Jeffrey M. Dato, MBCP
Vice President, Risk Management and Corporate Real Estate
Pinnacle Airlines Corporation
Congratulations! By reading this, you are taking the first step along the journey to better understanding of how an effective business continuity program can affect (directly or indirectly) who you (as a company) are, how and with whom you do business, and which strategic direction to follow in order to minimize downside exposure to operational and reputational risk.
The recent SEC ruling requiring companies to document risk management issues with their proxy statement underscores the scrutiny offices and directors are under with regards to managing their business in a prudent manner. That venue is an excellent opportunity to showcase the lengths your organization is going to ensure operational resiliency and how you value all stakeholders when considering strategic decisions. Your resiliency vehicle, business continuity management (BCM), is just one component of managing enterprise risk, typically tied to an enterprise risk management (ERM) program. As with ERM, linking BCM to your corporate mission statement – who you say you are – can go a long way to ensure you are focused on meeting the expectations of your stakeholders no matter what unplanned mayhem may occur.
Historically, many executives have dismissed business continuity as another form of insurance. Do not be misguided. Insurance just replaces the financial losses incurred – not your business. As an officer or director, you are in a position of trust and obligated by the Uniform Commercial Code (“Prudent Man Rule”) and common law to manage the business to the best of your ability – which includes the consideration of risk (upside and downside) in all financial, operational and strategic decisions. This concept extends to all stakeholders – investors/shareholders, employees, business partners (customers and suppliers), etc. – who will remind you of your obligations and commitments at time of crisis.
Using the recent oil spill in the Gulf of Mexico as example, imagine your organization facing similar public outrage. How about the media frenzy surrounding the former energy giant in Houston or, more recently, New York-based global insurance, brokerage and banking conglomerates now only former shadows of themselves? There are multiple other examples where ill-prepared companies were not able to meet customer obligations due to key suppliers experiencing unplanned operational failure. In the end, the customer will not care if you chose to outsource a key component or process – it is your product, it was promised to be delivered on time, and it is impacting their reputation and financials. No excuses will be accepted and your company’s (and, likely, individual) reputation will be tarnished for the foreseeable future.
Unfortunately, in the aftermath, you will have a lot of time to ponder whether it was worth the cost savings realized by not implementing a proper business continuity program. No one wants their company to be the case study cited in either business schools or articles like this one. Studies have proven the value of being prepared. Take, for example, an independent study conducted by Oxford University where they analyzed the share price (post-impact) of organizations who faced a crisis. Results showed that those who responded well experienced a 5 percent increase in share price as compared with a 15 percent decrease by those who did not. A 20 percent return on investment variance is real money.
A well-designed and oft-exercised business continuity program encompases a wide array of processes, including Incident response, crisis management, business resumption, and IT disaster recovery. These components work hand-in-hand with your other ERM and risk management processes, including areas like insurance and occupational health and safety. Used appropriately, these processes can help to maintain your business, integrity and reputation while in the eye of a storm. While business continuity may not be the magic elixir to bulletproof your organization, the concept of managing risk effectively does apply.
What does this all mean to you? Take it seriously. Today. Read the articles included herein. Ask questions of your risk and business continuity groups. Listen to their answers and respond accordingly. Be prepared. The era of “It won’t happen to us” is forever gone. Sometime, somewhere – “it” can happen and “it” will. Godspeed.