Commentary: Continuity in Recession
These are turbulent times for businesses, tumbling from the realization of sub-prime into the credit crunch and now a sustained period of global recession. But what does it mean for business continuity? Is it now a dispensable overhead – a hygiene factor, a luxury that organizations can afford to forego, or are we missing something?
The following underpin the way we implement business continuity management and help understand how we might manage the effects of recession:
- Each organization has a unique, frequently changing and multi-faceted continuity risk profile. It typically includes a range of improbable but potentially catastrophic events, from climatic or weather extremes to technology failure, from civil unrest to terrorism.
- Each organization, knowingly or inadvertently through its actions, also exhibits a continuity risk appetite. This is usually stated via policy and sets out the exposure to continuity risk that stakeholders willingly accept and, by implication, requires mitigation of any risks that they are unwilling to take. Executives are then legally obliged to ensure that continuity risks are effectively managed against policy.
- Funding both facilitates, constrains and shapes risk management since there are typically many treatments available for any given risk condition at widely varying cost. None is absolute and all leave a residue, such as exclusions and excesses written into insurances. Best value and hence governance is achieved at the point where cost and residual risk are both acceptably minimized for stakeholders.
These basic paradigms are readily exercised under normal economic conditions; we are obliged to identify exposures that exceed the levels permitted by policy and to then implement best-value policy-compliant ways of treating them. Risk equilibrium is restored by allocating budget or resource to fill the gaps, buying insurance or accepting the increased risk.
So should recession change the way we interpret these basic concepts?
Clearly, if organizations are earning less money, they therefore have less to lose; and so it seems reasonable to assume that the system will self-adjust, automatically attaining a compliant level of protection simply by spending less on business continuity management.
This is a convenient but invalid assumption; the risk landscape has changed and while the rules continue to apply, we need to interpret them differently.
John Robinson, FBCI, is Managing Director of INONI Ltd.
