About Us | Search | FAQ | Contact Us
ISSN No:1470-5494 All rights reserved. No part or portion of this publication may be reproduced or transmitted in any form without the express, prior and written permission of the publisher. Whilst every effort has been made to ensure accuracy, the publisher accepts no responsibility for any person acting as a result of the content herein.
In the wake of the terrorist attacks in the US directors of organisations throughout the world have become aware that they are vulnerable to the unexpected. Many are turning to a new management discipline, Business Continuity Management, to help in their preparations for ensuring the organisation is protected. What exactly is it and why should a Board support the introduction of this discipline into their organisation? What are the issues driving the introduction of BCM and what is needed to ensure it's effective establishment? This article will seek to answer these questions.
Business Continuity Management (BCM) takes an holistic view of an organisation, and is defined by the Business Continuity Institute (BCI), "as the act of anticipating incidents which will affect mission critical functions and processes for the organisation and ensuring that it responds to any incident in a planned and rehearsed manner whilst the business recovers". It is worth examining this definition in more detail.
In the definition the term incident is used rather than disaster. Directors of organisations do not accept that their companies will be subject to disasters. 'It will never happen to us' is the retort still heard from directors even when confronted by the recent horrific disaster in New York. As always there will be a tendency to bury their heads in the sand, which leads to an ill prepared organisation unable to respond at critical times.
Research by Knight and Pretty of Templeton College, Oxford* has shown that the effect of disasters on shareholder value can be serious. They discovered that it is the lack of confidence in the ability of senior managers and directors to act quickly and professionally at the time of disaster that drives down share values. Knight and Pretty quote various examples of organisations that have lost the confidence of shareholders at critical times. The classic is Perrier who, at the time of the benzene contamination of their product, failed to respond adequately to the concerns of the market. Their market share was dramatically reduced and the value of the Perrier shares fell so seriously that the company became vulnerable and was eventually taken over by Nestlé.
If we examine the causes of major disasters it is found that there are several incidents or circumstances which combine together and lead to the eventual disaster. BCM is about prevention, not cure. It is about being able to deal with incidents as and when they occur. It has been found that this concept is more acceptable to directors.
The BCI definition calls for the identification of those incidents which will affect the mission critical functions and processes of the organisation. Too often assumptions are made that there are some areas of the organisation which cannot be managed without, but if the test of mission criticality is applied these areas may be found to be of a far lower importance.
Until the critical areas have been identified, work cannot begin to establish the degree of impact on the organisation if such areas are lost or disrupted. Should the level of impact be severe then an assessment must be made regarding the risk of an incident occurring that would cause the loss of the critical function or area.
BCM requires that effective plans are established to ensure the organisation can respond to any incident. But the process does not stop at the planning stage. Plans are worthless unless they are tested. In the Knight & Pretty study 5 organisations investigated suffered serious consequences as a result of poor disaster management. Some of these companies had business continuity plans in place but they failed because they had not rehearsed them. The rehearsal of plans is essential. There is not a plan created which will work first time, rehearsing ensures the disconnects and omissions in the plan are fixed before it is used in anger.
In the BCI definition the term Business Continuity Management is used rather than business continuity planning. This is deliberate as planning implies that there is a start and end to the process. BCM is a continuum; plans must be kept up to date as the organisation changes. External environments and influences are constantly in a state of flux and so the process, to be valid, must continue throughout the life of the organisation.
It is essential for the Board to introduce the BCM process. There are several key drivers which determine this. The highest is about delivering confidence to all stakeholders. Stakeholders are not only investors, customers and employees; but also include suppliers, the community and the environment. Surprisingly some protest should also be seen as stakeholders as they can exert considerable pressure on the way the organisation operates..
Industry regulations and legal requirements are having an increasing influence upon organisations. There is an increased awareness by the regulators that organisations should have effective BCM in place for the protection of customers and the community. In the UK, the Turnbull Committee Guidance for Directors on Internal Controls sets out an overall framework of best practice for business, based upon an assessment and control of their significant risks. Nigel Turnbull, Chairman of the ICAEW committee on the Guidance for Directors on Internal Controls stated: 'For many companies, Business Continuity Management will address some of these key risks and help them to achieve compliance."
Frequently directors turn to the insurance industry to help them manage business risk. It is not the physical loss that causes the greatest pain for any organisation but the loss of customers. Business interruption insurance is seen as a way of covering the revenue lost whilst the facilities are rebuilt. Insurance companies will have greater confidence in the management's ability to rebuild and hence be more inclined to provide adequate cover, if they can see evidence that effective business continuity management is in place.
Just as major customers have insisted that their suppliers have quality and project management processes in place they are now demanding that BCM be established to ensure continuity of supply. This is driven by their own need to achieve Turnbull compliance but also the need to maintain their market share. For some industries the supply chain is very complex, more akin to a complex supply web. The need for uniform controls across the supply network was highlighted by the UK fuel crisis of last year and the UK government is now sponsoring research to identify the vulnerabilities and to establish mechanisms which can be used to prevent future failures.
The speed of business has changed and there is very often little time to allow a gradual recovery. The emergence of e-commerce and the lack of loyalty amongst customers has changed the need for recovery to one of availability. Organisations for whom this is key have to ensure that their services are available 24x7x365. The BCM process includes an assessment on availability and how the BC plan should be structured to meet customers expectations.
