MANAGEMENT QUARTERLY January 2003 RISK – OPERATIONS

Business continuity and

No organisation can have complete control over its environment. It is therefore essential for companies to have a business continuity management (BCM) and crisis management capability, in case of crisis or . Dr David Smith outlines various approaches that can help companies prepare for a business continuity ‘event’, and explains the BCM life cycle.

In August 2002, the Financial Services Authority (FSA) expressed deep concern over the high percentage of its members who did not have a business continuity and/or crisis management capability.[1] They emphasised that a robust, effective and fit-for-purpose preparedness is essential, and complacency is unacceptable, in the face of the challenges and threats that inevitably arise in today’s business climate. This warning is reinforced by the recently published research report of the Chartered Management Institute.[2]

Business continuity management (BCM) is defined by the Business Continuity Institute (BCI) as ‘an holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities’.

The BCI’s use of the term ‘business continuity management’ rather than ‘business continuity planning’ is deliberate because ‘planning’ implies there is a start and end to the process and can lead to unwanted planning bureaucracy. BCM is, by necessity, a dynamic, proactive and ongoing process. It must be kept up-to-date and fit-for-purpose to be effective.

The key objectives of an effective BCM strategy should be to:

- ensure the safety of staff;
- maximise the defence of the organisation’s reputation and brand image;
- minimise the impact of business continuity events (including crises) on customers/clients;
- limit/prevent impact beyond the organisation;
- demonstrate effective and efficient governance to the media, markets and stakeholders;
- protect the organisation’s assets; and
- meet , legal and regulatory requirements.

[Pull quote: Most organisations face a business continuity ‘event’ at some point]

However, BCM is not only about disaster recovery. It should be a business-owned and driven process that unifies a broad spectrum of management disciplines (see Figure 1 on page 28). In particular, it is not just about IT disaster recovery. Too many organisations tend to focus all their efforts on IT because of its mission-critical nature, leaving themselves exposed on many other fronts.

Because of its all-embracing nature, the way BCM is carried out will inevitably be dependent upon, and must reflect, the nature, scale and complexity of an organisation’s risk profile, risk appetite and the environment in which it operates. Inevitably, too, BCM has close links to and corporate governance strategies. The importance of a holistic approach across these areas was reinforced in the Turnbull Report (1998).

As an organisation can never be fully in control of its business environment, it is safe to assume that all organisations will face a business continuity event at some point. Although this simple reality has been etched in high-profile names such as Bhopal, Piper-Alpha, Perrier, Barings Bank, Challenger, Herald of Free Enterprise, Coca Cola, Exxon-Valdez, Railtrack, the Canary Wharf bombing, Enron, Anderson, Marconi, Landrover and the World Centre, experience also teaches that it is the less dramatic but more

FACULTY OF FINANCE AND MANAGEMENT

Figure 2 The unifying process

BUSINESS CONTINUITY MANAGEMENT: Security; Communications and PR; Crisis management; Environmental management; Facilities management; IT disaster recovery; Risk management; Health and safety

frequent business continuity events that can be even more problematic to deal with. Unfortunately, it seems that many public and private organisations still think, ‘it will not happen to us’.

Changing the corporate culture

Ignoring business continuity issues can happen for a number of reasons, ranging from denial through disavowal to rationalisation. A process of ‘group think’ can develop whereby an organisation genuinely starts to believe that their size, or some other feature, makes them immune to disaster. Or executives may firmly believe that insurance will cover them, without realising that insurance cannot indemnify against lost market share, loss of reputation or tarnished brands.

[Pull quote: Many organisations believe it will not happen to them.]

Research shows that crisis-prone organisations tend to exhibit these tendencies seven times more often than crisis-prepared organisations.[3] Whilst all individuals may make use of such defence mechanisms from time-to-time, the key difference is the degree, extent and frequency with which they are used.

Changing such mindsets is not easy, and blindly implementing so-called ‘best practice’ business continuity techniques is not the best approach. As all organisations are different, techniques which work in one organisation will not necessarily work in another. Most executives tasked with addressing business continuity issues are keen to achieve quick wins, and the ‘tick box’ audit approach, which tries to copy successful strategies used elsewhere, is often adopted without consideration as to suitability.

Underlying the ‘tick box’ approach is the persuasive belief that a structure, policy, framework and plan is all that is required. Whilst these are critical enablers, relying on structure alone tends to overlook the key issue – that it is people who actually deal with business continuity and crises.

In this context, it is worth remembering (and reminding all senior executives) that ‘managerial ignorance’ is no longer an acceptable legal or moral defence if a crisis is handled badly. All managers should consider the following key questions that are likely to be asked in a subsequent inquiry:

- when did you know there was a problem?
- what did you do about it?
- if you didn’t do anything, why not?


