The challenges facing modern companies mean they need to be agile and decisive to provide effective business continuity
Business continuity is arguably one of the most fundamental objectives of the risk management function. Whatever the event or circumstance, enabling a company to operate without any perceived impact on customers or clients is crucial to the existence of an organisation.
It is by definition an onerous task for even the most capable of risk practitioners, particularly given the diverse range of potential threats to continuity in the modern business world.
Of course the role does not – or at least should not – fall to risk professionals alone, but they do need to be at the centre of the inner corporate wheel, developing, maintaining and communicating an effective strategy that can cope with almost any conceivable eventuality.
In recent years resilience has become the buzz-word for business continuity. While opinions differ about the precise meaning of resilience, the two are in effect one and the same. A resilient organisation is one with the capability to provide continuity of business no matter the situation. Likewise, a company that excels in business continuity is one with inherent resilience.
The Oxford English Dictionary describes resilience thus: “The capacity to recover quickly from difficulties; toughness”.
This might be the essence of resilience, but use of the word “difficulties” within that definition when seen in the context of multinational corporate risk belies the enormous scope of threats faced by those charged with securing business continuity.
Modern business risk is a fast-moving, ever-changing kaleidoscope of interconnected threats and opportunities both visible and imperceptible, physical and intangible.
Traditional risks to business continuity such as fire and flood, storms and natural disasters remain relatively straightforward to mitigate and deal with strategically. Intangible risks, particularly those associated with cyber and technology, present inherently different challenges – not least because they are unconstrained by location or geographical boundaries and have the potential, theoretically, to undermine or destroy even the largest global multinational very quickly.
Add to this risks such as increasing political uncertainty, economic volatility and complex issues such as the pan-global multi-tiered supply chains that are now an intrinsic aspect of the functionality of even relatively small companies, and the enormous business continuity challenge facing risk professionals and their companies only starts to become apparent.
Even terrorism – hardly a new phenomenon – has changed in the 21st century. The widespread and often random threat posed by groups such as the so-called Islamic State remains difficult to deal with and continues to have a growing impact across many parts of Europe, the MEA region and beyond.
So how can businesses create a resilient structure that is both robust and agile enough to cope with the risks it might face and what is the role of the risk professional within this?
Across the next few pages of StrategicRISK we will examine some of these issues in a series of articles with insight and opinions from leading risk practitioners and business continuity experts from across Europe.
They offer practical advice and perspectives, developed largely through their own hands-on experience rather than from a hypothetical or conceptual standpoint, that aim to guide other risk professionals towards effective solutions to some of the complexities around business continuity.
What is clear throughout is the importance of applying a holistic approach to organisational resilience.
Developing an effective resilience programme
Ferma president Jo Willaert has a concise view of how an effective resilience programme can be achieved: through enterprise risk management (ERM).
“You build resilience through the ERM process,” he says. “A professional methodology for creating a risk inventory and action plan are critical.”
“Any business continuity plan must be tailor-made to the company, geographical location, client and suppliers’ portfolio. Good communication is essential and there must be a regularly updated organigram of key persons.”
While strategies for resilience are based on dealing with current and future risks, studying the experience of other organisations and how they have handled potentially ruinous difficulties can be a highly effective way of assessing successful business continuity approaches.
Nowhere is this more evident than in Airmic’s Roads To Resilience study, published in 2014, which, with expert help from the highly respected Cranfield School of Management, examines in forensic detail eight major businesses that recovered from the economic downturn a decade ago.
Roads To Resilience was the follow-up to Airmic’s Roads To Ruin research, which examined the causes of 18 catastrophic failures of risk management. It concluded that, almost without exception, a “breakdown in risk governance exacerbated by board risk blindness” lay at the heart of each.
By cross-referencing Roads To Ruin, Airmic and Cranfield identified four distinct stages on the road from ruin to resilience:
Roads to Ruin: Poorly prepared for foreseeable and adverse events and unable to cope with crisis;
Risk Compliant: Prepared only for those adverse circumstances identified and evaluated in the risk register;
Risk Responsive: Ready to successfully respond to a crisis, but protection of resources and assets is inadequate;
Roads to Resilience: Robust precautions to protect resources and assets and rehearsed plans to use in a crisis.
