C-Level business continuity imperative

By Chris Alvord and Frank Shultz, COOP Systems

“Global 1000 companies have forecast a 40% chance of a catastrophe to their business in a five year period, losing more than 30 percent of its market value”
-European Business Forum, Rory Knight and Deborah Pretty, December 22, 2007, page 8

Despite a series of recent highly publicized, wide-scale disasters and disruptions most large firms are not prepared for a disaster. This article explores why C-level management should prioritize business continuity.

Standards
Consider 9/11, N1H1 pandemic, Madrid and London train bombings, Tsunami, Northeastern U.S. blackout, European flooding, and Hurricanes Katrina and Rita. It's not if an organization will be hit with a disaster. It's when and how large it will be. Organizations should be prepared for a variety of disruptions. The proven method to address this is with a Business Continuity Management (BCM) program, a widely practiced professional discipline with excellent results. Standards are managed by a number of international organizations, including the Disaster Recovery Institute International (DRII) based in the U.S. and Business Continuity Institution (BCI) in London.

Increasingly, institutions care deeply about the larger subject of enterprise risk management (ERM). For example, Gartner Group research in late 2006 showed an expanding investment in software in this emerging area, with revenue forecast to grow 24% annually through 2010 to $855 million[1].

Organizations are learning that BCM is key to a successful ERM program, categorized by Forrester Research as (a) legal and regulatory, (b) strategic, (c) financial and (d) operational. BCM mitigates operational risk in areas they define such as information technology, people, processes, business relationships, physical assets, sales, marketing, supply chain, business interruption, health & safety, and fraud.

A standard definition for BCM is a holistic management process for the following activities:

• Identifying potential impacts that threaten an organization.
• Providing a framework for institutional resilience with capability for an effective response.
• Safeguarding interests of stakeholders, reputation, brand and value-creating activities.
• Managing recovery or continuity in the event of a disaster.
• Managing an overall program through training, rehearsals and reviews to ensure plans stay current[2].

Certified professionals, consultancies and solution providers are numerous throughout the world, with demonstrated abilities to protect the interests of their institutions and clients. Large numbers of organizations understand and invest in significant BCM programs, as is demonstrated at numerous conferences and symposiums.

Business Benefits

The benefit of a BCM program is avoidance of significant risk through cost-effective, sound, operational risk mitigation steps. The benefit can be identified both subjectively and numerically.

Numerous audit requirements make BCM compliance logical and obvious. Business continuity insurance needed by large organizations generally requires these programs. Listed companies in many countries now are required to show evidence of plans to pass their audit. Many industries also have special requirements, e.g., Gramm-Leach-Bliley and HIPPA in the United States.

Numbers are compelling. Research by Pretty & Knight[3] has identified the consequences. Global 1000 companies have forecast a 40% chance of a catastrophe to their business in a five year period, losing more than 30 percent of its market value. Senior management must understand it is highly likely their company will eventually experience rapid loss of share value due to a catastrophe. Pretty and Knight research also shows prepared firms recover much more quickly[4].

Examples
Hurricanes Katrina and Rita in 2005 caused $125 billion in economic damage across the Gulf States with insurance claims totaling over $60 billion.[5] The Asia Tsunami of 2004[6] killed over 280,000 people in towns and villages along the Indian Ocean, with over 3 million survivors' livelihoods destroyed. H1N1, or swine flu, has generated loses in the billions across multiple countries, with organizations such as Delta Airlines forecasting losses as much as $250 mil in second quarter revenue for 2009[7].

Understandably, detailed examples of company losses are not often publicized. An exception shows how a mundane event can cause catastrophic loss. Although a minor fire caused little damage at a Phillips microchip plant in New Mexico in 2000[8], the consequences triggered an unforeseen but serious disruption in supply. One of Phillips' two customers using parts produced at this facility, Nokia, was prepared. They quickly mobilized alternate global suppliers. The other key customer, Ericcson, was not prepared. They incurred more than $400 million in losses and left the handset manufacturing business a year later. Although other events could have caused this supply chain catastrophe for Ericcson, a solid BCM program in place would have avoided this sole source vulnerability.

Steps to Take
So what should senior management do?

First, a BCM program needs strong management support. One-off BCM projects are inadequate due to constantly changing information. Reorganizations, divestitures, and acquisitions can cause breakdowns in dependencies between organizational units. Exercises surface problems requiring long-term improvement. Outside experts' work ages rapidly. For large organizations, software specific to BCM programs is a necessity to manage dependencies, changing data, and international scope (e.g., languages, currencies, etc.) for comprehensive effort.

Second, ERM programs should own the BCM process. In the early history of BCM, the focus was on IT-related disaster recovery (DR) programs, reporting to the CIO. Although IT has remained a significant factor in a successful recovery strategy, other enterprise elements are now recognized as key, e.g., people, suppliers, facilities, etc. ERM programs are now the preferred approach to manage cross-cutting risk issues on a large, enterprise scale. They are better able to deal with BCM programs and accountability to senior management.

Third, management needs to invest commensurate with the high stakes involved. BCM programs frequently lack funds and staff, becoming the victim of the ebbs and flows of budget cuts, people changes, and management whims. Only with sufficient ongoing resources will a program be successful and a company be resilient enough to survive when disaster strikes.

Background of Authors

Chris Alvord is CEO and Founder of COOP Systems, a worldwide BCM software supplier. He has CBCP certification from DRII and has taught hundreds of students as an Adjunct Professor and NYU, USDA Graduate School and for DRII. His education includes a BA with Honors from Harvard College, MBA from Harvard Business School, and doctoral course work at Virginia Tech.

Frank Shultz is a Senior Analyst at COOP Systems after holding a number of senior positions at Strohl Systems, with deep experience in business continuity training, systems implementation and product management. He received dual BA degrees from Syracuse University in 2002, where he graduated Summa Cum Laude.

References:

[1] www.gartner.com/it/content/498300/498334/risk_research.pdf, October 20, 2007.

[2] www.drj.com/glossary/drjglossary.html#b, October 20, 2007.

[3] European Business Forum, Rory Knight and Deborah Pretty, December 22, 2007, page 8.

[4] The Impact of Catastrophes on Shareholder Value, Rory Knight and Deborah Pretty, 1997.

[5] www.usatoday.com/money/economy/2005-09-09-katrina-damage_x.htm, October 20, 2007

[6] www.ciolek.com/WWWVLPages/AsiaPages/Tsunami-Analyses.html, October 20, 2007.

[7] atlanta.bizjournals.com/atlanta/stories/2009/06/22/daily7.html, June 22, 2009.

[8] Spectrum, MIT, Summer 2007, page 6.