Business continuity manager; “What’s that?” was the response when the term was mentioned to someone who has worked in the IT and finance sectors for most of his working life.
He is someone who probably ought to know better. It may be that he just doesn’t take much notice of anything beyond his own nose, but it is also probably because business continuity management (BCM) is a role that, perhaps more than most in the risk management sphere, can go largely unnoticed until something goes wrong.
Origins and challenges
David James-Brown, a consultant on BC, says it is fairly well accepted that business continuity as a profession sprang from the shift to an almost absolute reliance on information technology for most sectors of the economy, and the need to have “workarounds” and contingency plans should those systems no longer be available.
“The smart CEOs then looked at the rest of the business and said, well, if I’m making my IT manager do this then the same could be said for my other dependent functions such as HR, supply chain, marketing, and R&D,” he says. “So why should I be limiting my mandate to just IT people?”
Dawn Jewell, senior business specialist in BCM at Telstra, says the role stems from a number of risk-related disciplines, including emergency/crisis management, IT disaster recovery, operational risk management and business contingency planning.
“Because of the close interdependencies of these disciplines, there was a need for a holistic view that encompasses all of this rather than treating them as isolated functions,” she says. At Telstra, as at many organisations, she says, the role got its real boost in the late 1990s, when the world was preparing its disaster recovery plans for the Y2K bug. The fact that it turned out to be a non-event perhaps says a lot about why BC doesn’t get the recognition it should. Nobody will know what might have happened if no preparations had been made.
IT disaster planning is still at the forefront of the role. James-Brown says some companies in the 1980s began to see that it made sense to formalise and centralise contingency planning for other areas of the business. Unfortunately, he says, those smart CEOs remained in the minority for a long time, and even today the technology side of businesses has a much better understanding of what BC and data recovery actually are.
When asked what some of her main challenges were now, Jewell confirms this sentiment by first mentioning convincing management that resources need to be set aside for the continuity of the business. “It can sometimes be challenging to maintain the enthusiasm of key business stakeholders when risks seem hypothetical and there are competing and changing priorities.”
She also says there are a large number of people who help coordinate BC management but don’t do it as a full-time job. “Often … their understanding of the [BC management] discipline can vary significantly. Ensuring there is consistency in the application of the [BC management] methodology can therefore be a challenge, so training and relationship management are very important.”
Miles Pearson, BC manager at Centrelink, has a similar experience. He noted at this month’s Institute of Internal Auditors – Australia conference that business continuity managers do tend to be the “doomsayers” in an organisation and, as such, from a risk management perspective, they can be put on the backburner when it comes to allocating funds and costing in contingency planning.
Pearson says at Centrelink, the effort in terms of time and resources that goes into forming a continuity plan means that if a business function can remain out of action for more than a week without affecting Centrelink’s work, they don’t need to make a plan – they’ve got better things to do.
However, he says there are still instances where the need to include BC as a cost of any major project or business system is overlooked.
Part of the rationale for BC planning is that risk management processes don’t deal with consequences very well, says James-Brown. As such, he says BC planning needs to take into account the consequences of risks actually coming to fruition across a broader range of areas.
“If you look at a risk management program and look at the risk registers particularly, they’re very good at implanting preventative controls and managing preventative controls to reduce likelihood. But when you look at the consequence reduction methods, quite often you just get directed to the business continuity plan. If that doesn’t exist then it’s smoke-and-mirrors,” he says.
Ironically, the allocation of resources to BC is based on management’s own internal risk assessment, and this usually rests on the hope that events that would so hobble the business will never happen. This naturally means it can be an uphill battle to get a proper focus on the resources necessary, says James-Brown, especially as any risk assessment is usually based on past events.
“There’s quite some difficulty even among risk managers – and I don’t mean that as a title, I mean ‘risk managers’ as in auditors, internal and external and people who are there actively managing risk – there’s still a little bit of a leap to be made in some instances as to what is the difference between managing the preventative measures and actually managing the cost of the event.
“With the best will in the world from a CEO needing to comply with regulatory requirements and so forth – unless [BC is] prioritised appropriately through the management structure – [BC] just occurs very slowly or sometimes just via a compliance approach or sometimes just not at all.”
Jewell at Telstra says many organisations, however, are becoming much more comprehensive in their approach now.
