MANAGEMENT QUARTERLY January 2003 RISK – OPERATIONS
Business continuity and crisis management
No organisation can have complete control over its business environment. It is therefore essential for companies to have a business continuity manage- ment (BCM) and crisis management capability, in case of crisis or disaster. Dr David Smith outlines various approaches that can help companies pre- pare for a business continuity ‘event’, and explains the BCM life cycle.
In August 2002, the Financial Services limit/prevent impact beyond the organisa- Authority (FSA) expressed deep concern over tion; Most the high percentage of its members who did demonstrate effective and efficient gover- organisations not have a business continuity and/or crisis nance to the media, markets and stakehold- face a management capability.1 They emphasised ers; business that a robust, effective and fit-for-purpose protect the organisation’s assets; and continuity preparedness is essential, and complacency is meet insurance, legal and regulatory ‘event’ at unacceptable, in the face of the challenges requirements. some point and threats that inevitably arise in today’s business climate. This warning is reinforced However, BCM is not only about disaster by the recently published research report of recovery. It should be a business-owned and the Chartered Management Institute.2 driven process that unifies a broad spectrum of management disciplines (see Figure 1 on Business continuity management (BCM) is page 28). In particular, it is not just about IT defined by the Business Continuity Institute disaster recovery. Too many organisations (BCI) as ‘an holistic management process that tend to focus all their efforts on IT because of identifies potential impacts that threaten an its mission-critical nature, leaving themselves organisation and provides a framework for exposed on many other fronts. building resilience and the capability for an effective response that safeguards the interests Because of its all-embracing nature, the way of its key stakeholders, reputation, brand and BCM is carried out will inevitably be depen- value creating activities’. dent upon, and must reflect, the nature, scale and complexity of an organisation’s risk pro- The BCI’s use of the term ‘business continu- file, risk appetite and the environment in ity management’ rather than ‘business conti- which it operates. Inevitably, too, BCM has nuity planning’ is deliberate because ‘plan- close links to risk management and corporate ning’ implies there is a start and end to the governance strategies. The importance of a process and can lead to unwanted planning holistic approach across these areas was rein- bureaucracy. BCM is, by necessity, a dynam- forced in the Turnbull Report (1998) ic, proactive and ongoing process. It must be kept up-to-date and fit-for-purpose to be As an organisation can never be fully in con- effective. trol of its business environment, it is safe to assume that all organisations will face a busi- The key objectives of an effective BCM strate- ness continuity event at some point. gy should be to: Although this simple reality has been etched in high-profile names such as Bhopal, Piper- ensure the safety of staff; Alpha, Perrier, Barings Bank, Challenger, maximise the defence of the organisation’s Herald of Free Enterprise, Coca Cola, Exxon- reputation and brand image; Valdez, Railtrack, the Canary Wharf bombing, minimise the impact of business continuity Enron, Anderson, Marconi, Landrover and events (including crises) on the World Trade Centre, experience also customers/clients; teaches that it is the less dramatic but more
FACULTY OF FINANCE AND MANAGEMENT 27 RISK – OPERATIONS January 2003 MANAGEMENT QUARTERLY
Figure 2 The unifying process
BUSINESS CONTINUITY MANAGEMENT Knowledge management Human resources Security Communications and PR Crisis management Environmental management Facilities management IT disaster recovery Risk management Emergency management Supply chain management Health and safety
frequent business continuity events that can blindly implementing so-called ‘best practice’ be even more problematic to deal with. business continuity techniques is not the best Unfortunately, it seems that many public and approach. As all organisations are different, private organisations still think, ‘it will not techniques which work in one organisation happen to us’. will not necessarily work in another. Most executives tasked with addressing business continuity issues are keen to achieve quick Changing the corporate culture wins, and the ‘tick box’ audit approach, which tries to copy successful strategies used Ignoring business continuity issues can hap- elsewhere, is often adopted without consider- pen for a number of reasons, ranging from ation as to suitability. denial through disavowal to rationalisation. A Many process of ‘group think’ can develop whereby Underlying the ‘tick box’ approach is the per- organisations an organisation genuinely starts to believe suasive belief that a structure, policy, frame- believe it will that their size, or some other feature, makes work and plan is all that is required. Whilst not happen to them immune to disaster. Or executives may these are critical enablers, relying on structure them. firmly believe that insurance will cover them, alone tends to overlook the key issue – that it without realising that insurance cannot is people who actually deal with business con- indemnify against lost market share, loss of tinuity and crises. reputation or tarnished brands. In this context, it is worth remembering (and Research shows that crisis-prone organisations reminding all senior executives) that ‘man- tend to exhibit these tendencies seven times agerial ignorance’ is no longer an acceptable more often than crisis-prepared legal or moral defence if a crisis is handled organisations.3 Whilst all individuals may badly. All managers should consider the fol- make use of such defence mechanisms from lowing key questions that are likely to be time-to-time, the key difference is the degree, asked in a subsequent inquiry: extent and frequency with which they are used. when did you know there was a problem? what did you do about it? Changing such mindsets is not easy, and if you didn’t do anything, why not?
28 FACULTY OF FINANCE AND MANAGEMENT MANAGEMENT QUARTERLY January 2003 RISK – OPERATIONS