“Business continuity has a really important place, but I want to focus more on building resilience and then, having built resilience, building response,” says Airmic deputy chief executive Julia Graham.
“In Roads To Resilience we said there were a number of resilience principles and business enablers. Business enablers building resilience are people and culture; business structure; strategy, tactics and operations; leadership and governance.
“To deliver these business enablers you have five principles, which are:
- risk radar;
- resources and assets;
- relationships and networks;
- rapid response; and
- review and adapt.
“I would start with risk radar, because that helps to scan the horizon. Risk managers need reliable sources of tracking information: what do you look at rigorously on a regular basis that tells you what you need to know about the outside world? I would say that is somewhere between five and 10 [in importance]. That gives you your dashboard of what is happening in the world and that might be tracking something that an organisation such as Control Risks issues or you decide to read something that has been published by one of the ratings agencies. This might be supplemented from time to time by emerging or sudden events as diverse as Brexit or an emerging disease like Ebola.
“That would be my risk radar – or my meerkat radar. You are putting your head above the parapet to see what is going on.
“After that consider what you need by way of a framework and process for your business continuity system.” There are many standards and benchmarks to help the design of this, she says, “but fundamental is that whatever approach you choose it must fit with the culture of the business and be able to form part of the way the organisation manages its business through its business model. Otherwise there is a risk of not integrating the system and leaving it stuck in an isolated silo.
“Building the system is the same as building a risk management framework. You need a business continuity framework built on an enterprise-wide approach around the principle of: Plan, Do, Check and Act. Some people would also add Outlook to that. And this is not static – the whole system, the framework and the data it holds is dynamic and should be kept under review.”
She adds: “Having developed a structure the next thing is to work out what resources and partnerships and networks you need. What is your wheel of resource that you need to help you manage business continuity?”
Carl Leeman, head of risk at logistics company Katoen Natie, says that for any business continuity strategy to be effective risk managers must develop a risk culture.
“This is where people in every position are aware of the risk to the business and understand that while you cannot avoid all these risks you can mitigate against them and minimise them or, together, see a way around the risk,” Leeman says.
“That is the most basic requirement when trying to develop a programme for business continuity. However, it is still not something you see in every business.”
It is, Leeman admits, “sometimes easier said than done” especially in companies where key employees have a silo mentality. “Some still just do their own job and don’t care about anything else,” he says.
While this starting principle applies almost universally, Leeman says resilience strategies must be tailored to the needs of each individual business.
“At Katoen we are fortunate to have a broad global spread of locations so we are not in a situation where we have one big production facility where if something goes wrong at that location we are out of business. The only issue that could affect all our premises at the same time is a cyber issue, so we work on that of course.
“While we could be affected by an incident at one location we cannot be critically impacted so that the business would cease to function.”
Nonetheless, while bespoke strategies are important, most of the core essentials of resilience are universal.
“The basics are: how will I respond tomorrow to the demands of our clients?” says Leeman.
“How can I supply my clients? How can I continue to produce or execute my services? The basics are the same, only the execution could be more complicated depending on the size or type of business you are in.
“For example, I once produced a contingency plan for a store – just a one-page document for a simple bakery on the corner of a street. It is evident that with smaller companies, you have an emotional element that comes into play in the event of a crisis situation. This is less so in a big company than an SME where they are so connected to the company they are not always in a position to make decisions without too much emotion.
“This is something you don’t know up front, it depends on the situation and the reaction at that moment. Who do I have to call? Who do I have to inform? At least you should have the names and telephone numbers of the people or institutes you need to call and what you have to do to get a temporary permit, or whatever is needed to do repairs or continue your business. Because in some countries, if your business is burned down, you might need to obtain a new operational permit and that could take time.
“You really have to know all these things. In some cases you might find there is even a competitor business that is willing to help you, but that is something you should discuss up front and not when the fire brigade is still on your premises.”
Graham learnt this first-hand as risk manager at Royal Insurance when a terrorist bomb exploded outside its offices in Manchester in 1996. The building was badly damaged, and while the 34 staff working there at the time all survived, some suffered physical and psychological trauma. The incident took place at a time before business continuity had evolved into the sophisticated strategic practice it has since become. Graham cites the event as a “sobering experience” that shaped and defined the way in which she approaches resilience.
