Worth the risk

There are many benefits of a well-conceived business continuity management (BCM) programme. Not only does it give reassurance that the business will respond quickly and effectively in the event of a disruption, it will also typically give regulators, customers, owners and the public reassurance that the business is well run. The analysis involved in a BCM assessment often gives organisations a better understanding of their processes and helps ensure they are focusing time and resources on their key risk exposures and concentrations.

Continuity planning is also fast becoming a requirement of the modern business, something that is essential in an increasingly interconnected and risky trading environment. A raft of regulations insist that companies have frameworks for identifying their risks and mitigating against them. The UK's Financial Services Authority (FSA), for example, demands evidence that companies which it regulates can restore their critical operations after a disruption. Even in the unregulated sectors, such as manufacturing, retail and communications, customers are increasingly demanding business resilience. Supermarkets, for example, often require their key suppliers to have a BCM plan so that in the event of a disruption the upstream impact is reduced as much as possible.

Despite these benefits, it can often be hard for risk managers to clearly quantify the value delivered from investing in resilience. It is only when something goes wrong that the benefit of a well functioning plan is properly understood. For this reason, many organisations often incorporate their BCM systems within a larger enterprise risk management (ERM) framework. These companies describe BCM as a form of risk treatment. By doing this it can be easier for them to demonstrate what the organisation could lose if a threat materialises, and therefore gain support for mitigation efforts.

Key hallmarks of a BCM plan

Most sensible organisations will have some kind of plan for recovering their critical operations in the event of a pandemic, flood, fire, explosion or some other disruption. Whether this is simply a document on the risk manager’s desk or a globally embedded programme depends on the sophistication of the organisation and its appetite for risk. Companies that ignore BCM altogether do so at their peril.

BCM recovery plans are linked to the recovery of a value chain, business process or site that has been disrupted, while ERM deals with the likelihood of a risk materialising and the impact of that event. The two processes can be linked. If the ERM system has identified a process or area of the business that has a high likelihood of being affected by a certain risk and this stands to adversely impact the business significantly, then the organisation may want to consider having a plan in place to respond to that event. On the other hand if there is a process that, if disrupted, is unlikely to have a big impact on the business then it is probably not the best place to start allocating resources. Rather than ending up with a continuity plan for everything, the organisation should target recovery efforts as a way of treating the risk that the ERM system has identified.

Therefore the first stage of BCM is a business impact analysis. By drilling down into the business processes themselves and identifying the value that is derived to the business and what other processes are dependent upon them, the organisation is able to define a maximum tolerable period of disruption (MTPoD) for each value chain or process, or even asset. With this knowledge the business can develop a pecking order to recover the processes over time. For example, a company may want to recover its payroll activities before it has recovered the marketing department.

The next stage is to decide what the organisation needs to recover. This could involve moving the process to a different site or using different people and data. A procedural document should be used to identify where the organisation will get the people, data and equipment in order to continue with the critical processes following an incident. Wrapped around these recovery efforts is a strategy for how the organisation will respond to the disruption event, in other words how it will deal with the fallout in terms of casualties and managing its reputation.

When it comes to handling the incident, the first thing an organisation should do is make sure its people are safe. It should consider how to deal with people that have been hurt or hospitalised. This will ensure that staff feel they are being looked after and it could also deliver significant reputational benefits in the eyes of the media. Organisations will also want to consider how they protect their property and assets. A business’s reputation is its most important asset, so dealing with key stakeholders, including the media, shareholders, customers and the public are all things that the organisation should consider in its BCM plan.

Risk based approach

Historically organisations conducted business impact analyses across every business process and department. Today, global businesses find this approach far too cumbersome. Instead, what they deploy is a risk-based approach. These organisations use their ERM systems to identify where they have critical exposures and in which areas it is essential that the organisation is up and running again quickly after a disruption. This enables them to focus their time and energy only on the areas that are business critical. The organisation considers where it derives most value and subsequently establishes a framework for recovery in the parts of the business that have the most to lose or have the highest risks attached to them. This top-down strategy is far more focused that the traditional bottom-up BCM approach. Many global businesses have failed to implement BCM on a global basis because they attempted to do everything at once.

Role of insurance

Insurance has a role to play in business recovery. Typically business interruption insurance will pay a chunk of money to compensate the company for lost revenue while it was rebuilding its operations. Insurance will not be able to replace any customers that have lost faith in the business and decided to go elsewhere, nor will it cover a business for the impact on its reputation if an incident is handled badly.

A good BCM plan can help the organisation reduce its business interruption claim. Insurance carriers have a vested interest in reducing the size of a claim. So while quality BCM arrangements rarely equate into premium reductions, they are often a necessary prerequisite for obtaining insurance cover. It is not unheard of for business interruption carriers to withdraw cover from companies that do not have satisfactory resilience in place.

Organisations will want to consider their insurance arrangements for another reason. They may be over-insured or under-insured depending on the wording of their contracts and the size of their exposures. A business impact analysis will help them understand whether or not the insurance that they have in place is adequate or over the top. The BCM team may want to conduct a business interruption cover review in collaboration with a forensic accounting team to make sure the right cover is in place.

There is also much less forgiveness in the business world and from regulators for poor business resilience. Some businesses have been threatened with fines for not having plans in place. A business with a sound understanding of the risks it faces will be able to target its recovery efforts more effectively, which means it will have a statistically higher chance of a lower impact if something adverse occurs. It’s no longer good enough to wait for a disaster to happen before thinking about BCM.