18 August 2011

Should risk assessments better reflect customer needs?

You could argue that trust is what holds our society together – without it we have no personal credibility, our companies have no value and our Governments no authority to govern.  We have been treated to a series of macro case studies over the past few months showing how the simple loss of trust from key stakeholders can bring down, or undermine an entire system.  The Greek, Irish and Portuguese governments have experienced this and so too, to a certain extent, has News International which chose to close down the UK’s most profitable and widely distributed daily newspaper following revelations about the use of phone hacking.

So it appears that trust matters, but who decides when trust has been lost and how do we measure its impact before it goes?  The answers to both of these questions are absolutely fundamental to an organisation’s risk management arrangements, but are often overlooked in the risk assessment process.  I am frequently asked to review risk management approaches on behalf of our clients and I can count on one hand the number of times I have found a good example of reputational impacts being adequately measured.

It should not be hard, but I guess it is easier to focus on quantitative data – hard financial figures, number of casualties, etc. – rather than engage in a debate that, unchecked, can become a little nebulous.  Perhaps this says more about the mind of the average risk professional.

Risk management in many organisations has come to resemble an engineering process with strict rules and methods that are enforced from the centre and applied verbatim.  Where reputation is quantified you often see the impact being linked back to quantitative statistics – a defined amount of negative reporting in the press, sanctions imposed by a regulator, etc.  Where do our customers come in?  Surely they deserve to be recognised for the ultimate dependence we have on them, rather than our measuring a secondary or tertiary impact.  Ultimately, if you mess up, your customers will look elsewhere – the fines from a regulator or the bad press you receive are just symptoms of an impact that has already materialised.

The problem with this is that risk management can too easily become a compliance exercise, with risk registers completed with little thought given to the end result.  In addition, methodologies are often skewed towards measuring impacts, particularly reputational ones, that have occurred in the past, meaning assessments can never really be applied adequately to future risks.

I started this blog by talking about the inadequacy of many risk methods in addressing the reputational impacts of risk.  However, the principles of much of what I have said can be carried forward to improve the measurement of other risk impacts.  By reducing the emphasis on a rules-based, statistics-heavy process and moving towards – and this may be unpalatable for some – the feelings of our customers and stakeholders as the gauge of reputational damage, risk assessments can become more real and more closely linked to the needs of our customers.

12 August 2011

What have businesses done to work through the riots?

James Crask, a contributor to the PwC Business Continuity blog, was on BBC Radio 5 Live and the BBC News channel. Hear his thoughts on the riots and how business continuity could have helped businesses.

Listen to BBC radio five live interview

Download and watch BBC News interview

28 July 2011

When is a crisis a crisis?

Or not as the case may be... 

This is a question that gets raised time and again in discussion with anyone involved in risk, crisis and business continuity. The last few years have hosted some of the most dramatic corporate and financial crises seen in generations, but still we have trouble getting to grips with what “it” is.

It seems that everyone has a different answer, or a slew of different ideas. So why can’t we, as an industry, put this one to bed and answer the question once and for all?

Well, we are trying. A British Standard will go some way towards defining crises and crisis management, but no doubt there will be differences of opinion. Arguments and discussions will be had and then, finally, agreement by committee on some long-winded narrative that almost captures it. But still we’ll disagree among ourselves.

So why does this difficulty of definition even exist? Well, there’s a lot of challenge in the varying use of words and language related to crises. Terms like emergency, incident, disaster, event, risk, high-impact and catastrophe are bandied about and many people use them almost interchangeably. In fact this industry is more guilty than many of attaching new buzzwords to old concepts and never addressing the core of the new idea.

To try and solve this, companies and practitioners have tried to define criteria for crises that range from the overly simplified to the horrendously complex.  A lot of time can be spent, during an event, debating whether it is a “level 2 incident”, a “level 4 crisis” or even a “level 11 disaster”, and that is time, frankly, wasted.

Both of these issues are bothersome, but they aren’t the real problem. The actual challenge is twofold: defining crises relevant to each organisation, and recognising that not all crises are the same.

Tackling the latter first: not all crises are the same. Most people focus on the flash-bang, sudden-onset event as the key characteristic of a business crisis – fires, floods, earthquakes and the like. But the assumption that all crises are like these neglects many of the major reasons companies find themselves managing poorly through other events. For instance, supply-chain or IT disruptions bubble along in any business at a reasonably healthy rate; after all, small failures in these realms are common and managed operationally. But the trick, in crisis management terms, is understanding when a small but rising operational problem tips over into a more strategic crisis.