“I had no idea how many people were in my wheel of stakeholders – it was enormous,” she says.
“You get the obvious ones, such as insurers and loss adjusters, but it had not really occurred to me [at that time] about all the other people I might need such as security consultants, salvage advisers, and occupational well-being.
Obvious and not so obvious
“I had staff with post-traumatic stress and I needed people I could rely on to talk with them and help look after them. Then there are all the obvious things, such as where will we go and what IT do I need when I get there? All those physical things seem quite obvious, but there were also lots of other things that weren’t really obvious to me at all.”
She says building that network of stakeholders was absolutely critical.
“In terms of response, you need to distinguish what you are going to do in the first few minutes of an incident: what’s my emergency response? Then, what am I going to do if it continues and becomes a crisis? Then, what am I going to do when it plateaus and becomes a recovery? You probably need different teams when dealing with each of those different stages of an event, because they are related but also different, and that is why people often put emergency management, crisis management and business continuity management in different buckets.
“But they are all related, because they are potentially a continuum. You might not want the same people responding to all of them, but they are definitely a continuum and you need a core governance group to manage through those phases.
“Two other major lessons emerged about the power of technology and agility. A new scanning solution being used by claims allowed us to recover that part of the business with staggering efficiency by pumping work to other claims centres – we lost just 12 hours of post. We had a great team who had the authority and ability to act outside the plans and we changed the plans to suit the circumstances of having empty space in Liverpool and a board room that became a temporary switchboard.”
Graham says that when the switchboard was opened as usual the following Monday, “many customers thought we had been unaffected – in reality more than 700 staff had been displaced from their usual offices.
“That is almost like the rapid response. The big difference today is that often the plans are not actually responding to what I had in Manchester, which was a bombing, they are probably responding to data breaches or reputational issues, where somebody in your company has done something that has been published on social media. So the whole idea these days of rapid response is completely different to what it was 20 years ago at the time of the Manchester bombing. You have to run your plan from the assumption that people will probably know you have a problem before you do yourself.
“I applied the lessons we learned from Manchester to plans in place prior to 9/11, when the company was materially affected in Manhattan, the US and globally. Technology and the use of this by the media had changed dramatically. It took some while in Manchester to work out what had happened; I stood aghast in my chief executive’s office on 9/11 and watched the second jet hit the Twin Towers, live.
“The whole ethos of how people respond to an incident is completely different today. All the principles are true but they look different in today’s world compared with 20 years ago when things moved much more slowly and they were far easier to control.”
Reacting quickly to a changing situation
So how do you build genuine resilience into this rapidly moving context?
“You have to remain agile, you have to take fast decisions,” says Leeman. “You should not be in a situation where you have to go and talk to 200 different people at meetings before you can take a decision. It is not the big ones who eat the small ones – it is the fast ones who eat the slow ones. If you have a slow-moving organisation, I doubt you will be in good shape to handle a crisis.
“On the other hand, a huge organisation might be considered ‘too big to fail’, so again there are advantages to being a big company. The ideal situation is to have a large spread of risk and still be in a situation where you are able to take decisions quickly.”
The precise role of the risk professional within this is a moot point. Leeman believes strongly that it is “to assist the chief executive – nothing more or less” because ultimately it is the CEO who has the final say, depending on the board or structure of the company.
“As a risk manager you should be in a situation where you can provide the CEO or other decision makers with up-to-date information and be aware yourself of what is going on,” Leeman says.
“That will depend on your situation as a risk manager in your company and the added value or reputation you have in your company. That is not something you can build overnight.”
James McAlister, vice-chair of the Business Continuity Institute and a former police officer and government adviser, believes risk managers should be resilience co-ordinators.
“Within a lot of organisations there is too much focus on business risk only and they think of physical risks, either to do with health and safety or security risks, as a different issue,” McAlister says. “One of the things risk managers can do is to try to bring all of this together. The new vision of organisational resilience is a multi-disciplined managerial approach that encompasses everything – this is the way forward for risk managers.
