Challenges and Opportunities for Business Continuity


Challenges and Opportunities for Business Continuity Within 21st-century Business Models

by David Kaye

First published: Journal of Business Continuity and Emergency Planning; September 2006 Henry Stewart Publications

This paper sets out to explore the new challenges and opportunities for business continuity within 21st-century business models. It illustrates why and how businesses are changing, demanding that traditional silos of risk thinking be broken down, and business continuity management (BCM) become a central and crucial tool for the board and its risk management team. The paper also sets out to explain an important need for traditional organisational barriers to be lowered among the risk community. As in all business change, there are drivers for that change. By exploring and understanding these drivers, it will be possible to fully appreciate why business continuity itself is changing, and why it must change further if it is to satisfy the needs and trust of its own stakeholders. That understanding will also help to forecast the challenges and opportunities for risk and continuity professionals that will evolve in years to come. It will also encourage some organisations to rethink how BCM is best skilled and positioned within their management structures.

INTRODUCTION

One illustration of the increasing importance of business continuity management was seen in a 2005 survey by AON (“Biennial Risk Management and Risk Financing Survey”), which placed business continuity as the second most important risk issue concerning risk and business managers. The survey reported that the most important was the loss of reputation, an issue that is itself at the heart of continuity management.

Risk managers, of course, understand that the consequences of a risk incident cannot be measured simply in money: in lost assets, turnover or cash flow, or in destructive levels of litigation. They understand clearly that the consequences could involve the loss of life, or the loss (or inaccessibility) of the operational dependencies necessary for the organisation’s very survival. These dependencies include a wide range of intellectual assets, brand values, effective business control, regulatory approvals, legality, the confidence of its various stakeholders, and whatever it needs in order to continue delivering urgent, contracted products and services on time and to the expected quality. The purely financial impact of an unpleasant surprise may indeed be enough to push the financial business model off course and render the organisation no longer viable. The non-financial impacts, however, are much more likely to bring sudden death to the organisation.
Furthermore, as the business continuity manager knows only too well, the consequence may be that the organisation has to step away from its marketplace and other stakeholders for a period of time, giving free rein to competitors to do lasting damage to its customers, supplies or distribution.
The damage, of course, may not only be within the organisation. There could be destruction of the legal or physical environment on which the organisation depends. An urgently needed supplier or distributor, for example, may be the one directly affected by a disaster, but their failure to deliver as expected may have a devastating impact on the production line of the organisation expecting these urgent and key ingredients for their own products.
Within a 20th-century business model, the organisation managed most, if not all, aspects of the supply chain from within its own factories, offices, warehouses and workforce. It had various ways of contacting its consumers, and held stocks of finished goods and raw materials on site to keep it going for days or weeks in the event of a failure. It directly employed the workforce and thus had control over their day-to-day activities, and it could redirect that workforce to meet any new overnight priorities raised by a sudden risk incident.

The modern business model, with its just-in-time supply chain, compression of margins, direct communication via the web simultaneously to millions of customers at home and abroad, is much more brittle and subject to a single point of total failure. Furthermore, much of the contributing workforce is now employed by a third party to deliver intellect and activity only and precisely as previously contracted. Customers can move away so much faster — perhaps with just a click of the mouse — as indeed competitors can now upscale so much quicker by additional outsourcing, to steal customers.
It is not all bad, however. These models enable the organisation itself to scale up and down far more easily and quickly than before, and that ability offers an opportunity to manage a crisis too. The issue is that business continuity management, unless it deals with these modern big-picture risks and their sensitivities, can be no more than window dressing, and the organisation remains vulnerable to sudden closure by a single risk incident.

BUSINESS IMPACT

While each business, and indeed each marketplace, will have its own sensitivities, one example of an impact assessment that would be considered catastrophic could include the following financial and non-financial damage:

  • loss of regulatory or licence approval;
  • service chain fails for one day or more;
  • delivery chain fails for one day or more;
  • media attack;
  • loss of confidence in brand name by the general public;
  • loss of confidence in the brand name by significant stakeholders;
  • financial loss of:
    • capital, say above $1,000,000;
    • group targets, say –25 per cent;
  • credit rating fall one full level;
  • unacceptable risk to life;
  • loss of business or financial control.

