How
do you know which employees have an appropriate understanding
of business risks? John Robinson explains.
In every organisation, there are those who,
through ignorance, opinion or choice, belittle or deny the risks
they face. They remain oblivious to how their own actions or inactions
will transmit, become magnified and, ultimately, impact upon the
organisation. They may be an executive or a contracted-in cleaner;
but either way, they are a component of the continuity culture and
the organisation needs to know who they are and how they are likely
to behave.
Continuity culture is high on the Business
Continuity Institute’s (BCI) agenda, occupying an entire stage
in the BCM Life-Cycle model and featuring again in the Good Practice
Guidelines. Both offer valuable and definitive guidance; for example,
the BCI’s Good Practice Guidelines state that:
"In managing any event it is critical
to recognise that a successful outcome is judged by both the technical
response and the perceived competence and capability of the management
in delivering the business response. The stakeholder perception
should be seen as the critical success factor with an equal if not
more urgent priority over the technical solution."
Stage 4 of the BCI’s BCM Life-Cycle is
dedicated to 'Building and embedding a Business Continuity Management
Culture'. It reminds us that:
"Organisation (corporate) culture
concerns the deep-seated and embedded beliefs and values held by
members of an organisation and should not be overlooked and dismissed
lightly."
and goes on to say that:
"...training and awareness must be
undertaken to ensure that the entire organisation is confident,
competent and capable. All individuals must appreciate and recognise
the importance of BCM and their role within it."
The Life-Cycle Guide details how these conditions
can be achieved. It also acknowledges that organisations are different
and that continuity managers must effect their own interpretation
of these guidelines.
It remains to emphasise that continuity culture
is a real and significant organisational component, an indicator
of soundness, longevity and investor confidence. It is a commodity
increasingly scrutinised by financiers, shareholders and regulators,
yet its value remains intangible and therefore capable of neglect
by those who fail to understand it. Aligning so many hearts and
minds is never going to be an easy ride. The recent study conducted
by my organisation in partnership with Continuity Central has shown
that wide variations exist in individual attitudes to risk. The
following paragraphs summarise significant continuity culture-related
findings that may affect organisations.
No size fits all
The most obvious finding arising from the study is that personal
attitudes to risk are individual. Employees perceive their own and
their organisation’s risk traits according to who they are,
what they do, their time in post, their seniority, what they are
told and the way they perceive the risk environment. This suggests
that within an organisation, a one-size-fits-all approach may be
counter-productive, where, faced with the apparent irrelevance and
bulk of standard texts or repetitious training, employees switch
off or decline to buy in.
As continuity managers, we would benefit greatly
from knowing where and how we should focus our effort. If we knew
for sure that one group had fully grasped their responsibilities,
then we could save their effort and our time, concentrating instead
on groups where weaknesses are evident. Periodic straightforward
assessments of views and beliefs might provide an indication of this.
Anyone can take a risk
The study suggests that middle management provides the continuity
conscience for most organisations, but that other employees –
possibly those closest to the operation – exhibit a painfully
weak risk culture. Granted, it costs less to educate a thin layer
of middle management, but a few days' training per year does not
necessarily qualify them to pass on what they have learned effectively
or spend their time identifying potential wrong-doers. The insulating
layer also suggests that senior management may remain unaware of
the condition, allowing it to persist.
We need a cost-effective means of penetrating
beyond middle management, detecting cultural fragility at all levels
and addressing it in an appropriate way. Online techniques such
as those used during this survey have global reach and provide a
means of quickly assessing the entire workforce and other contributing
stakeholders in the organisation, such as suppliers and resellers.
Early warning
The survey suggests that situation, size and sector combine to produce
unique company cultures and corresponding continuity cultures, each
with its own distinctive safe zone or benchmark condition. Again,
as the BCI is at pains to point out, there is no ‘typical’
organisation, and a homogenised, standard culture conditioning system
is unlikely to fulfil anyone’s requirements.
Companies need to define their own benchmarks based on recognised
industry standards and transmit these to staff at all levels, defining
acceptable deviations from the norm for different job functions
as necessary. Periodic monitoring against benchmarks such as those
used in this survey provides a clear target for staff and an effective
early warning system.
Company culture
The survey suggests that small companies have a reactive continuity
profile and are highly aware of the risks they face. Medium-sized
companies appear to devolve operational risk to line managers, separating
commercial risk-taking roles from less adventurous staff who are
appropriately charged with preserving corporate integrity. Large
companies take a step further and devolve continuity to specialists.
