutions do care deeply about the larger subject of enterprise risk management, also termed Governance, Risk and Compliance (GRC) by many large organizations, analysts and large solutions suppliers. Investment in GRC in many forms is growing quickly. As example, Forrester Research in 2006 showed an expanding investment in software in this emerging area, with revenue growing to $1.24 billion by 2010 .
Organizations are learning that a robust BCM capability is fundamental to a strong GRC program. Category per Forrester Research are (a) legal and regulatory, (b) strategic, (c) financial and (d) operational. The last factor is equivalent to BCM, covering information technology, people, processes, business relationships, physical assets, sales, marketing, supply chain, business interruption, health & safety, and fraud.
A standard definition for BCM is a holistic management process for the following:
• Identification of potential impacts that threaten an organization.
• Providing a framework for institutional resilience.
• Safeguarding interests of stakeholders, reputation, brand and value-creating activities.
• Management of recovery or continuity in the event of a disaster.
• Managing an overall program through training, rehearsals and reviews to ensure plans stay current .
Certified professionals, consultancies and solutions providers are numerous throughout the world, with demonstrated abilities to protect the interests of their institutions and clients. Large numbers of organizations understand and invest in significant BCM programs, as is demonstrated at numerous conferences and symposiums globally.
The benefit of a BCM program is avoidance of significant risk through cost-effective, sound programs of action. The benefit can be identified both subjectively and numerically.Audit requirement can make BCM compliance logical and obvious. Business continuity insurance needed by large organizations requires these programs. Listed companies in many countries are required to show evidence of BCM plans. In the United States, special industry-level standards are Gramm-Leach-Bliley Act of 1999 for the finance and the HIPAA Act of 1996 for health care. Other parts of the world have very similar provisions.
The numbers are also compelling. Research by Pretty & Knight has identified the consequences for large companies not being prepared for disasters. The average Global 1000 company has forecast a 40% chance of a catastrophe to their business in a five year period which would cause a loss of more than 30 per cent of its market value. In sum, senior management should understand that their company may have a high risk of a rapid loss of share value due to some form of catastrophe. Pretty and Knight other research also shows that prepared firms’ share prices recover much more quickly after a disaster.
Specific examples of calculated losses are common for natural disasters. Hurricanes Katrina and Rita in 2005 caused $125 billion in economic damage across the Gulf States with insurance claims $60 billion. The Asia Tsunami of 2004 killed over 280,000 people in towns and villages along the Indian Ocean, with over 3 million survivors’ livelihoods destroyed. A similar event is predicted some day on the U.S. East Coast following a land avalanche in the Canary Islands.
Understandably, company examples are rarely publicized. An exception shows how a mundane event can cause catastrophic business losses. Although a minor fire caused little physical damage at a Phillips microchip plant in New Mexico in 2000, the consequences triggered an unforeseen but serious disruption in supply and resultant high losses. One of two key customers (Nokia) was prepared, quickly mobilizing other global suppliers. The other key customer and a rival (Ericcson) was not prepared. With no alternate suppliers, they incurred more than $400 million in losses and left the handset manufacturing business the following year. Identifying supply chain vulnerabilities like this are one of the outcomes of a good BCM program.
Steps to Take
So, what should senior management do? BCM should be viewed as an important enterprise-level process, report to GRC management, and receive sufficient investment.
First, BCM efforts need to change and improve indefinitely. One-off projects rapidly become out-of-date. Constantly changing information of all types requires updates. Reorganizations, divestitures, and acquisitions can cause breakdowns in dependencies between organizational units. Exercises surface problems requiring long-term improvement. The work of outside experts ages rapidly over time. For large organizations, software specific to BCM programs is necessity to manage business-level interaction, complexities and international scope (e.g., languages, currencies, etc.) for comprehensive effort.
Second, GRC programs should own this process as they are becoming the preferred approach to manage cross-cutting risk issues on a large, enterprise scale. They are better able to deal with the sustained commitment to BCM programs necessary for success, as well as related accountability to senior management.
Third, management needs to invest commensurate with the high stakes involved. BCM programs frequently lack funds and staff, becoming the victim of the ebbs and flows of budget cuts, people changes, and management whims. Sufficient resources should match the business benefits and avoided risks of a strong BCM program..
Background of Author
Chris Alvord is CEO and Founder of COOP Systems, a worldwide BCM software supplier. He has CBCP certification from DRII and has taught hundreds of students as an Adjunct Professor and NYU, USDA Graduate School and for DRII. His education includes a BA with Honors from Harvard College, MBA from Harvard Business School, and doctoral course work at Virginia Tech.