And it’s not just operational disruptions that cause headaches in terms of definition. Strategic or business model disruptions, such as a major regulatory change or the “financial crisis”, are slow-onset events that arise incrementally and, akin to boiling a frog, no one realises the threat to the business until the operating model of the company is challenged. Lastly, let’s not forget hidden crises, embodied by major frauds, corruption or breaches of ethics, whose stratospheric increase in severity might only become clear very late in the day and hence requires an even faster and more focused response.

So, how do we go about tackling this without getting tied up in definitions and criteria?

Let’s start by asking what is of value to the business; what drives our revenue, strategy or growth? And how could a crisis management capability be built around supporting those value generating activities?

Then let’s ask what are the values of the business; what do we stand for as a business, group or even as individuals? What do we have a reputation for and with whom does that reputation exist?

Only when those are answered can we start to organise a crisis management capability fit for each organisation. Not only this, but when we have a series of values, and value generators, to protect, we can identify and track predictive indicators to see if we are getting better or worse in the face of a potential business crisis.

So what is the message here? I suppose the message is that definitions and criteria somewhat miss the point. We, as an industry, need to simplify and integrate. Simplify by making crisis management relevant to each organisation and tailored to its needs. And integrate with other strategic functions, including risk management, which are able to track the things that are important to us and tell us if we need to be more or less worried.

Back to the beginning then... when is a crisis a crisis?

Good question.

08 July 2011

Where to cut costs?

A friend of mine runs his own business.

Lately, faced with rising costs and a difficult market, he has been thinking about the cost of his business continuity measures, and at the weekend he asked me what I thought. So I told him a story...

Like many people living in rural Britain I depend on my car. I need it both for work and for carrying out the essential day to day activities upon which my family depends. After all, my family, my colleagues, and my clients all expect me to be available when required.

When I first got my car, I knew that we were heavily dependent upon it, so I had to make sure it was always available. I was after all, a responsible husband, father and businessman. Naturally, I considered some of the reasons my car might not be available and I put some sensible measures in place to make sure we could continue to travel regardless of circumstances.

I set up a service plan with my local garage; they carried out a schedule of regular activity to reduce the risk of breakdown, reminding me when servicing, MOT, tax etc. were due.

I got “gold” insurance to cover my car should it catch fire, get stolen, or perhaps suffer some kind of accident. A courtesy car was included, meaning I would have minimum disruption if something did happen to my car. I also joined a reputable roadside rescue service. Hence, if something did happen I knew I had a team of people who could respond quickly and get me on my way again without too much delay.

Although a little costly, all of these arrangements worked really well, and for a number of years my car never failed me.

As time went on circumstances changed. We'd moved to better accommodation and the family had grown. The economy changed and we were now faced with soaring fuel bills and an incredible grocery bill to feed our active kids. The pressure was on for me to cut costs.

I naturally questioned the amount of money I was spending protecting my car. What value was this investment if I never seemed to get any return? Where else could I spend that money for a greater return?

So I decided to cut back, to make some savings... I cancelled my service package and even skipped a couple of interim services. I scaled back my insurance to the bare minimum required by law and I cancelled the roadside rescue.

My wife, whose job, it seems, is to worry about everything, voiced some concern. She thought I was taking too big a risk. She pointed out all the things that could happen and how exposed we were if my car failed.

"We'll be ok" I said. "If something happens we can just figure it out at the time. We don't need to keep paying for all this just in case something happens, we can just pay at the time. Besides, look how much we can save."
 
My car is now in desperate need of a service. It's still running, but it's been under a fair bit of pressure lately, getting used far more than I anticipated.  I'm nervous that at any minute something catastrophic could happen, because if it does I will be faced with some serious costs and a lot of delay before we get back to normal. My family, work and clients will suffer and my reputation for reliability will be shot.

Not only that, but I'm putting my life at risk, and that of my family, if I don't get the car serviced immediately.  And let's not forget... if something does go wrong I will also have to suffer a long "I told you so" lecture from my wife...

The story gave us both something to think about.

23 June 2011

Realising the value of maturity

Dichotomy.  I looked up the word and found "the splitting of a whole into exactly two non-overlapping parts, jointly exhaustive and mutually exclusive". 

BS25999 has two parts: one concerning primarily the Doing of the business continuity PDCA cycle, the other more about the Planning, Checking and taking Action.  Not at all a dichotomy, I know – but then why do many BC managers treat the concept of the BC Management System (BCMS) in part 2 as if it were superfluous to the delivery of BC programmes?

Most practitioners build effective plans and create the mechanisms to ensure they remain current (change management, reviews, exercises, etc).  However, some see this success as the end point and shy away from establishing the controls called for by BCMS.

