Mike Osborne believes that organisations are rethinking their approach to business continuity planning
When you mention business continuity, many organisations automatically think of IT. Of course business continuity management has been closely associated with IT disaster recovery for some years, and this aspect still dominates many companies’ business continuity planning. Indeed, recent research by the Chartered Management Institute highlighted this, revealing that 58% of businesses rated IT failure as their main fear for business continuity, and 40% of respondents admitted to having had a ‘severe disruption’ owing to a loss of IT in the last year.
However, we have been witnessing a real change in the perception and understanding of business continuity and what it means to the enterprise. Although IT professionals may have inherited business continuity as a legacy responsibility, it has become more widely accepted, particularly at boardroom level, that it concerns the whole business and requires a comprehensive, cross-company approach to be effective. Similarly, we have seen much better understanding of the implications of poor business continuity management and disaster planning, with stakeholders (from staff to investors) appreciating the catastrophic result of having poor or no contingency planning to cope with business interruption.
Businesses have been forced to rethink their business continuity approaches through legislation, with mandatory regulations in the financial services and public sectors in particular. Additionally, the changing political and economic world has done much to heighten interest in continuity planning. Many have learnt expensive lessons from the impact of adverse weather conditions, terrorism-prompted city centre evacuations and health pandemics, as well as the ever continuing IT attacks and network failures.
This change has occurred throughout the last five to 10 years, with the evolution of new business practices changing how we work and operate both alone and with our business partners. Most recently, the possibility of a bird flu pandemic created another huge shift in business continuity thinking, arguably providing for the first time a true realisation of the reliance of organisations on key employees. It could be said that the flu pandemic preparations of recent years have done for human recovery strategies what the so-called millennium bug did for IT recovery at the turn of the century.
So with IT and human threats having driven the evolution of business continuity to date, now comes a new threat – that of economic crisis. The economic meltdown has brought a new perspective. As well as disaster avoidance and business continuity plans, overall operational risk is now at the very top of directors’ agendas – and it is within this context that the role of the risk manager will need to develop.
In my opinion, the expanded role of the risk manager will now need to reflect the enhanced interest in business continuity provision from regulators, directors, stakeholders, clients and employees. With business continuity having come of age, we will see the requirements of a good risk manager expand also. No longer will it be sufficient for a company to have an employee designated a ‘business continuity manager’ as a sideline to his or her day job. Instead, we will see empowered risk managers working at board level with broader responsibilities that include ensuring compliance with regulations, physical security of facilities and staff, the robustness of the supply chain and integrity of networks. My own organisation has observed that among many of our clients the business continuity function has gone from being an operational add on to an accepted wisdom, with the role of business continuity manager, now often fulfilled by the risk manager, moving up to the boardroom.
This shift in the understanding and perception of business continuity is welcome. It makes perfect business sense to see continuity planning as an enterprise-wide concern with board level representation. IT will always remain central to the business continuity function but is now only an enabler for it, and not the all embracing focus that it may have been. Time has moved on, businesses have evolved and so too will the role of the risk manager.