Creating shareholder value through business continuity management

By Patrick Roberts, Needhams 1834 Ltd

There is an unfortunate tendency when promoting business continuity management to focus on negative outcomes, for example the old chestnut that “80 percent of businesses without a business continuity plan fail after a disaster.” I don’t know where this figure originally came from but, given the number of times that it has been quoted in various forms, one must assume that it is based on some valid research. Nevertheless, it is clearly absurd. The evidence, from both the Manchester bombing in 1996 and the 9/11 attacks, is that, despite little business continuity planning, the vast majority of companies did actually survive.

More generally, I believe that negative approaches to promoting business continuity management are fundamentally flawed for two reasons:

* It is bad psychology. Focusing on negative drivers will, at best, result in a miserly grudge-purchase but, more likely, just turn a potential customer off.

* It is quite unnecessary to focus on business failures. Business is not about surviving or not surviving; most businesses, particularly those that are publicly traded, are under intense pressure to grow year-on-year-on-year. Simply surviving is not considered success in this context.

As BC professionals we know that business continuity management can add real value to organisations so why do we end up focusing on negative outcomes?

Risk and return
Rather than concentrate on survival, I should like to look in this article at the more general issue of risk and return. Expected return is the anticipated profit, averaged over a suitable range of scenarios, on a particular investment for example:

* A savings account with a reputable bank has an expected return almost equal to the published interest rate (eg 5 percent per annum); or
* Investing in a friend’s start-up business might offer the prospect of either doubling your money in a year or losing everything; if these two outcomes are equally likely then the expected return is zero.

Risk in this context is defined as the variation in paybacks over the different scenarios. In the above examples, the risk of the savings account is almost zero (the bank is almost certain to pay the agreed interest and equally certain not to pay more) whereas the risk from the friend’s start-up is clearly considerable (even though you might make a lot of money, you might also lose everything).

Effective business continuity management will, by definition, reduce risk. BCM can, however, effect expected return in a number of different ways, for example:

* The cash costs of the business continuity management programme (such as the expense of maintaining a disaster recovery site) will reduce the expected return;

* Indirect costs of the business continuity management programme (such as lost working time through implementing stricter security procedures) may also reduce the expected return;

* Specific risk mitigation measures (such as flood defences) may increase or decrease the expected return, depending on the prevailing risk and the cost of the mitigation; and

* Being seen to be a resilient organisation represents a competitive advantage in dealing with customers so should increase the expected return.

The overall effect on the expected return will therefore be the sum of these (and a number of other components).

Portfolio Theory
Markovitz first formalised the link between risk and return with the publication of his ‘Portfolio Theory’ in 1952. This had two central themes:

* Investors expect an increased return for accepting greater risk; and

* Investors can maximise the expected return for a given level of risk by investing in a wide range of assets; this is called diversification.

The first point would appear to present a strong argument for business continuity management but begs the question: “How much reduction in expected return are shareholders willing to accept for a given reduction in risk?” As we shall see, this very much depends on the nature of the shareholders and the company.

The Capital Assets Pricing Model
The concept of diversification was further developed in the 1960s to produce the ‘Capital Assets Pricing Model’. This distinguished between two different types of risks:

* Systematic risks such as changes in the price of commodities, economic cycles and interest rates that effect all companies; and

* Non-systematic (or idiosyncratic) risks which are specific to individual companies.

Within the idealised assumptions of the model, the CAPM demonstrated that investors are not actually concerned with non-systematic risks as they can mitigate the effect by diversifying their portfolio. For example, oil exploration is very risky but, as an investor, I can reduce my risks by investing in a number of oil companies. It doesn’t matter to me if Shell has a good year and BP has a disastrous one (or vice versa) if I hold shares in both.

Public and private companies
Returning, then, to the earlier question of how much expected return shareholders may be willing to sacrifice for a given reduction in risk; the answer depends entirely on what kind of shareholders we are dealing with. Whilst the CAPM is not a completely accurate reflection of reality, it applies pretty well to the ownership of many large PLCs: investors are typically very well diversified and are therefore unwilling to pay for a reduction in the non-systematic risks in any particular company. Business continuity management spending must therefore be justified in terms of increasing expected returns. Importantly though, many private companies have important groups of shareholders who are not well diversified: for example family owners and management teams who have been granted shares. These critical groups have a very strong interest in reducing the risk to the company so should logically be prepared to accept a significant reduction in expected return to provide this.

From theory to practice
Once one moves away from the purely theoretical there are a number of additional advantages in reducing non-systematic risks. A business can be run much more efficiently if revenues and expenses can be predicted with reasonable accuracy: long-term planning demands a degree of certainty as to future cash flows. Some specific issues are listed below.

* Having to meet significant unexpected expenses denies a company the opportunity to pursue value-creating opportunities, such as expanding into new countries or launching new products, or, in extremis, may force the company to abandon ongoing projects. Equally, generating unexpectedly large profits is not necessarily of much use unless the funds generated can be usefully employed at the time.

* In addition to the above, the tax regime in many jurisdictions penalises fluctuations in profit from year to year. Progressive tax systems, where higher tax rates are levied on larger profits, mean that the total tax paid over a series of ‘good’ and ‘bad’ years exceeds the total that would have been paid if profits were averaged out.

* Finally, there are the serious costs of financial distress. Even a fairly minor loss may impact temporarily on a company’s ability to pay creditors and damage its credit rating leading to a higher cost of borrowing and straining relations with suppliers. In the case of more serious losses, triggering bankruptcy, huge costs are incurred in selling off stock and equipment at bargain prices.

Once again, one needs to really understand an individual business to quantify the benefits of good risk management.

Conclusion
Rather than frightening people with talk of survival, I propose that it is better to promote business continuity management in the less emotive terms of risk and return. What this means in practice depends largely on the nature of the company.

http://www.needhams1834.com/

•Date: 2nd Feb 2007• Region: UK/World •Type: Article •Topic: BC general
Rate this article or make a comment - click here