An internal survey carried out by a global financial company over the past three years has found a changing view of why BCM is important. Initially the need was to ensure compliance with regulatory requirements; it then changed to one of protecting their customer's interests. Today it is about ensuring that corporate value is maintained. Without that value, underpinned by the confidence of their investors, the company would be vulnerable in their highly competitive market.
If organisations are to implement BCM they need to build on what is already in place. It is essential that the Board of the organisation gets fully behind the principles and practice of BCM. Without their commitment it will not be possible to get the degree of focus and enthusiasm from the organisation. However middle managers have become increasingly frustrated as new initiatives are adopted at the top and cascaded through the organisation. It is essential therefore to 'sell' the importance and build on what is already in place across the various functions.
Risk Management has been practised within organisations for many years, initially focused from an insurance viewpoint but increasingly covering the operational activities of the business. Detailed risk assessments will have already been undertaken in many areas. Some of the skills and techniques required to develop the BC plan will exist in this function.
Large organisations will have a PR department who have established good working relationships with the media. They have the ability to manage the media communications at the time of crisis. Working in conjunction with the HR department, communications can be used to keep the employees informed at the time of crisis. Customers and suppliers also have to be kept informed which involves the marketing and purchasing functions.
Disaster recovery has traditionally been the prerogative of the IT departments. They will have considerable experience in the development of IT contingency plans and testing processes. There is a need to ensure that the plans developed by these departments are focussed on the business needs and not driven by technology requirements. With the increased use of e-commerce the IT department has a vital role to play in the protection of the systems on which the organisations 'public image' is displayed. The loss of a key website for an e-banking operation brings instant condemnation from the press. If IT has been outsourced it is essential that BCM been built into the contract?
Some businesses have managers whose responsibilities cover the emergency management of dangerous processes (oil & chemical industries) or the maintenance of essential services (public utilities) at the time of disaster. They will already have plans to deal with major incidents but not always how to re-build the business. It is essential that they are included in the BCM process as their actions at the time of an incident can affect the subsequent speedy restoration of business.
There is also a group of emergency planners working in local authorities, who can provide an essential source of information for the BCM manager. It is vital to know what actions the 'blue light' services and the local authorities will take to contain any wide spread emergency, actions which could also affect the organisation's ability to continue its business.
Security of the organisation, its people and knowledge is often vested in a separate department or even outsourced. In the financial sector the security function is responsible for preventing fraud and may also have to protect the IT systems from external hacking. This can conflict with the role of the IT department.
Facilities managers have to ensure that the premises and basic office requirements of the business are maintained. Often they have responsibility for the principle interface to the outside world; the telephone system. Without the essential supplies and communications the business will not be able to operate. Under health and safety rules a building could be closed because of the lack of water supplies or adequate sanitation. Their recovery plans should be integrated into the overall BCM plan.
The logistics/supplies department have considerable experience is overcoming regular difficulties which threaten to disrupt the normal operations of the business. For some industries their expertise is vital, to stop a production line in a major assembly plant can be very expensive. They have a role to help spread good BCM down through the supply network to ensure the continuity of the business.
The human resource department has a key role; people are vital to the organisation. It is disturbing to find that in many organisations this part of BCM is overlooked. If it is essential to move to a back-up site what arrangements are being made for the staff? If there is a major incident which causes loss of life and serious injury, have arrangements been made for trauma counselling to be available to those in need? What arrangements are being made to ensure that the knowledge contained in the employee's minds is protected? Perhaps there is a policy of succession planning in place but is it integrated into the overall business continuity plan?
All these departments have a role to play in the overall BCM process yet in most organisations their actions are not co-ordinated. The Board of an organisation can assist this process by appointing a BCM Champion at senior level whose role it is to draw together, under a matrix team approach, representatives from the various functions, together with key line of business heads, to ensure a co-ordinated approach to BCM.
This builds on what has already been done and ensures that a 'buy in' is achieved throughout the organisation. By following this approach and regularly rehearsing the plan the organisation is prepared. When a crisis hits the organisation everyone knows what to do and a smooth invocation of the plan takes place ensuring that business interruption is minimised.
There is help available to enable organisations to establish BCM. This is in the form of The Business Guide to Continuity Management. Details can be obtained from the BCI website at www.thebci.org
*.The Impact of Catastrophes on Shareholder Value - Rory F Knight & Deborah J. Pretty, Templeton College Oxford - 1997
Chief Executive Officer
The Business Continuity Institute
John Sharp was appointed as the Chief Executive Officer of the Business Continuity Institute in August 1997. He is responsible for delivering services to members through-out the world and working with all facets of industry, commerce and government to enhance the understanding and commitment to business continuity as a key management discipline. In the last 4 years John has been speaking at and chairing Business Continuity Conferences in the UK and abroad.
Business Continuity Institute
The BCI promotes the highest standards of professional competence and commercial ethics in the provision, maintenance and services for Business Continuity Management (BCM). It provides an internationally recognised Certification scheme for BCM managers and practitioners. The BCI Professional Recognition Programme creates a benchmark for the assessment of best practice in the field.
There are now over 1100 members of the Institute working in 31 countries across the world. Members are drawn from all sectors including Finance, Government, Health, Transport, Retail and Manufacturing.
For further information contact the Institute on +44 (0)870 603 8783
|Home | About Us | Search | FAQ | Contact Us|