The last few months have changed so much about the way we perceive business risk. Compared to six or even three months ago, the likelihood of negative business disruptions, from process risks (reduced credit availability) to security risks (workplace violence), seems unquestionably greater. Where revenues are lagging, the impact from such disruptions has shifted from mild to severe — or, in some cases, become unsustainable. With each passing week, it seems we live in an ever more hostile and complex global business environment.
During these uncertain times, those responsible for managing business risks shoulder a heavy burden of expectations. Employees, shareholders, customers and even the general public expect the business to be up and running at all times, doing smart things to protect people and assets. And they are quick to anger if we are not.
In this belt-tightening climate, good-governance preparedness measures like crisis management and business continuity planning can bring both comfort and competitive advantage to the business — when implemented properly. Winning resources for preparedness planning has never been an easy sell, but there are quite a few strong leaders out there who, despite the economic crisis, still manage to do it. By contrast, many firms that, until recently, maintained large, mature internal business continuity programs have slashed headcount and, as a result, recovery capacity.
In the face of overwhelming pressure to cut operating costs, many business continuity programs have either failed to mount a convincing argument for their continued existence, or lacked an executive audience to which to present it.
What accounts for these divergent outcomes? The programs still standing have managed to deftly protect the corporate interests that matter most and also broadcast their value proposition in business terms for all to see. Those leading the charge have won a hard-fought struggle to become trusted advisors and strategic partners to the senior leadership team.
Relevance is key to the survival of any business effort in the current climate. “Radical relevance” in preparedness planning means not spending a dollar of corporate funds or a minute of management time unless the effort can be traced directly back to an agreed set of business-driven imperatives.
This requires bringing fresh eyes to preparedness each day as well as a healthy skepticism for programmatic inertia. It is time to approach spending on crisis management and business continuity planning with the same seriousness and rigor we apply when acquiring a competitor — either way, it is coming off the bottom line!
The Management Systems Approach to Preparedness
Let’s draw a key distinction between preparedness planning as an activity unto itself and the manner in which the firm successfully (or unsuccessfully) readies itself to perform that planning. The tactical and technical elements of good business continuity and crisis management programs are well-established; assembly instructions can be found in numerous reputable standards currently in print around the world.
What is less understood and, as a result, poorly captured in the current standards, are workable solutions for linking core business strategies and corporate preparedness efforts. Ensuring these two worlds align is one of the most valuable contributions an executive sponsor can make toward building a more resilient business.
As business management disciplines, business continuity and crisis management are still comparatively new. Knowledgeable practitioners still harbor reasonable disagreements as to the meaning of key terms, such as “disaster recovery.” But if one thing rings true, it is that implementing resilience programs in “stove-pipes,” as seen in years past, rarely achieves the desired results.
To counteract this, increasing numbers of organizations are adopting a management systems approach to resilience planning — and standards-setting committees, including ASIS Intl., are following suit. By breaking down silos and tying all planning efforts to a set of core business objectives, the management systems approach is the best solution for achieving “radical relevance” in business continuity and crisis management planning.
Nearly all businesses maintain a set of agreed, overarching strategic objectives. Usually five to ten in number, these objectives may include growth targets, quality milestones, control of new markets or the realization of envisioned products or services. The first challenge confronting the manager responsible for business continuity and crisis management is to understand the risks jeopardizing realization of these business objectives. Risk awareness — as revealed through rigorous and timely risk assessment — is essential for building relevant business continuity and crisis management programs that count for something.
Considering the immense value an enterprise risk assessment can provide, it is surprising to see how lifeless and devoid of creativity the process can become in many organizations. The executive sponsor must apply considerable energy keeping the widest set of stakeholders involved. And for the most successful organizations, risk assessment is an ongoing, living process. Just as our competitors make moves without regard for our annual strategic planning cycle, new business risks will arrive at all hours and from many directions.