- if you didn’t know there was a problem, why not?
- what would you have done if you had known such a problem could exist?

Avoiding planning bureaucracy

There is no doubt that some sort of business continuity plan is essential. The plan becomes a source of reference at the time of a business continuity event or crisis, and the blueprint upon which the strategy and tactics of dealing with the event/crisis are designed. In particular, it can provide essential guidance on damage limitation in those short windows of opportunity which often occur at the beginning of a crisis.

[Pull quote: Some sort of continuity plan is essential]

Unfortunately, reputations and trust that have been built up over decades can be destroyed within minutes unless vigorously defended at a time when the speed and scale of events can overwhelm the normal operational and management systems.

A further and critical reason for having a planning process is so that the individuals who are required to implement the plan can rehearse and test what they might do in different situations. Scenario planning exercises are a very helpful technique for destruct-testing different strategies and plans.

Having said this, it is simply not possible to plan for every eventuality, and if you try to, there is a great danger of creating ‘emergency’ manuals that are simply too heavy to lift. A trade-off needs to be achieved between creating an effective fit-for-purpose capability and relying on untrained and untried individuals and hoping they will cope in an emergency.

The spanning of the gap between the plan and those who carry it out can be achieved by either formal tuition and/or simulations. The well-known maxim that a team is only as strong as its weakest link is worth remembering here.

[Pull quote: Scenario planning exercises are helpful in destruct-testing strategies and plans]

The exercising of plans, rehearsing of team members and testing of solutions, systems and facilities are the elements that provide and prove an effective and fit-for-purpose capability. However, simulations are not easy to devise, and because of this, many organisations do not venture beyond the development of a plan. They are, nevertheless the best way to avoid planning bureaucracy.

Using good practice guidelines – a different approach

Because of the caveats listed earlier, the BCI’s ‘Business continuity management good practice guidelines’ are not intended to be a restrictive, exhaustive or definitive process to cover every eventuality within BCM. Instead, they set out to establish the generic process, principles and terminology; describe the activities and outcomes involved; and provide evaluation techniques and criteria.

These guidelines draw together the collective experience, knowledge and expertise of many leading professional members and fellows of the BCI and other authoritative professional organisations. In particular, the guidelines reflect the following BCM principles:

- BCM and crisis management are an integral part of ;
- BCM activities must match, focus upon and directly support the business strategy and goals of the organisation;
- BCM must provide organisational resilience to optimise product and service availability;
- as a value based management process BCM must optimise cost efficiencies;
- BCM is a business management process that is undertaken because it adds value rather than because of governance or regulatory considerations;
- the component parts of an organisation own their business risk;
- the management of the business risk is based upon their individual and aggregated organisational risk appetite;
- the organisation and its component parts must be accountable and responsible for maintaining an effective, up-to-date and fit-for-purpose BCM competence and capability;
- all BCM strategies, plans and solutions must be business owned and driven;
- all BCM strategies, plans and solutions must be based upon the business mission critical activities, their dependencies and single points of failure identified by a business impact analysis;
- all business impact analysis must be conducted in respect of business products and services in an end-to-end production context;
- there must be an agreed and published organisation policy, strategy, framework and exercising guidelines for BCM and crisis management;
- the organisation and its component parts must implement and maintain a robust


exercising, rehearsal and testing programme to ensure that the business continuity capability is effective, up-to-date and fit-for-purpose;
- the relevant legal and regulatory requirements for BCM must be clearly defined and understood before undertaking a BCM programme;
- the organisation and its component parts must recognise and acknowledge that reputation, brand image, market share and risk cannot be transferred or removed by internal sourcing and/or outsourcing;
- BCM implications must be considered at all stages of the development of new business operations, products, services and organisational infrastructure projects;
- BCM implications must be considered as an essential part of the business process;
- the competency of BCM practitioners should be based and benchmarked against the 10 professional competency standards of the BCI;
- all third parties including joint venture companies and service providers, upon whom an organisation is critically dependent for the provision of products, services, support or data, must be required to demonstrate an effective, proven and fit-for-purpose BCM capability; and
- the standard terms and conditions of any outsourced and/or internal sourcing of products, services, support or data should reflect these good practice guidelines.

The structure and format of the guidelines is based upon the most frequently asked questions in relation to BCM, which are listed in Figure 2 (below).

