New Danger

The recent troubles in the financial markets offer a fresh perspective on business continuity management, says Lyndon Bird, Technical Director of The Business Continuity Institute.

“It is everything to do with BCM if an ‘out of the ordinary’ event triggers a situation in which an organization cannot meet its primary business mission”
-Lyndon Bird

In the second half of 2007, the world woke up to a whole new set of rules. The ‘easy’ decade was over and credit crunch became the word on everyone’s lips. Terms hitherto the exclusive property of the financial world were suddenly in common currency. Following the crash in the US sub-prime mortgage sector, we began realising that things we had never heard about were impacting our lives, business and personal finances. We were all soon familiar with such esoteric concepts as LIBOR rates, lenders of last resort, securitization, K adequacy and systemic risk. We quickly learned that the interplay of these factors resulted in a shortfall of cash availability globally. Commercial banks were sitting on their funds and governments, regulators and central banks were almost powerless to influence them. Without liquidity in capital markets, many businesses big and small suffered badly and not all survived.

Whilst thinking about this, I pondered on how many financial executives would consider such things to be a business continuity issue at all. I would guess very few. So why is this type of crisis not yet seen as a concern of Business Continuity Management (BCM), whereas losses resulting from computer failures, pandemics or terrorist attacks are?

I can only conclude that this is due to the traditional distinction between legitimate business risk and operational risk. To most executives, taking business risks is a good thing. Although excessive exposures need to be hedged and closely monitored by middle offices procedures, the whole point of them is to make profits. Although recent events in France suggest that controls could be better at times, no one suggests you can run a successful investment bank without taking managed risks.

On the other hand operational risk is about avoiding problems and is always seen as a cost. Either you spend money to reduce the risk or you have much greater costs if the risk is realised and you haven’t. In other words it is a sort of insurance, a drain on the bottom line, not a potential profit generator.

I am firmly on the side of those who claim BCM does not cover normal commercial problems. It is certainly nothing to do with BCM if your products are uncompetitive or your management is uninspiring. However it is everything to do with BCM if an ‘out of the ordinary’ event triggers a situation in which an organization cannot meet its primary business mission. If I am a mortgage broker, surely lack of available mortgages in the market is a bigger threat to my business than loss of a computer system or head office building.

An example from the UK serves to illustrate my point. Northern Rock, a reasonable sized domestic bank specializing in providing private mortgages, finds that its lending policies unsustainable as sources of credit dry up. News of this triggers a run on the bank, during which the UK government has to make guarantees to deposit holders and ultimately nationalize the bank to save it from administration.

If this were a BCM area of concern many things would have been in place. Single points of failure would have been identified (limited sources of funding), operational resilience would have been implemented (more diverse and less risky trading activities) and a clear recovery strategy developed and staff trained should the threat be realised. This would not have changed the global financial reality in which this happened, but it would have given the bank, its employees, and its shareholders a much better chance of surviving reasonably intact.

Many organizations either do not have a full-time BCM function in place or, if they do it is well hidden in some specialist area like IT or Risk Management. Yet surely no one would disagree that the decisions covered by these questions are the most critical, far-reaching and business threatening if they go wrong. In other words they put your Business Continuity at risk much more than loss of an office block, a data center or even critical personnel. They can ruin your reputation, market share and credibility overnight. So the conclusion is that most companies use Business Continuity to protect against operational problems, but not to provide input to strategic decisions.

Many board members might choose to ignore the views of the BCM professional, assuming they will be risk averse and non commercial in their thinking. It is easy to see why this might happen. BCM traditionally looks to eliminate single points of failure, to spread activities around so as to improve resilience and have adequate resources to deal with unexpected contingencies. This is not a message likely to be popular with many managers, increasingly eager to embrace business partnerships and single sourcing, larger and larger fully automated distribution centers and just in time delivery. This perception only occurs because business continuity managers are generally not operating at the correct level. If they are part of the senior management team with clear strategic responsibilities for inputting to and ultimately implementing board policy then their vision has to be wider. Your current BC Manager might not be viewed as of the right caliber to make this step up, but that is only because you probably have the not defined the job correctly and therefore not resourced it appropriately.

Even at a more basic level there is much that BCM can do to help reduce the risk of failure when we make strategic changes. For example, the risks involved with ‘single points of failure’ are almost entirely preventable and only occur because of lack of a good business impact analysis. Knowing your critical products, services and dependencies is vital. It is then often possible to design out the risk by changing the design or the specification. Don’t be surprised when things go wrong but make sure that your process can manage the unexpected. BCM is not really about clever technical solutions or documented procedures. It is about process reliability and continuous improvement – topics close to the heart of any serious manager.

Oddly, I am often asked about the role of BCM in managing the impact of climate change on business. BCM is traditionally about dealing with serious but unexpected incidents at a very short notice with limited available resources and confused sources of information. Climate change is anything but unexpected or unpredictable, it will take many decades for its worst consequences to happen and it has potentially the entire resources of the world to solve it. Better still, if scientists are to be believed we could take actions now that would solve the problem, or at least mitigate the impact and prevent the worst consequences happening.

However, if we accept the cliché that every problem is an opportunity, companies that provide imaginative solutions will become the successful companies of the future. Technology might have caused much of the problem, but it is only technology that can solve it. When you are talking business change on this massive scale you are also talking serious Business Continuity Management.

Lyndon Bird is Technical Services Director of The Business Continuity Institute, with primary responsibilities for BCI international developments. Bird has worked exclusively in Business Continuity since 1986 and has published nearly 150 articles on the subject and contributed major sections to a number of authoritative books. He was voted Business Continuity Consultant of the Year in 2002 at the BCI Awards and given the prestigious BCM Lifetime Award in 2004.

4 key BCM questions

1. Should all types of risk be managed consistently in an enterprise wide framework?
2. If BCM provides a solution for IT and many other operational risks, why cannot the same principles work for business, strategic or reputational risk?
3. When something unexpected happens, do you not need to have anticipated something similar and planned what you might do?
4. Why do financial firms invest hugely in training staff and exercising procedures to deal with physical disasters but ignore other crisis situations?

3 vital questions for top managers

1. When you are considering a major strategic change to your business (e.g. outsourcing, off-shoring, rationalization of locations) whom do you involve in the decision process?
2. When you are considering a major strategic change to your products and services what is the basis for your decisions and how are the risks evaluated?
3. If you have a Business Continuity Manager, where does he or she fit in the organizational structure?