Armed with a clearer understanding of business risks that threaten corporate goals, the executive sponsor must carefully scope the business continuity and crisis management planning efforts. As risk treatment activities, business continuity and crisis management fall squarely in the category of mitigating controls and stand shoulder-to-shoulder with insurance, risk acceptance and other risk management approaches. Ultimately, business continuity and crisis management scope has direct implications for relevance. Clearly, these programs should be scoped as tightly as possible to ensure maximum real preparedness per dollar spent.
Some leaders have found it useful to prepare a business resilience “strategy map” that charts key risks to corporate objectives at the highest level, mitigating business resilience programs at the middle level, and specific actions at the operational level. Maps like these are incredibly useful for demonstrating relevance — especially during budgeting — since they show a clear connection between resource allocation, action planning, and ultimately, corporate strategic aims.
Scope in hand, it is time to build (or refocus) the business continuity and crisis management programs themselves. This is where the current crop of standards, and BS2599 in particular, really shine for business continuity management. All the major continuity standards embrace a “lifecycle” approach for constructing a business continuity program, and most contain useful guidelines for practical implementation as well. Although there are subtle differences between standards in the number of steps and how they are titled, the core elements of technical best practice are unquestionably well-documented. Crisis management planning is arguably underserved in the world of standards (an oversight that is rapidly coming to an end), but has a longer history in common practice.
The build phase of any planning effort can be tackled many ways — using in-house resources, external consultants or a combination of the two. In coming months, it is likely that we may see increased demand for external vendors, given the recent cuts in in-house capacity. Quite a few newly-unemployed sole practitioners have entered the market as consultants, as well. Firms should take care to carefully vet prospective service providers to ensure they have the requisite skills, experience and business-first perspectives, as well as sufficient labor resources available to complete key tasks within agreed timeframes.
From a management systems perspective, the process of assembling business continuity and crisis management programs should flow from the strategic to the tactical. Ideally, a high-level, interdisciplinary steering committee will confirm planning strategies and provide its blessing at key lifecycle milestones. Goals should be clear. Resulting operational plans should be monitored and adjusted over time to ensure they produce the desired effects. If the planning team suspects that a component of the business continuity program is not having the desired impact, the team should take quick action to fix it (not wait until the end of the year).
When setting criteria for monitoring program effectiveness, the executive sponsor should strive to ask tough questions, including “How well have we protected corporate reputation this year?” and “What have we saved the business in terms of operational losses?” Simple dashboards and status report cards can be a gateway to bureaucratic inertia and frequently say little about the overall relevance of the business continuity or crisis management program to corporate aims.
People and Technology
In the radically relevant business continuity program, compensation becomes a powerful tool for influencing key behaviors. Executive managers should think very carefully about the compensation structure for resilience professionals. Is there a way to tie a portion of salary to demonstrable reductions in annualized loss, enhanced reputation or measurable support to other strategic goals? Ultimately, compensation can (and should) encourage managers to maintain a near real-time appreciation for business risks as they arise each day — rather than sleepwalking through a year-long program of maintenance and testing activities. The key difference here is whether a resilience professional is viewed as an essential strategic advisor to the business or a target for cost-saving cutbacks.
Recent events also remind us to critically examine the best use of technology in our business continuity and crisis management programs. Technology should enable communication, empower people and reduce complexity. There are endless creative applications for technology in resilience programs, such as: communicating strategies, gaining feedback, modeling scenarios, highlighting variances, enabling investigations, forecasting trends, summarizing data, correlating performance with objectives and more. However, many firms become trapped by the very tools acquired to simplify business continuity and crisis management planning.
At the risk of speaking heresy, executive managers seeking radical relevance should seriously re-evaluate the current role of technology in supporting what is, at its core, an inherently qualitative management activity. Are spreadsheets driving your firm’s planning methodologies? If so, it may be time to get back to basics!
Brian Kaye is National Practice Leader, Business Continuity, for Control Risks North America, a global business risk consultant. He is responsible for developing, implementing and managing business continuity solutions for Control Risks’ client base, including Fortune 100 companies. He also chairs the company’s International Business Continuity Working Group. Before joining Control Risks, Brian served as an Intelligence Analyst with the Central Intelligence Agency (CIA), specializing in terrorism.