On the face of it, this potentially leads to reduced accountability
and a weakened continuity culture. However, it is a pattern we are
accustomed to; for example, when we travel by coach, we devolve
responsibility for risk (and our safety) to the driver, in the knowledge
that she/he is best equipped and trained to deal with any normal
issue that might arise. If the coach is involved in an accident
however, the driver may become irrelevant, with individual fortitude,
knowledge and capability determining whether we survive.
Appointing an individual to become a department
or company’s continuity conscience appears practical and efficient
under normal business conditions; it makes little provision for
individuals who deny the importance of continuity capability under
extreme circumstances. Audit functions have a major role to play
in assessing the adequacy of departments’ continuity capability.
They are again faced with the large company pattern where a trained
individual represents the department, masking the underlying continuity
culture.
Personal culture
On a personal basis, the study suggests that risk awareness is similar
to disease resistance; those familiar with handling minor disruption
seem averse to risk and become inoculated against it. Conversely,
desensitisation may affect individuals who experience major disruption
on a frequent basis, and whilst they may be adept at dealing with
recovery, the survey suggests they have an atypical risk profile,
treating it as an acceptable everyday occurrence.
These findings suggest that all staff might
benefit from rotation through areas where minor disruption must
be managed (e.g. help desk) during their career. They also suggest
that accident-prone operations become desensitised to risk and,
instead of striving for perfection, may expose the company to further
and increasing risks.
Compliance
Compliance with any standard requires measurement and control, fast
feedback, a means of identifying discrepancies and driving conditions
toward a predetermined position of acceptability. This sounds straightforward
until we realise that to manage continuity culture we are faced
with somehow measuring intangibles such as acceptance, pro-activity,
competence, awareness and understanding.
Most of the culture-building tools at our disposal
currently comprise ‘push’ techniques such as training,
required reading of policy and procedure, and other forms of direct
involvement. But these are only part of the story; to confirm uptake,
we need to measure the success of these initiatives and find out
if the messages got through. We can achieve this through auditing,
appraisal and testing at an individual or team level, although the
system begs a number of important questions:
* Do auditors have the time or wherewithal to consistently diagnose
the ‘embedded and deep-seated’ continuity beliefs of
individuals or teams? Are they equipped to target corrective action
meaningfully? Do people act normally during an interview with an
auditor?
* Are performance appraisers capable of recording
a consistent and insightful assessment of individuals’ continuity
culture? Can they be relied on to offer consistent advice to bring
their people into line? Are their own views appropriate and consistent?
* What will this cost and how long will it
take?
The chances are, we will not commit the necessary skilled resource
to complete the task to the required consistency and depth. And
if we do, then change may well have occurred before the cycle is
complete.
Automation
The survey suggests that in some areas automation can bring significant
benefits. For example, an on-line monitoring and advisory system
can:
* Provide the control feedback needed by BCM practitioners
* Reduce costs, saving time and reducing business interruption
* Finish sooner, by addressing many individuals concurrently
* And so accommodate rapid rates of change
* Reach everyone, wherever or whoever they are
* Inject consistency, delivering even-handed expert advice to all
participants
* Provide a clear focus for management during appraisals
* Support benchmarking and year-on-year trend analysis
* Present an overview of continuity culture by statistically processing
and presenting results
* Deliver targeted expert advice to where it is needed, not just
to managers and IT
* Report exceptions to management as they arise, allowing rapid
response
The survey has brought to light how people
in organisations view the continuity issues and risks they face.
The variances shown contrast starkly with the black-and-white directives
contained in most organisations’ risk and continuity policies,
perhaps highlighting the need for a closer form of control. Internet
and intranet technologies offer a ready and beneficial basis for
achieving this.
The author would like to thank continuitycentral.com
and David Honour in particular for the support shown during the
completion of the Attitudes to Risk survey. We would also like to
express our gratitude to all those who took part and invite appropriate
questions regarding content, methods used and findings.
JRCPL is currently seeking organisations who
wish to participate in the INONI 3.0 Beta programme, through which
some of these benefits may be realised. The INONI on-line survey
facility is presented and described at www.jrcpl.com.
Alternatively, please email inoni@jrcpl.com
for further information.
FULL SURVEY RESULTS
Part one: Introduction
Part two: Does continuity culture vary by region?
Part three: How does experience of disruption affect attitudes to risk?
Part four: Are larger organisations more exposed?
Part five: Which sectors exhibit the best continuity culture profiles?
Part six: How much does continuity culture affect site proximity?
Part seven: Do people in different roles perceive risk and continuity differently?
Part eight: Does familiarity breed contempt for risk?

• Date: 23rd April 2004 • Region: World • Type: Article • Topic: BC general