28 Sep 2009
It’s not if an organisation will be hit with a disaster. It’s when and how large it will be. Organisations should be prepared for a variety of disruptions. The proven method to address this is with a business continuity management (BCM) programme, a widely practiced professional discipline with excellent results. Standards are managed by a number of international organisations, including the Disaster Recovery Institute International (DRII), based in the US and the Business Continuity Institution (BCI) in London.
Increasingly, institutions care deeply about the larger subject of enterprise risk management (ERM). For example, Gartner Group research in late 2006 showed an expanding investment in software in this emerging area, with revenue forecast to grow 24 percent annually through 2010 to $855 million.
Organisations are learning that BCM is key to a successful ERM programme. Forrester Research categorises the risks ERM covers as (a) legal and regulatory, (b) strategic, (c) financial and (d) operational. BCM mitigates operational risk in areas they define such as information technology, people, processes, business relationships, physical assets, sales, marketing, supply chain, business interruption, health and safety, and fraud.
A standard definition for BCM is a holistic management process for the following activities:
- Identifying potential impacts that threaten an organisation.
- Providing a framework for institutional resilience with capability for an effective response.
- Safeguarding interests of stakeholders, reputation, brand and value-creating activities.
- Managing recovery or continuity in the event of a disaster.
- Managing an overall programme through training, rehearsals and reviews to ensure plans stay current.
Certified professionals, consultancies and solution providers are numerous throughout the world, with demonstrated abilities to protect the interests of their institutions and clients. Large numbers of organisations understand and invest in significant BCM programmes, as is demonstrated at numerous conferences and symposiums.
The benefit of a BCM programme is avoidance of significant risk through cost-effective, sound, operational risk mitigation steps. The benefit can be identified both subjectively and numerically.
Numerous audit requirements make BCM compliance logical and obvious. Business continuity insurance needed by large organisations generally requires these programmes. Listed companies in many countries now are required to show evidence of plans to pass their audit. Many industries also have special requirements, e.g., Gramm-Leach-Bliley and HIPAA in the United States.
The numbers are compelling. Research by Pretty and Knight has identified the consequences. Global 1000 companies have forecast a 40 percent chance of a catastrophe to their business in a five-year period, losing more than 30 percent of their market value. Senior management must understand it is highly likely their company will eventually experience rapid loss of share value due to a catastrophe. Pretty and Knight’s research also shows prepared firms recover much more quickly.
In 2005, hurricanes Katrina and Rita caused $125 billion in economic damage across the Gulf States with insurance claims totalling over $60 billion. The Asia Tsunami of 2004 killed over 280,000 people in towns and villages along the Indian Ocean, with over three million survivors’ livelihoods destroyed. H1N1, or swine flu, has generated losses in the billions across multiple countries, with organisations such as Delta Airlines forecasting losses as much as $250 million in second quarter revenue for 2009.
Understandably, detailed examples of company losses are not often publicised. An exception shows how a mundane event can cause catastrophic loss. Although a minor fire caused little damage at a Philips microchip plant in New Mexico in 2000, the consequences triggered an unforeseen but serious disruption in supply. One of Philips’ two customers using parts produced at this facility – Nokia – was prepared. They quickly mobilised alternate global suppliers. The other key customer – Ericsson – was not prepared. They incurred more than $400 million in losses, and left the handset manufacturing business a year later. Although other events could have caused this supply chain catastrophe for Ericsson, a solid BCM programme in place would have avoided this sole-source vulnerability.
Steps to take
So what should senior management do? First, a BCM programme needs strong management support. One-off BCM projects are inadequate due to constantly changing information. Reorganisations, divestitures, and acquisitions can cause breakdowns in dependencies between organisational units. Exercises surface problems requiring long-term improvement. Outside experts’ work ages rapidly. For large organisations, software specific to BCM programmes is a necessity to manage dependencies, changing data, and international scope (e.g., languages, currencies, etc.) for a comprehensive effort.
Second, ERM programmes should own the BCM process. In the early history of BCM, the focus was on IT-related disaster recovery (DR) programmes, reporting to the CIO. Although IT has remained a significant factor in a successful recovery strategy, other enterprise elements are now recognised as key, e.g., people, suppliers, facilities, etc. ERM programmes are now the preferred approach to manage cross-cutting risk issues on a large, enterprise scale. They are better able to deal with BCM programmes and accountability to senior management.
Third, management needs to invest commensurate with the high stakes involved. BCM programmes frequently lack funds and staff, becoming the victim of the ebbs and flows of budget cuts, people changes, and management whims. Only with sufficient ongoing resources will a programme be successful and a company be resilient enough to survive when disaster
Background of the authors
Chris Alvord is CEO and Founder of COOP Systems, a worldwide BCM software supplier. He has CBCP certification from DRII and has taught hundreds of students as an Adjunct Professor at NYU, USDA Graduate School and for DRII. His education includes a BA with Honours from Harvard College, MBA from Harvard Business School, and doctoral course work at Virginia Tech.
Frank Shultz is a Senior Analyst at COOP Systems with deep experience designing and implementing enterprise software systems. He has a strong background in BCM interface design, product management and training. He received dual BA degrees from Syracuse University in 2002, where he graduated Summa Cum Laude.