“Risk managers need to think: what is coming? How can my position impact on that, because normally the risk manager or chief risk officer has that direct line to the board? They are in a really prominent position to influence what the organisation does. But it means looking slightly outside the current risk comfort zone and thinking about engaging a wider group of people, understanding what they are doing and what they feel are their tangible threats and risks, and then being a conduit to bring people together, to co-ordinate an approach that works towards organisational resilience.
“Many people and businesses are very silo-focused, which makes bringing together some of the major players crucial to help develop a far more holistic approach to this.”
Horizon-scanning is also vital. “Risk managers also need to look externally to see what is happening to other people,” says McAlister, who also runs organisational resilience consultancy Crisis Prepared. “The threat that is going on in another country to a similar industry today is going to get you tomorrow. You cannot bury your head in the sand, you have to think.
“The world is such a crazy place at the moment: geopolitical instability; terrorism; Brexit - so many things are happening. Just look at the US and the issues with Donald Trump. It is a wild world, but you have to think what might happen if you mix some or all of these things into a cocktail of risk, how is that cocktail going to impact on your organisation?”
Getting the board’s attention
Better board engagement is a key goal of many risk professionals, so how do they get the attention of boards, especially when there are still companies that are so introspective at board level? It is widely accepted that many UK businesses ignored the Brexit threat because their boards believed it would “never happen”.
“Risk managers need to be savvy about this,” McAlister says. “I have gone into businesses and tried to scare them about an issue and it might work once, but it will never work again because every time they see your face they think you are a harbinger of doom, a Horseman of the Apocalypse entering the boardroom and it can be a complete turn-off.
“I get brought into boards regularly because they won’t listen to their own risk people or business continuity people, so they then bring in an external party to deliver a reality check on what it is really like in the big bad world. Externals work not by shocking the board, but by bringing them to a point of: ‘This isn’t an internal telling us – this is an external who works with lots of different companies globally’.
“If I get brought in by a company to run an exercise with the C-suite/Gold team, I will pick something that is incredibly current, but try and push it a little further into something that could happen in the future. So they get a lot of value out of that. I might take part of an event that has happened in one part of the world and tie it in with another from somewhere else and bring it to the board.
“It is stimulating, it does grab the imagination and potentially does get their hearts fluttering – so they are forced to think that, if an event like this did happen to them, what would they do?
Making senior managers uncomfortable
“I want them to be uncomfortable,” says McAlister, “because when they are uncomfortable they have to be realistic. It is like watching a really good film and you keep talking about it afterwards. Running a good exercise with a great scenario has the ability to do that even with the big hitters on the board or high up in an organisation.
“If you bring somebody in who can capture the imagination, keep it real and make it so they keep talking about it afterwards, then you will actually see results.”
He says that some companies suggest an exercise around a particular event that is either unrealistic or not risky enough. “People will often give me a ridiculous scenario that they want me to unfold and I will normally pull back from this and say it is not realistic, or they don’t dare go for something that is a little bit risky. It needs to engage people’s imagination and make them think – what if this really did happen?
“A lot of people still expect the government will come in and recover for them. They don’t realise that the government is not going to [do that], the government is going to recover for the public and critical national infrastructure, but it is not for the benefit of an individual business, it is for the benefit of life. A lot of organisations worldwide are still wrongly under the impression that governments will do more for them than they actually are doing or are capable of doing.”
While McAlister operates as an external consultant, he strongly advocates that companies develop their own resilience and business continuity expertise from within.
“I am a strong believer in growing your own. I wouldn’t bring in consultants unless you didn’t have them internally,” he says.
“Organisational resilience now is looking right across the board at physical security, information security, data security, health and safety, business continuity, facilities management, vehicle, fleet, IT and HR - most corporate departments that don’t actually produce a product or service, but help everyone else recover and help everybody do what they do.
“All those departments need to be linked together to become organisationally resilient: people such as the risk manager, the business continuity manager and the chief resilience officer, which at the moment is a term that is used in the public more than private sector. Somebody who brings all that together would make a massive impact in terms of a joined-up approach to organisational resilience,” McAlister says.
“I go to a lot of companies where it is the only time that these people have ever sat around a table together, but once you get them working together, the results and the dividends that brings are massive.”