The increasing importance of this wide-arena operational damage takes the risk manager and the most senior strategic managers of the organisation into the world of business continuity management. It takes them beyond financial risk management, where, over many years, they have developed sophisticated financial risk models, and takes them into the much more amorphous and difficult arena of operational risk. It places continuity indubitably as an important risk issue, raising questions about which crucial dependencies enable an organisation to continue and grow as planned. What risk is more important, other than perhaps the loss of life, than the very survival of the organisation?
It undoubtedly takes current business continuity thinking, which may sit elsewhere in the organisation, a long way beyond its roots in the replacement of computer systems and other workplace facilities. Those roots, of course, remain important, but modern business dependencies are so much more diverse and complicated.

NEW BUSINESS MODELS AND SINGLE POINTS OF FAILURE

In spite of the huge wealth, scale and internationalism of many a modern business, it is in fact much more exposed to a single, organisation-wide destructive event than earlier business models were. These new business models have brought multinational empires that can best be described as ‘hollow’ companies. They have very few people ‘at home’ and consist of little more than a range of outsourcing contracts for both supply and delivery, the stakeholders, a brand, legality, positive cash flows, compliance, intellectual assets of many different types, and the overarching entrepreneurial and control mechanisms. Even some of these ‘assets’ may be rented and not owned, not least the intellectual assets and the brand.
Furthermore, these new business models not only allow the host organisation to be flexible to meet demand, they enable customers to move away wholesale. The models enable competitors to upscale astonishingly quickly to lap up business that has lost its erstwhile home, or perhaps just confidence in its erstwhile home. No longer do competitors need to build new factories or production lines to upscale; a few additional outsourcing contracts can be all that is needed.
The real business impact analysis therefore needs to address a whole host of exposures well beyond the internal hardware infrastructure of the organisation. It needs to address at least the criticalities above against a list of crucial and urgent operational dependencies.
These single-risk survival dependencies raise new and fundamental questions. Should the organisation approach the task of ensuring business continuity from the viewpoint of a range of likely scenarios; or should it approach the task from the viewpoint of identifying those dependencies and then ensuring, whatever happens, that they can be kept secure? Working from likely incident scenarios hardly has a successful track record when we remember Hurricane Katrina, September 11, St. Mary Axe bomb, Chernobyl, Piper Alpha, stock market falls in the late 1990s, South-East Asia Tsunami, Buncefield, Auckland power failure and so on.
The dependencies are as always those relevant to each business but, as a starting point, could include at least:

  • marketplace machinery, technology and services;
  • group-wide machinery, technology and services;
  • departmental machinery, technology and services;
  • loss of building workstations and equipment;
  • failure within the supply chain or distribution chain;
  • loss of legal, physical or technological access to intellectual assets;
  • specifically, information on paper;
  • loss of individuals and team intellect and skills;
  • other stakeholder dependencies;
  • ability to retain financial and business control;
  • cash flow and revenue security.

RISK SILOS

In the same way that risk management has moved on from being the purchase of insurance products, business continuity is emerging from its own historical silo and sees itself as part of the much wider risk and strategic management framework. Business continuity risk management, when used to its full extent, is, as with all risk, as much about opportunity as it is about damage. It is about good management, enabling the rewards from risky activities to be assessed properly: an enabler where otherwise profitable opportunities are avoided because of an anecdotal fear of the risks they may carry.
Business continuity needs to look forward to meet these challenges to its traditional thinking and certainly needs to recognise and take its place proudly alongside other risk disciplines within the organisation.
It also needs to be said that some risk managers need to move forward. Risk managers who fill their time arranging insurance portfolios are missing the crucial point that the most destructive of risks are not insurable. Financial services risk managers, for example, who fill their time with balancing currency and portfolio risks, are managing an exposure that could indeed affect bottom line by a few points, but, unlike business continuity needs, are less likely to destroy the whole organisation.
To push down operational and continuity risks as less sexy and less consequential is therefore avoiding the very thing that can bring the whole organisation to a close. These new business models, and their regulators and stakeholders, are increasingly driving boards to consider operational risk; especially low-frequency, high-impact risk, which is by definition much more difficult, and where they feel less confident.
As always, the responsibility for risk understanding and risk management rests firmly with those boards or their most senior managers. They may delegate the processes for achieving risk understanding and risk management, but they cannot delegate the responsibility. Once the risks and the potential consequences are explained, the directors cannot ignore them and must make decisions around the information obtained. This is not just a regulatory issue; it is simply good management, and business survival risks issues are no different at all.
The decision could be that the identified and measured exposure is acceptable, and is documented as such. This could easily be a reasonable decision if the carefully assessed worst-case consequences could not possibly have an unacceptable impact on their own people, viability, stakeholders and business models.
If the exposure is deemed unacceptable, however, then the organisation has further choices to make. The risk may be reduced down to acceptable levels; indeed in an extreme case, the board may decide to withdraw from a particular activity or location. Process re-engineering and/or duplications can often reduce the potential business damage; again down to commercially acceptable levels.
The decision may be to contract to transfer the risk to another organisation, whether a supplier or perhaps to the customer. The danger here though is that a contract that transfers a potentially destructive risk to a counterparty may actually destroy that counterparty. What value then if that failure of supply or distribution in turn destroys the risk manager’s own organisation?
Most financial loss can be anticipated by a range of financial instruments, of which insurance is just one. It is interesting, however, to see from the potential destructive impacts listed above just how few are insurable.
Business continuity management is another one of those choices; whereby the board considers that, with careful preparation, the organisation has the strengths and resilience to manage the incident through without potentially destructive damage. That ‘careful preparation’ is, of course, no less than a business continuity cycle; but a cycle that reaches way beyond facilities renewal and ensures also the identification, the impact measurement, and then the protection or duplication of all crucial dependencies.
The senior managers and their risk advisers could use just one of these tools, but in practice are more likely to use the most cost-effective and commercially realistic combination. It is extremely unlikely that there will be no value found for business continuity within that chosen package of risk management measures.