Figure 2 BCM questions

GUIDELINE COMPONENT HEADING: MOST FREQUENTLY ASKED QUESTIONS
PURPOSE: Why do we need to do it?
OUTCOMES: What will it achieve?
COMPONENTS: What do we need to do to it? What does it consist of? (ingredients)
METHODOLOGIES AND TECHNIQUES: What are the tools we need to do it?
PROCESS: How is it done? How do we do it?
FREQUENCY AND TRIGGERS: When should it be done?
PARTICIPANTS: Who does it? Who should be involved?
DELIVERABLES: What is the output?
‘GOOD PRACTICE’ EVALUATION CRITERIA: How do we know if we have got it right?

The BCM life cycle

The BCI principles and frequently asked questions have been drawn together to create the BCM life cycle (see Figure 3, opposite), an interactive process tool to guide the implementation of an effective BCM process. The six stages of the life cycle in more detail are set out in Figure 4 (opposite).

[Pull quote: The BCM life cycle has been created as an interactive process tool]

The guidelines have been used to generate a tool for evaluating the BCM process, which takes the form of a spreadsheet current state assessment (benchmark) workbook (see Figure 5, on page 32). The workbook enables and facilitates good practice compliance evaluation, current state assessment gap analysis, assurance and benchmarking (process and performance).

Each organisation needs to assess how to apply the ‘good practice’, contained within the guidelines, to their own organisation. They must ensure that their BCM competence and capability meets the nature, scale and complexity of their business, and reflects their individual culture and operating environment.

Crisis management

The key elements of a crisis management framework are slightly different to the BCM lifecycle, and include those set out in Figure 6 (page 32), but the list should not be seen as restrictive or exhaustive. There are many advantages to adopting a modular approach to a crisis or business continuity situation, not least that it can be easily and quickly modified to suit local, national as well as global requirements.

However, in managing any event it is critical to recognise that a successful outcome is judged by both the technical response, and the perceived competence and capability of the management in delivering the business response. The stakeholder perception should be seen as the critical success factor with an equal, if not more urgent priority over the


Figure 3 The business continuity management life cycle

[Diagram: a numbered cycle around BCM. 1 Understanding your business; 2 Business continuity strategies; 3 Develop and implement a BCM response; 4 Building and embedding BCM culture; 5 Exercising, maintenance and audit; 6 Programme management]

Figure 4 The six stages of the life cycle in more detail

1 UNDERSTANDING YOUR BUSINESS
- Business impact analysis.
- Risk assessment and control.

2 BCM STRATEGIES
- Organisation (corporate) BCM strategy.
- Process level BCM strategy.
- Resource recovery BCM strategy.

3 DEVELOPING AND IMPLEMENTING A BCM RESPONSE
- Plans and planning.
- External bodies and organisations.
- Crisis/BCM event/incident management.
- Sourcing (intra-organisation and/or outsourcing providers).
- Emergency response and operations.
- Communications.
- and the media.

4 BUILDING AND EMBEDDING A BCM CULTURE
- An ongoing programme of education, awareness and training.

5 EXERCISING, MAINTENANCE AND AUDIT
- Exercising of BCM plans.
- Rehearsal of staff, BCM teams.
- Testing of technology and BCM systems.
- BCM maintenance.
- BCM audit.

6 THE BCM PROGRAMME
- Board commitment and proactive participation.
- Organisation (corporate) BCM strategy.
- BCM policy.
- BCM framework.
- Roles, accountability, responsibility and authority.
- Finance.
- Resources.
- Assurance.
- Audit.
- Management information system (MIS): metrics/scorecard/benchmark.
- Compliance: legal/regulatory issues.
- Change management.


Figure 5 The BCM process

STAGE 1: UNDERSTANDING YOUR BUSINESS (maturity level 1)
- Organisation strategy / Operational and business objectives
- Critical business factors (Mission critical activities)
- Business outputs and deliverables (Services and products)

STAGE 2: BUSINESS CONTINUITY MANAGEMENT STRATEGIES (maturity level 2)
- Organisation (corporate) BCM strategy
- Process level BCM strategy
- Resource recovery BCM strategy

STAGE 3: BUSINESS CONTINUITY SOLUTIONS AND PLANS (maturity level 3)
- Crisis management plan
- Business continuity plans
- Resource recovery solutions and plans

STAGE 4: BUILDING AND EMBEDDING A BCM CULTURE (maturity level 4)
- BCM culture and awareness programme
- Education and culture building activities
- BCM training programme

STAGE 5: EXERCISING, MAINTENANCE AND AUDIT OF BCM (maturity level 5)
- Exercising of BCM
- Maintenance of BCM
- Audit of BCM

STAGE 6: BCM PROGRAMME MANAGEMENT (maturity level 6)
- BCM programme management
- BCM policy
- BCM assurance

technical solution. Consequently, the acid test is to convincingly demonstrate an effective and fit-for-purpose business continuity and crisis management capability, and to continue business as usual. This is in contrast to the more familiar pattern of a fall and recovery of a business, which is more representative of the outdated disaster recovery and business resumption approaches.