I suggest it has to do with maturity.  Consider a BC programme maturity model defined as:

  • Low maturity – without effective plans (an organisation at risk);
  • Medium maturity – plans in place to bring about a successful recovery (an organisation considered a competent performer).  This can be achieved without being BS25999 certified or aligned (though without the benefit of a formal BCMS the level of assurance may be quite low).  This represents an alluring false ceiling;
  • High maturity – effective BCM is wrapped in a BCMS, allowing the organisation to embed the understanding of the discipline in organisational management, deliver greater assurance to customers and clients and improve the targeting of investment (an organisation with competitive advantage and optimised investments).

Does a mature BC programme necessarily mean greater expenditure?  Absolutely not, and we need to dispel that myth!  The BCMS protects the investment we have made in BCM.  This allows our business leadership to understand risks and determine where best to place investment and to align recovery capabilities with the business risk appetite.  Maturing from medium to high can lead to savings.

The two parts of the BS25999 standard do not represent a dichotomy, but more a sign of growing maturity. They should be treated as complementary.  Close alignment with part 2 brings real benefits and certification provides independent assurance that clients recognise. 

20 June 2011

Mayhem at Le Mans

The 79th Le Mans 24 hours race took place the weekend before last, and the balance between speed and endurance created an iconic spectacle once again.

The glamorous Le Mans Prototypes (LMP1s and LMP2s) took centre stage, with the intense rivalry between Audi and Peugeot highlighted by their starting positions: Audi held 1st, 2nd and 5th, Peugeot 3rd, 4th and 6th. The atmosphere intensified as the expected 249,500 spectators crammed into the stands, set up their camping seats near big screens, or climbed ladders to garner a better view from the hills and mounds around the track. Cameras were poised and ready as, at 3pm in glorious French sunshine, the race began with an ear-splitting, roaring rolling start.

But within less than an hour Allan McNish, a driver for Audi, was spinning off across the gravel at 120mph; his car hit the barrier, flipped airborne, shattered into what seemed like a thousand pieces and ended up on its roof.  As news spread around the track, safety cars and emergency services scrambled to the scene. The crowd held its breath as replays showed the power and severity of the accident, and watched as safety officials rolled the remains of the car over to gain access to the driver.

Miraculously, Allan McNish stepped out of the wreck virtually unharmed, and thanked his team for creating a car that can "have an impact that is enormous and the driver pops the door and gets out perfectly well."

The Audi R18 team not only built the car for speed and endurance, but designed it with safety in mind. Planning and designing safety features that would minimise any injuries to the driver, "just in case something happens", has ensured that the Le Mans race and its drivers can continue to race with faith and in relative safety.

Watching the race got me thinking about the similarities between business and Le Mans.  It seems a little simplistic to consider business and motor racing as analogous.  However, the race teams and businesses that can claim the greatest success often have the endurance and vision to carry on when times are tough and respond efficiently and effectively in the face of a crisis.

We could all learn from what I witnessed at Le Mans and from other high reliability organisations, where safety considerations force a level of pre-planning often not considered in other sectors.  When the consequences of failure are high, prior planning and a timely response are key to survival.

25 May 2011

Scientific advice in a crisis

It was around 12 months ago that UK airspace, and that of most of Western Europe, was closed due to the eruption of an unpronounceable volcano in Iceland.  You would be forgiven for thinking that someone or something is not happy with Iceland, as a further eruption, this time at a different volcano, has enlivened the debate as to whether it could all happen again or, from the other side of the fence, whether it poses no threat and the last response was in fact an over-reaction.  Who should we believe?

I think it is worth pausing for a moment to consider the role of scientific advice in a crisis.  How can we ensure our strategic decision makers are able to make decisions based on the latest science without becoming overwhelmed by the range of hypotheses and data available?

The key issue that strikes me, having seen how scientific advice helps to inform a crisis response at the national level of UK Government, is that scientists operate in a world of probability whereas senior decision makers want definitive information upon which to base their decision.  Of course there is flexibility: what makes a good strategic decision maker is the ability to give direction based on the best information available at the time.  But a crisis forces an acceleration of the normal decision-making process, so there will be less time to consider different scenarios before a decision is required.

The pressure on those providing scientific advice can be immense.  Often, the crisis is the first time their views will have been sought by decision makers and the pressure to provide advice that conforms to the views of senior management must be significant.  Is it right that we ask these individuals to provide advice that may be diametrically opposed to their normal approach to scientific study?  During a crisis there is no time to robustly test a hypothesis, or seek peer review from the wider scientific community – why then do we expect these individuals to be definitive with their advice?

