By John Robinson, FBCI.
These are turbulent times for businesses, tumbling from the realisation of sub-prime into the credit crunch and now a sustained period of global recession. But what does it mean for business continuity? Is it now a dispensable overhead - a hygiene factor, a luxury that organizations can afford to forego, or are we missing something?
The following underpin the way we implement business continuity management and help understand how we might manage the effects of recession:
• Each organization has a unique, frequently changing and multi-faceted continuity risk profile. It typically includes a range of improbable but potentially catastrophic events, from climatic or weather extremes to technology failure, from civil unrest to terrorism.
• Each organization, knowingly or inadvertently through its actions, also exhibits a continuity risk appetite. This is usually stated via policy and sets out the exposure to continuity risk that stakeholders willingly accept and, by implication, requires mitigation of any risks that they are unwilling to take. Executives are then legally obliged to ensure that continuity risks are effectively managed against policy.
• Funding facilitates, constrains and shapes risk management, since there are typically many treatments available for any given risk condition at widely varying cost. None is absolute and all leave a residue, such as exclusions and excesses written into insurances. Best value and hence governance is achieved at the point where cost and residual risk are both acceptably minimised for stakeholders.
These basic paradigms are readily exercised under normal economic conditions; we are obliged to identify exposures that exceed the levels permitted by policy and to then implement best-value policy-compliant ways of treating them. Risk equilibrium is restored by allocating budget or resource to fill the gaps, buying insurance or accepting the increased risk.
So should recession change the way we interpret these basic concepts?
Clearly, if organizations are earning less money, they therefore have less to lose; and so it seems reasonable to assume that the system will self-adjust, automatically attaining a compliant level of protection simply by spending less on business continuity management.
This is a convenient but invalid assumption; the risk landscape has changed and whilst the rules continue to apply, we need to interpret them differently.
In this example it helps to visualise the full range of unmitigated risks affecting the organization as a kind of graphical risk landscape, with peaks representing areas of high exposure. Some of these may directly threaten business continuity, whilst the remainder are managed operationally. The illustration also shows how stakeholders are able to set a working level of continuity risk via policy. This is symbolised by the red line and reflects an overall risk appetite and budget. Some risks rise above the line; these exceed tolerance and require treatment to become policy-compliant.
When sound practice measures are applied, most of the risks are mitigated and this is represented by the greyed area in the second illustration. The darker region now represents remaining or residual risks, all of which lie below the acceptable level defined by the red policy line, with the exception of the exposure labelled ‘A’. This exemplifies an area of risk that cannot be mitigated within budget and which, after consultation with stakeholders, may be accepted.
This landscape therefore represents the organization’s risk managed status quo under normal economic conditions. It is a flexible and powerful construct, allowing budgeted improvements to take place at any time within policy limits. It also allows us to explore the effects of recession.
Recession amplifies risk
Two important recessionary effects threaten to change our risk landscape. Firstly, in an ironic twist, recession may cause cash and resource to be diverted away from continuity as the organization focuses on survival. Disaster recovery contracts may be allowed to stagnate, continuity staff may be redeployed and key assurance activities postponed or cancelled. These all save money but erode carefully positioned defences, causing previously below-the-line exposures to resurface in a kind of seismic upheaval. The situation is not helped by the fact that some hazards, such as theft, fraud and supply failure may be intensified by recession.
Secondly, reducing liquidity and earnings may mean the organization’s resilience is reduced. It can now withstand fewer major shocks, elevating previously inconsequential exposures to continuity risk status. For example, a risk event costing £1m may prove painful but not catastrophic to an organization earning a £10m surplus. However, if the organization only breaks even because of the downturn, then the same event could lead to bankruptcy in the absence of credit. It means we may need to respond faster than our BIA suggests if we want to survive.
Combined, these two points have the effect of artificially boosting the organization’s risk appetite and this is reflected in the illustration below. It causes tolerance to fall and, like a receding tide, this elevates potentially many previously inconsequential risk islands to continuity-threatening status. In this sense, recession acts as a risk amplifier.
There is a human analogue to the condition described; in recession, many individuals instinctively focus on income and cut back on their outgoings, possibly buying less or cheaper food. However, it makes sense to consume at least the levels of essential nutrients needed to keep our bodily systems working properly, including our immune system, if we want to stay intact. In business, indiscriminate cost-cutting is similarly damaging, bringing, firstly, a progressive downgrading of the corporate immune system and, secondly, legal breach by misleading stakeholders through inaction. The implication is that whilst we can spend less on continuity, we must continue to invest in key areas to ensure we don’t succumb to the equivalent of a common cold.
To do this we may need to balance our expanding risk appetite against a healthy but slim-line mitigation diet, identifying, then treating, exposures using lower-cost substitutes or blends whilst avoiding the easy temptation of blanket acceptance. Business impact analysis and risk assessment lie at the heart of this, offering relevant factual diagnosis. They jointly reveal the location and significance of any newly-exposed continuity risks faced by the organization, and propose alternative forms of treatment. Thus armed, executives and stakeholders are in a position to offset the effects of financial and resource constraints, providing authoritative direction.
In the light of this, we may decide to reconsider, reposition and regroup, making more of what we have at our disposal and changing the way we approach continuity. Possible steps toward this include:
• Review what we know to ensure it accurately reflects current conditions.
• Encourage directors to understand the situation fully so they can act.
• Be proactive. Anticipate change and plan to preserve capability.
• Continuously seek alternative solutions.
• Use tools to leverage resource and provide fast BIA updates.
• Become agile. Ensure that business continuity management is capable of recognising when circumstances change and of reacting quickly enough to make a difference.
Many of us will acknowledge the fact that our organization is probably less resilient than it was a year ago. Yet, in a crisis we may now need to respond faster than our BIA suggests but with less funding, less organizational focus and less resource. We need to be more aware of the new risks we face and ensure we have the information we need to negotiate them. The recession has major implications for BCM, and we need to become better informed, more agile, and more persuasive, delivering value through tough times.
Author: John Robinson, FBCI, is managing director of INONI Ltd, a provider of specialist business continuity software and consultancy services. www.inoni.co.uk
INONI has recently launched INONI Pro, a software package which enables organizations to manage the complete business continuity lifecycle. See http://www.continuityshop.com/software.htm for details.
At the very beginning of the credit crunch collapses I challenged the readers of this site with the argument that in each of the previous recessions BCM has been seen as a ‘nice to have’ and has seen budgets cut, managers made redundant and projects stopped. I asked whether we think this time we are mature enough to be considered a requirement and would we survive. I see John Robinson’s detailed article this week on a similar line and I wonder now, with the cancellation of the BC Expo this year, if this is a signal that our industry is still not the requirement we would like it to be.
• Date: 16th January 2009 • Region: UK • Type: Article • Topic: BC general
UPDATED 21ST JANUARY