Corporate Responsibility

Writing a short piece highlighting the developments in Business Continuity is a challenge mainly due to the breath of the subject and the varied interests of those involved. Should the article concentrate on the IT and Infrastructure dimension, should it concentrate on issues such as Brand and reputation, the risks in the supply chain or on Turnbull and Corporate Governance. The scope can be huge and therefore a challenge to summarise in what has to be limited space.

You spend ages thinking about the various topics you could cover only to realise after the 3rd rewrite that the problem with the article is very similar to problems faced by companies in coming to terms with this rapidly developing business issue of Business Continuity - the scope and breadth of the subject means defining the starting point is the most important part of the entire process of both Business Continuity and writing this piece.

For some of you reading this you will already be Continuity planners with considerable experience, others, the majority in all likelihood, will be just starting on the road and with this in mind will concentrate on the Big Picture through a brief examination of the commercial drivers behind the development of Business Continuity and what it means for companies today.

Firstly, and to dispel a developing myth Business Continuity is not new, the principles have developed out of many fields which have proven their worth over the years countless times. Often. Continuity Planning and Management is cited as developing from Contingency Planning or Disaster Recovery; some would include other disciplines such as Crisis Communications, but the underlying principles are much simpler. It’s learning from previous experience and, importantly, applying that experience proactively throughout organisations with one aim; to make sure that the organisation is able to continue its core activities no matter what happens.

Over the years we have seen companies suffer in the public eye through the media, some of the causes are natural, attacks from Mother Nature which ahs been affecting much of Europe the Rest of the World causing disruption on a large scale. Others are social, such as the fuel crisis and still more are technological, IT failures or Hacker attacks and some are reputation based (remember Ratners and Perrier?).

The common theme that runs through these events is, for most organisations, that the disruption caused has impacted directly on their capability to conduct “business as usual” and that in many cases the organisation responds reactively to the situation generated often adding to the impact of the initial event. This leads to higher costs and a drop in productivity and even for relatively minor events the costs can mount alarmingly.

Business Continuity is an established practice that reduces this impact and tries to ensure that the organisation is available for business - no matter what.

For a company hit by a major disruption to cope ‘effectively’ what is the better position for the management to be in:

• To react to situations without a plan as they arise?

or

• To have developed and tested a range of planned measures geared to resolve the situation quickly and cost effectively with the least disruption to customers and personnel?

The answer is obvious and in today’s fiercely competitive markets the cost of getting it wrong can be huge, but I prefer to look at this way - the advantage of getting it right can be huge.

In research we have conducted we can show that for companies prepared the effects of similar events (ranging from Floods & Fire to IT failure) the difference in impact can be as much as 90% - so what’s the difference? Planning!

When companies are hit by events we often hear expressions such as ‘unforeseen’ or ‘surprise’, but what does this mean? It means they hoped it wouldn’t happen to them - but it did.

The vast majority of business disruption is caused by foreseeable events and failure to appreciate this single fact is the root cause of much of the commercial losses incurred. If it can happen it will happen, maybe not today, maybe not tomorrow but it will happen.

The difference between losing £1,000,000 and a business completely unaffected can be the development of effective Continuity Planning. As proof of this, in our Continuity and Recovery research, we found that for the average large company a major event occurred every 2.3 years. For those that had tested and maintained plans the figure was closer to 9 years and while numbers alone can be misleading that’s still 2 out of three events AVOIDED completely.

WHY?

Business Continuity is closely linked to professional management and ‘best practice’ principles, organisations that adopt Business Continuity are demonstrating a commitment to their business and customers which entails hoping for the best but also preparing for the worst. Through this process companies have highlighted where the risks for business interruption lie within their operations and taken preventative measures to reduce their risk profile and also ensure that measures are maintained to ensure service can continue during any event.

"53% of companies recover less than 25% of the total losses incurred via Insurance"

It doesn’t have to cost a fortune either the principle benefits can be gained from a Business Impact Analysis (BIA), which should highlight the Business Critical Paths to protect in your organisation. This should be firmly connected with the products, services and revenues of the company not focussed on internal issues that may have little bearing on the financial impact of the event.

What is the point of having protecting your financial records if all your customers have moved to other suppliers to fulfil orders you cannot meet? And recovering customers can be a time consuming and expensive process. Indeed our industry figures show the sales and opportunity cost to be the highest of any, post event.

The impact of business disruption is an important topic at strategic levels within regulators, legislators, investors and companies. Increasingly, failure to demonstrate ‘Risk Awareness’ is a sign of poor management standards. Through the ‘Combined Code’, FTSE companies are now required to demonstrate their Risk Awareness throughout the organisation though imbedded systems, which includes the supply chain, and report on this aspect of their operations in the annual accounts.

With businesses increasing reliance upon technology it is vital that organisations examine their operations to highlight the measures will be effective in reducing or eliminating the potential for disruption or the risks posed as IT disruption causes well over 60% of recovery invocations. Don’t just concentrate on the core Finance Systems, consider the effect of disruption and the revenue earning connections with all the IT and Voice Systems in the organisation. In the last few years we have seen a tremendous growth in the use and importance of E.mail and E.commerce systems and alarmingly these systems are most often not included in the recovery or continuity planning. Perhaps the most overlooked area is Voice Communication with even Call Centres not having effective plans or measures in place in over 75% of sites.