I don’t have any immediate answer to these questions.  However, perhaps part of the solution would be to involve the scientific community much earlier in the lifecycle of a crisis.  By bringing decision makers and scientists together before an event to help define realistic worst-case scenarios, risk assessments are likely to be more realistic in their description of probability and impact, with greater alignment to an organisation’s risk tolerance.  More crucially, by following this approach both parties could share expectations and requirements, helping to make the response a great deal more efficient by removing the time required for a discourse on defining scenarios.  Of course a decision will always need to be made with the best information available at the time – the challenge in many crises for decision makers is interpreting the myriad of information available to understand which options present the least worst scenario.

By the way, we will be at the CIR Awards this Wednesday (25 May) supporting our colleague Faye Whitmarsh, who has been short-listed for Business Continuity Management Consultant of the Year.  We hope to see you there.

22 March 2011

Business Continuity Awareness Week launches, so get gaming

Find five willing team members to support you, and compete in the Business Continuity Institute's BC24 game. Register your score to see where you come on the leaderboard, or even spread the word among non-BCM peers to see what they score. The game's start has been aligned with the start of Business Continuity Awareness Week 2011 (21-25 March), which has been launched to raise and improve awareness of the need for, and benefit of, effective business continuity management. The rest of BCAW 2011 is full of new webcasts, roundtables, research and papers; for more information go to the BCI website, or play the game here.

15 March 2011

Natural disasters. Plan for the worst and hope for the best

A few years ago I was approached by a BBC journalist who wanted to speak to a professional ‘doom-monger’.  I was a little put out, to be honest.  But his programme turned out to be in praise of the unseen and unsung (often derided) people who prepare for disasters, even if their work, like the Second World War pill boxes across England, is never needed.  In the last few days we have watched with horror and amazement the pictures from Japan, shocked by the appalling loss of life. This disaster follows close on the heels of the floods in Queensland and South America and the earthquake in New Zealand.  Rarely has the calamitous power of nature been so graphically illustrated.

The usual response from our business continuity community to emergencies and disruption, for example, following the recent problems with snow, is to point out the shortfalls in the planning and to berate those affected for not being better prepared.  And I do not doubt that there are many lessons to be learnt from these recent disasters.  We might reflect on the knock-on effect of one disaster triggering another and the challenges of recovery when an entire infrastructure has been incapacitated.

However, I was struck by the relative lack of panic in Japan.  As the earthquake struck, people sheltered in doorways or under desks, as they were supposed to.  They understood what was happening and what to do. Emergency teams returning from New Zealand commented on how well organised the rescue and relief had been.  Colleagues in Australia told me how their electricity companies had shut down power as the floods rose to avoid damage and were able to restore power as they receded.  This was down to preparation.

So on this occasion I simply want to pay tribute to those unseen and unsung people who had prepared for disaster, without whose work the disaster and the loss of life would undoubtedly have been far, far worse.

10 February 2011

Earth, Wind and Fire, do you have the remedies in place when natural disasters strike?

Two emails from international colleagues caught my eye this week. 

  1. “As you may be aware, Australia is knee deep in snake-infested flood water just now. As a result we are currently attempting to pull together a coordinated series of communications for our clients around how to deal with this catastrophe.

    We are assuming that not everybody will have a business continuity plan in place. Have any of you seen or produced any materials that advise clients on the steps that they should be taking in response to a major natural disaster?”
  2. “The recent news coming from Egypt has caused many of our clients with operations in that country to activate their Crisis Management Plans. Some clients have found that this has gone well and some have had to make it up as they went along. This situation has caused many of our clients at the Executive and Board Levels to begin to question the completeness of their organizations' existing Crisis Recovery and Business Opportunity Plans as relates to any aspect of their business.

    In a situation like this it becomes quickly apparent that these plans must address delicate personnel issues, complex asset protection issues, broad-based business continuity issues as well as information recovery and management issues.”

When something goes as badly wrong as it has done in both these countries, conventional business continuity and crisis management is usually found wanting.

There is an increasingly strong case for raising our game to look at how we would or could respond to unthinkable events. 

At times like this there is no substitute for effective leaders who understand what needs to be done and who lead with vision and clarity about what the future should look like.  These leaders will look beyond the usual boundaries and hierarchies and respond with the unthinkable. 

I recall one client responding magnificently to Hurricane Katrina – hiring aircraft and flying in generators; and housing, clothing, and feeding their employees.  This was not planned for, although the business continuity plans did help. The response was based on empowered local leadership who understood what they were doing, and who were capable of thinking outside the box.