“There is … more of a focus on risk mitigation in the broadest context – approaching with a range of mechanisms aimed at lessening the likelihood of the company being impacted by a serious disruption,” she says. “It is more common nowadays for organisations to be considering operational resilience as a mitigation strategy when developing products and services. Overall this means moving from a reactive focus to a proactive focus.”
“Across many organisations a more structured corporate governance of [BC management] and a more consistent methodology is being adopted, with endorsement from the top level driving buy-in throughout the organisation, rather than ad hoc adoption of [BC management] measures within different parts of a business.”
Pearson from Centrelink says crisis management planning has to include a response, continuity plan, and recovery. Central to those is “governance”, he says, by which he means that management understands the requirements to put this in place and what has to be done to do so. “The most important point is governance. If governance is not there, your continuity management will not be as effective as it could be and may in fact fail,” he says.
Less focus on IT
A recent survey of practitioners in Australia and New Zealand by the Continuity Forum, with the vast majority of respondents from the banking and financial and government sectors, not surprisingly still had IT disruptions as the major problem faced by close to 30 per cent of BC managers. However, IT was closely followed by two other areas: failure of utility services and natural disasters, which was the biggest disruption for a fifth of respondents.
Pearson from Centrelink confirmed that, following the pandemic threat from SARS and bird flu that hit the headlines a few years ago, the greater threat of natural disasters that appears to be looming as a result of climate change will only increase the pressure for contingency planning that is not just IT-focused.
The other areas that BC managers had to contend with included a move to new premises, human error, security breaches, and mergers and acquisitions. But the fourth biggest area was ‘other’, so there is clearly a broad range of issues that BC managers now deal with.
Ultimately, the primary focus has inexorably shifted to people themselves, says Ross Piper, associate director, corporate risk business services, at Macquarie Bank.
“People think it’s all about IT, but without people, the infrastructure means nothing,” he says.
Even more fundamental than determining whether and how you are going to be able to keep people working, he said a plan needs to take into account the very first requirement for employees involved in a major disaster – the need to contact family members, and perhaps to leave work and see them. “Safety of people is paramount.”
Future challenges
Some of the factors that will be important in BC management in future, he says, include utilising new technology to allow greater flexibility in work arrangements, ranging from off-site data centres and work areas, to use of more powerful mobile devices.
He says this was also one of the biggest challenges. “Almost week-to-week for us, it seems there is a continual shifting of goalposts about options [for infrastructure and technology use].”
Jewell agrees. She says that as new technology and communication tools become more advanced and widely adopted, this should provide more options for responding and communicating throughout serious incidents, as well as improving the practicalities of teleworking when physical attendance is problematic.
She says BC management and education tools should also become more mature, offering simple, effective solutions for undertaking the administrative side of BC planning.
“Although it is a specific discipline, there will be more of a convergence with other related disciplines such as emergency management, critical infrastructure protection, risk management and service continuity,” she says.
Of the specific events that will tax BC, most now point to an increased chance of natural disaster from global warming that seems to already be hitting home. In the absence of insurance cover for things such as flood, and the drain already apparent on insurance reserves, contingency planning will be ever more important.
James-Brown argues that BC management should go beyond the purely physical and encompass any event that threatens the viability of an organisation. And this can extend to financial disasters, like that of Société Générale and other banks before it. It will be different for every situation, but massive financial losses, for instance, raise questions about an institution’s reputation, and how it handles that perception will be very important to future investment in the company, he says.
In the past, business continuity has been seen as “being a chore” that detracts from the “top-end”, rather than as something that ultimately will add to the bottom line and the long-term sustainability of a company, so it was mainly a compliance exercise.
“Having been in the industry a long time, people have often in the past relied on the best fit templates to do their business continuity planning which frankly, more often than not is a waste of time. And they’re being driven by pressure to comply – to have a paper document they can wave around.”
There is some change, though. He says that when asked for a continuity plan, many organisations would show you an insurance policy. “In the past often people have used insurance as a reason not to do business continuity management, whereas organisations now are using business continuity management and demonstrating that capability to leverage insurers to reduce premiums.”
Now, he says many are realising the benefits of really concentrating on their risks, rather than just complying with some rules or trying to purchase mitigation. “It’s much more about the journey and the learning experience for the organisation than it is about the final documentation output.”