BOARD IN CRISIS

A board or senior management team that is facing meltdown is not only worrying how fast the technology and workstations can be reinstated. It is asking other urgent questions too; of which just a few are:

  • Can we keep the confidence of all our stakeholders; even those now with conflicting demands?
  • Will our suppliers and distributors stay with us?
  • Will the suppliers be willing to respond to our urgent and changing needs?
  • Will our best staff stay with us?
  • Can we stay in control of our business?
  • Can we stay legal and satisfy our regulators, not only with secured audit trails but during our activities while the crisis is unfolding?
  • Do we still have all our intellectual assets (brains, paper, internal and outsourced databases, software, market positioning, licences, confidence, patents, research, contracts, etc) available to us and can we use them?
  • Can we be effectively closed down because we are unable to deliver on time and in quality on existing contracted obligations?
  • Can we keep enough of our presence in our marketplace and secure our position there before someone else steals it, probably forever?

And, by the way, let’s take time to look at whether this is an opportunity to re-engineer ourselves looking forward — four weeks in a hot site may be nowhere near enough.
Business continuity therefore forms just part of a much wider and coordinated risk management programme that sets out to understand clinically the exposure and its consequences. It then takes a view across the options available for managing any exposure, or any potential impact, that would be life threatening to the organisation. Discussion of the ‘recovery plan’ has not even been started yet.

REALISTICALLY MANAGING THE EXPECTATION OF RESILIENCE

Twenty-first century business survival is undeniably much more than just the rapid replacement of technology and workstations. It is also crucial to consider the foundation stones, and thus the vital dependencies, that enable an organisation to survive. These foundation stones are so much more than the hardware, and increasingly so. They include the wide range of intellectual assets, the supply and delivery chain, legality, regulatory approvals, control, skilled workforces, and brand values in their widest sense.
Even risk management of the supply chain is much more than being confident of its resilience or of replacements. It is also about getting risk and continuity management right into the contract negotiations before signatures. It is also about managing the suppliers’ own reactions where their confidence in future payment is shaken by a receiving organisation that is seen to be facing difficulties. For example, knowing that the distribution database maintained by a service supplier is intact is useless if that outsourced supplier has lost confidence in the customer’s ability to pay for the service. It is equally useless if the supplier has to withdraw for any reason whatsoever, and the contract wording, mismatched software, or even the Data Protection Act denies the counterparty the ability to step in and use that database productively.
It is no less a crisis when the receiving organisation finds that its brand is being destroyed by a gradually diminishing service quality from a key supplier. But at what moment is a crisis declared, and what, legally, electronically and practically, are the choices? Certainly, ensuring the legal, physical and operational usability of that database and software, whatever happens to the principal/supplier relationship, is no less a business continuity issue.
The 1990s continuity manager relaxes until outsourcing contracts are negotiated, awaiting the instruction then to create further contracts for contingency workspaces and technology. The 21st-century risk and continuity manager is there at the beginning, right in the heart of the negotiations, ensuring that the organisation’s own critical dependencies are secure, replaceable and usable from any unwinding of that contract, not just following catastrophic external damage. Trusting the lawyers’ ‘don’t worry, if they fail us we can sue for damages under the terms of my contract wording’ is a corporate cry from the grave.