Figure 6 Crisis management

BUSINESS RISK CONTROL
- Monitoring.
- Prevention.
- Planning and preparation.
- Crisis identification.

ASSESSMENT
- Crisis evaluation (including an evaluation criteria).

INVOCATION AND ESCALATION

MANAGEMENT AND RECOVERY

CLOSURE AND REVIEW
- Formal closure.
- Ongoing issues, eg investigation and litigation.
- Post crisis review and report.

IMPROVEMENT
- Implementation of approved post crisis review report recommendations.

Conclusions

An organisation consists of people, and people at the top who give a cultural lead. As a consequence, business continuity and crisis management are not solely a set of tools, techniques and mechanisms to be implemented in an organisation. They should reflect a more general mood, attitude and type of action taken by managers and staff.

Individual personalities play a crucial and critical role. It is the human factor that is frequently underestimated in BCM. This is of particular importance because the examination of the cause of business continuity events


and crises usually identifies several warning signals that were ignored or not recognised. The key to a successful crisis and BCM capability is to adopt an holistic approach to validate each of the key building blocks of the BCM life cycle and process.

[Pull quote: People are the key to successful BCM]

The first task is always to identify the right people who are not bounded as individuals or within the corporate culture. It is on these criteria that the success or failure of creating an effective and fit-for-purpose BCM capability will be determined. Having identified the right people, they should engage in the BCM planning process using the BCI Good Practice Guidelines and training via the exercise simulations of plans, rehearsal of people/teams and testing of systems, processes, technology, structures and communications.

The organisation can assist this process by appointing a BCM ‘champion’ at a senior level whose role is to draw together, under a matrix team approach, representatives from the various organisation functions eg human resources, together with key line of business heads to ensure a co-ordinated approach. The key advantage of this approach is that it builds on what already exists and has been done thereby enabling a ‘virtual capability’ that provides cost efficiency. A further benefit is that it ensures ‘buy-in’ throughout the organisation.

In adopting this methodology and regularly exercising, rehearsing and testing the organisation maintains an effective up-to-date and fit-for-purpose BCM and crisis management capability. When a crisis hits the organisation everyone knows what to do and a smooth invocation of the plan takes place ensuring that the impact on mission critical activities is

Further reading and references

Whilst the guidelines are predominantly designed for the BCM practitioner the following publications are strongly recommended as introductory reading by directors and senior managers of all organisations:

- ‘Communicating out of a crisis’, Bland, M, Macmillan Press Ltd, London (1998) (ISBN 0-333-72097-0)
- ‘Getting Started’, Business Continuity Institute, BCI, Worcester (2001)
- ‘BCM: A strategy for business survival’, Business Continuity Institute, BCI, Worcester (2002)
- ‘An introduction to BCM’, Central Computer and Telecommunications Agency, HMSO, London (1995) (ISBN 0-11-330669-5)
- ‘A risk focused review of outsourcing in the UK retail banking sector’, Financial Services Authority, London (2001)
- ‘How resilient is your business to disaster’, Home Office, HMSO, London (1996)
- ‘Heeding the lessons of 9/11’, Honour, D, International Journal of BCM (2001), Vol 2, Issue 1, p13-17
- ‘Business continuity’, Institute of Directors, Director Publications Limited, London (2000) (ISBN 0-7494-3563-1)
- ‘The impact of catastrophes on shareholder value’, Knight, RF and Pretty, DJ, Oxford Executive Research Briefings, Templeton, College (2000)
- ‘Major incident procedure manual’, London Emergency Services Liaison Panel, (5th Edition) Metropolitan Police, London (1999)
- ‘Wider than IT’, Leather, G, Continuity (2001), Vol 5, Issue 1, p4-5
- ‘Crisis Management : A diagnostic guide for improving your organisation crisis preparedness’, Mitroff, II and Pearson, CM, Jossey-Bass, San Francisco (1993) (ISBN 1-55542-563-1)
- ‘BCM – preventing chaos in a disaster’, Power, P, Department of Trade and Industry, London (1999)

The following video should also be considered as introductory viewing by all managers and staff within an organisation:

- ‘Back to business: planning ahead for the unexpected’, Business Continuity Institute (2001).

References

1. ‘FSA working paper on Business Continuity management’, Financial Services Authority, London (2002)
2. ‘Business continuity and supply chain management’, Chartered Management Institute (2002).
3. ‘Transforming a crisis-prone organisation’, Pauchant, TC and Mitroff II (1992), Jossey-Bass, San Francisco.
