New age disaster planning

In the face of global economic meltdown, Business Continuity Institute (BCI) Technical Director Lyndon Bird, asks whether Business Continuity Management (BCM) strategies will have to change?

“BCM has everything to do with understanding your business properly”
-Lyndon Bird

A senior BCM executive for one of the UK’s leading retailers has a comment he often uses when people like me try to make the subject too complex or too academic. He says BCM really should stand for “Basic Commonsense Management”. I have been reminded of this comment made by Steve Mellish, Business Continuity Manager of Sainsbury’s, many times during the past few months as horror after horror has unfolded in the world’s leading financial institutions.

I am not so naive as to believe better BCM would have prevented the financial meltdown in itself, but I wonder why basic BCM principles were not adopted by organisations as part of their risk management philosophy. The reason is, of course, must be that banks use risk management purely as a means of hedging financial risks whilst largely ignoring the context of those risks. After all, it takes very little financial expertise to understand that if money is loaned to people who have no means of paying it back and secure it against assets that have very little change of realising the amount loaned on them, there will be a problem somewhere down the line.

It also takes no great insight to understand that if you let highly intelligent but totally inexperienced mathematics graduates design a theoretical risk model that pertains to show that if you parcel up bad risk and move it around the world quickly enough it becomes safe, you might have a problem. Have top bankers, government regulators, central banks or even their political masters never played ‘pass the parcel’ or had to gently discourage their newly grown-up children when they suggest they should re-mortgage the house and gamble the proceeds on a spread betting website? Apparently not, because that is exactly what they have done in the professional lives.

Business continuity might not be as intellectually challenging as risk management or as boringly grandiose as much of the box ticking that claims to be corporate governance. However, if we believe Mr Mellish, it is doubtful if the application of basic commonsense (aka business continuity) would not have spotted these systemic problems and addressed them well before the dire financial consequences crystallised.

BCM is not a tangible commodity, so it can be difficult to understand the full benefits of the concept. To see these benefits you only need to look at examples of poor planning. In the 1993 World Trade Center bombing, out of the 350 enterprises affected 150 enterprises went out of business. Years later, after 9/11 some large businesses had learned lessons – Morgan Stanley, Cantor Fitzgerald and American Express were able to resume business quickly whilst other failed. However, what is generally forgotten about 9/11 that of all the companies affected the vast majority were small businesses relying upon the big name companies’ employees for their trade. It has been reported that of these small businesses, over 70 percent never opened again.

The same anonymous BCM global manager quoted earlier summed up an earlier attitude: “My current company is pretty enlightened in BCM terms but in one of my previous jobs at a large global investment bank, the Head of Treasury once told me not to waste his time on business continuity. Every deal we make is worth hundreds of millions. We could make or break but we know how to manage the risks. So please do not talk to me about business continuity. I know business continuity – when the building falls over, I’ll roll my dice and make a call then!” In a booming economy it is easy to think that sufficient resources are available to deal with anything that might happen. I don’t think many people assume that they can buy themselves out of trouble any more. When money is tight, you must not create situations in which unplanned large costs might suddenly occur. The best way to insure against that is to introduce proper business continuity, not pseudo-science risk models or the endless paper trails of corporate governance.