MANAGING THE CONTINUITY RISK

Now that business models themselves have been changing so dramatically, the true business continuity package or cycle particularly needs to:

  • Ensure that no business-survival dependency can possibly be lost — it must be possible to tolerate any possible threat to those dependencies, whether the potential loss is sudden or is unfolding gradually.
  • Trust the promises to replace (supplier or internal) technology, data and workstation equipment quickly enough to avoid unacceptable damage to the organisation. How often do service level agreements (whether internal or external) document the service levels guaranteed during a primary failure? In addition, how often are these catastrophe service level agreements formally signed off, not only by the facilities staff but also by the managers of all the departments, suppliers and distributors that could be affected?
  • Have continuity plans that establish beforehand incident management teams that are known and fully authorised, skilled and resourced adequately to retain effective control, communicate widely, deliver urgent products and confidence, and thus keep the organisation alive among all the many new, urgent and conflicting demands on them.

A business continuity cycle that delivers only the latter two has dangerous exposures, and without looking at this wider strategic exposure of dependencies is just lip-service to the need for continuity. It creates a risk in itself, because it will raise expectations of resilience among its stakeholders, and as such is more dangerous than having no ‘business recovery’ position at all.
Above all, a continuity process that reports to the IT manager or to the facilities manager should cause some early warning bells to be rung.

CREDIBILITY

There are benchmarks produced by various organisations and regulators, and some of their guides and standards still need to recognise the changes that are taking place under their feet.
The exercise too is proffered as a route to confidence, but is it really, if it only exercises the ability to call out the gold team and rebuild an internal workplace? An exercise that will offer confidence is much more difficult to do and will also entail the exercising of decisions around the whole of the risk environment, as it will around workplace renewal. Does the organisation have all that it needs to ensure survival?
The tick boxes that say an organisation has ‘exercised its recovery plan’ are a genuine worry, not least when critical, urgent suppliers tick such boxes. How many of these supplier recovery plans will not work at all, and how many, if they do work, protect the interests of the supplier rather than those of individual customers? How many exercise debriefs and executive summaries list the things that have not yet been exercised, and thus where uncertainties remain?

CONCLUSION

If it were necessary to choose between effective risk management of business critical dependencies and a sophisticated recovery plan, my choice will always be for the former. The risk otherwise is that the latter could become no more than an expensive weapon to beat an already dead horse. Critical and urgent dependencies still in place will at least give the managers half a chance of staying alive.
None of what has been said is intended to suggest that workplace, technology and communication replacement is not important. It is, of course, crucial. The point, however, is that it is by no means the whole picture of credibility in a modern organisation.
To achieve such a position requires some fundamental rethinking about the role of the business continuity manager, and thus necessarily the skill base required, the credibility that needs to be achieved of the person and the subject, and not least the positioning of the function within the organisation.
The continuity risk manager of the 21st century has the direct ear of the board as a matter of course, not by exception. They provide a valued input to the organisation’s overall strategy setting, rather than being a back-room functionary whose job is just to prepare a recovery plan, a contingency workplace and replacement workplace tools. A more difficult role, certainly, but one that is in turn much more useful.

=========================================================

About the Author

David Kaye FCII FRSA FBCI MIRM Chartered Insurer was a divisional director of a large multinational responsible for risk management, with hands-on experience of operational risks world-wide. He now writes, lectures and guides a wide range of business and public service clients on risk related management issues. He is the Institute of Risk Management’s lead examiner on business continuity and the author of the Chartered Insurance Institute’s examination textbook, ‘Operational Risk Management’. He has also co-authored A Risk Management Approach to Business Continuity, published by Rothstein Associates Inc, which brings together risk management and business continuity thinking. He is a Fellow of the Business Continuity Institute, a Fellow of the Chartered Insurance Institute, a Fellow of the Royal Society of Arts and a Member of the Institute of Risk Management.

A Risk Management Approach to Business Continuity: Aligning Business Continuity with Corporate Governance, by David Kaye and Julia Graham is an important resource to address these issues.