
In this changed world we all now face, Business Continuity Institute (BCI) Technical Director Lyndon Bird asks whether Business Continuity Management (BCM) strategies will have to change.
“BCM has everything to do with understanding your business properly, how it works mechanically in terms of how things fit together, what are its vulnerabilities and in particular what ‘single points of failure’ does it suffer from”
-Lyndon Bird, Business Continuity Institute (BCI)
A senior BCM executive for one of the UK’s leading retailers has a comment he often uses when people like me try to make the subject too complex or too academic. He says BCM really should stand for “Basic Commonsense Management”. I have been reminded of this comment made by Steve Mellish, Business Continuity Manager of Sainsbury’s, many times during the past few months as horror after horror has unfolded in the world’s leading financial institutions.
I am not so naive as to believe better BCM would have prevented the financial meltdown in itself, but I wonder why basic BCM principles were not adopted by organisations as part of their risk management philosophy. The reason, of course, must be that banks use risk management purely as a means of hedging financial risks whilst largely ignoring the context of those risks. After all, it takes very little financial expertise to understand that if money is loaned to people who have no means of paying it back, and secured against assets that have very little chance of realising the amount loaned on them, there will be a problem somewhere down the line.
It also takes no great insight to understand that if you let highly intelligent but totally inexperienced mathematics graduates design a theoretical risk model that purports to show that if you parcel up bad risk and move it around the world quickly enough it becomes safe, you might have a problem. Have top bankers, government regulators, central banks or even their political masters never played ‘pass the parcel’ or had to gently discourage their newly grown-up children when they suggest they should re-mortgage the house and gamble the proceeds on a spread betting website? Apparently not, because that is exactly what they have done in their professional lives.
Business continuity might not be as intellectually challenging as risk management or as boringly grandiose as much of the box ticking that claims to be corporate governance. However, if we believe Mr Mellish, it is doubtful if the application of basic commonsense (aka business continuity) would not have spotted these systemic problems and addressed them well before the dire financial consequences crystallised.
Misconceptions
You might ask: isn’t business continuity just about ensuring we always have computer systems running and buildings for people to work in after a disaster or terrorist attack? Well, the answer is ‘no’, and sadly it is amazing that senior executives still make that mistake after nearly two decades of the development of BCM as a critical business discipline. Perhaps the problem has been poor communication by BCM professionals, so adopting the Mellish rule I will try and spell out what BCM really is and why it really matters, particularly in a recession.
Firstly, BCM has little to do with the detail of threats, theoretical or actual. Secondly, it has even less to do with the likelihood of any particular scenario happening. Thirdly, it is not specifically concerned with the recovery of technology unless that is (as is usually the case) critical to business survival. BCM has everything to do with understanding your business properly, how it works mechanically in terms of how things fit together, what are its vulnerabilities and in particular what ‘single points of failure’ does it suffer from.
I attended a conference in the US in which one speaker told us about her ideas for BCM in the healthcare sector. The presenter spoke only about recovery of administrative ICT systems, which was mainly about billing and managing cash flow. When challenged about patient care and medical service continuity, the presenter erroneously claimed this was not within the remit of BCM. Conversely, I heard a presentation last year in Singapore on a similar theme at which the entire focus was on keeping the core functions of the hospital running under any situation and this was achieved by engaging the commitment and interest of both the medical and administrative staff. Nurses in particular provided massive input to developing a holistic BCM approach for the hospital.
Applications
When we apply this to the financial world, BCM is not just about keeping the technology infrastructure up and running so that traders can make (or possibly lose) vast sums of money. It is much more about the long-term strategy and survival of the organisation, the application of good management judgment (or commonsense) and the elimination of single points of failure in the process itself, not just in the technology. BCM is integral to proper corporate governance, in that it understands what processes are vital to protect and sets about formulating practical ways to provide that protection. It is true that in many cases part of that protection is related to the recovery of data and restoration of IT services – but that is the means, not the end in itself.
Belatedly this message seems to be getting across to corporate boards, for years bemused by mathematical formulae that they had no chance of understanding. One BCM manager for a global bank (who does not wish to be named) told me recently that suddenly everyone has woken up to BCM. Why can you identify the business impact, plan for mitigating it and train/exercise all stakeholders in dealing with a terrorist attack, but not do the same for a liquidity crisis? The principles are the same, the strategies and potential solutions will be different but they still need the same rigorous practical approach.
A lack of fully embedded BCM might be a contributory cause to the difficulties we now find ourselves in, but perversely some organisations seem to see the solution as a further dilution of the BCM resources. Kenny Seow, a well-known BCM consultant in the Asian financial community, told me: “When I was working for a stock exchange in Asia, getting a meaningful level of commitment to BCM from member stock broking firms always eluded me, no matter what the business conditions were. During the Bull Run, nobody paid any attention to BCM as the priorities were the pursuit of growth and profits. When the downturn came, the focus shifted to cost containment. BCM, classified along with other ‘overheads’, quickly became a casualty of austerity measures”.
Tangible benefits
This reaction is somewhat understandable. BCM is not a tangible commodity, so it can be difficult to understand the full benefits of the concept. To see these benefits you only need to look at examples of poor planning. In the 1993 World Trade Center bombing, out of the 350 enterprises affected, 150 enterprises went out of business. Years later, after 9/11, some large businesses had learned lessons – Morgan Stanley, Cantor Fitzgerald and American Express were able to resume business quickly whilst others failed. However, what is generally forgotten about 9/11 is that of all the companies affected, the vast majority were small businesses relying upon the big name companies’ employees for their trade. It has been reported that of these small businesses, over 70 percent never opened again.
The same anonymous BCM global manager quoted earlier summed up an earlier attitude: “My current company is pretty enlightened in BCM terms but in one of my previous jobs at a large global investment bank, the Head of Treasury once told me not to waste his time on business continuity. Every deal we make is worth hundreds of millions. We could make or break but we know how to manage the risks. So please do not talk to me about business continuity. I know business continuity – when the building falls over, I’ll roll my dice and make a call then!”
In a booming economy it is easy to think that sufficient resources are available to deal with anything that might happen. I don’t think many people assume that they can buy themselves out of trouble any more. When money is tight, you must not create situations in which unplanned large costs might suddenly occur. The best way to insure against that is to introduce proper business continuity, not pseudo-science risk models or the endless paper trails of corporate governance.