Mr. Alvord can be reached at firstname.lastname@example.org. COOP Systems’ Web site is www.coop-systems.com.
Controlling the swell
By Henry Martin
With all due respect to your operations manager, entrusting the providence of your company to just a handful of techno-wonks simply isn’t business sense.
The best laid plans go awry, so the saying goes. Of course, this might create a minor annoyance when a family picnic gets rained off. But when your company’s database disappears down the tubes because you didn’t asses the risks? Well, that’s a different story – you might as well unlock the window and jump. According to Ernst and Young, over 75% of organisations have experience unexpected availability with critical business systems. It’s also come to light that just 53% of organisations have sufficient business continuity plans in place.
Business Continuity Planning
It’s taken a while for the private sector to accept that IT security was actually a business responsibility rather than a technician’s task. Traditionally, the IT department comes along and corrects the problem. But that isn’t good continuity planning. Even with today’s accelerated technology and its increasing vulnerability to calamity and sabotage – it’s likely that the able bodies in your IT department could cope. They’d probably be capable of resuming some semblance of normality. But with all due respect to your operations manager, entrusting the providence of your company to just a handful of techno-wonks simply isn’t business sense. IT operatives aren’t employed for their commerce diplomas. Sure, they understand the business technical infrastructure down to the last byte. But developing a back-up plan dependent on departmental productivity and areas central to business profitability? Well, you might as well ask the tea lady! But that’s only the half. If for any reason the man with the plan isn’t available the day your system dies, your chances of recovery begin to sink faster than your chances of an early retirement.
Many companies keen to cut back on expenditure still rely on their operations department to implement the recovery plan. To ensure that they achieve the optimal solution, bring in some help. Ideally, with the aid of the big public consultants like Veritas or Ernst and Young. Alternatively, a reputable independent consultant with the ability to tailor a contingency plan to suit your needs of your organisation. COOP Systems based near London with offices around the world offer full service solutions to business continuity. The golden rule is eliminating human error. Certify that the crisis solution is simply formatted and can be easily understood. Most importantly, that it can be implemented by all significant operatives. The best way to do achieve this is by eliminating any manual tasks which are susceptible to error. Less reliance on technical skills reduces the risk of Disaster Recovery failure. The business continuity plan is the foundation of your company’s security, but developing it is a lengthy and time-consuming process. Document your finalised strategy and develop software that ensures the continuity plan is executed smoothly.
Recipe For Disaster – six essential steps to shore up your operation against the rising tide of problems.
The first step is to understand the possibilities that a certain event will present and understand the impact it will have on your operation. Only by charting the risks your business faces can your Continuity manager steer a course around them. From power failure to cyber attacks, some will be obvious, others will require investigation and a degree of lateral thinking to guard against.
Business impact analysis
The next step should determine what kind of an impact each individual potential hazard creates. Business impact analysis should assemble the risks in order of importance and probability. ‘Critical risks’ can be recognised and investigated, while lower grade risks can be isolated, addressed, and prioritised accordingly.
It’s important for business continuity planners to concentrate their efforts on reducing the likelihood of any threats and establish the best way to protect against them. Pitch probability against protective measures and establish the quickest route to steer your business back to normal procedure. Remember that automation simplifies the disaster recovery process.
Document your finalised strategy and develop software that ensures the continuity plan is executed smoothly. The business continuity plan is the foundation of your disaster recovery; certify that the crisis solution is simply and easily formatted and can be easily understood and can be implemented by all significant operatives. Less reliance on technical skills reduces the risk of Disaster Recovery failure. Eliminate human error by eliminating those manual tasks subject to error.
Testing and rehearsal
Perhaps the second most crucial part of disaster countenance, rehearsals determine whether the organisation will sink or swim. There are two main categories of risk rehearsals. The ‘tabletop’ test simulates a disaster scenario, but stops short of activating the business continuity plan. Real-life exercises test the staff and systems in real time for all eventualities which may occur in a disaster. Analysis of results and rehearsals can be used to fine-tune the continuity plan.
The business continuity plan is as organic as your company. As the business evolves your plan must grow with it. Regular updates need to be conducted with constant risk analysis and assessment. If disaster recovery is viewed as an occasional nuisance, rather than an important part of day-to-day activities, testing is prone to failure. Disaster recovery should be assimilated into the company as part of day-to-day performance.