Disaster Recovery Journal

Business continuity professionals are often charged with preparing organizations for natural disasters, man-made events and technology failure (commonly known as availability-related risks). As a result, executive managers task the members of our profession with making workplaces, people, technology and equipment/supplies available following disruptive events. Some business continuity professionals tackle issues described as “operational risks”, such as supply chain issues. Interestingly enough, other risks with business continuity implications often remain unaddressed and untreated. These risks often lack the proper coordination in order to mitigate the risk or respond appropriately. But why?

This article is written to suggest a necessary expansion in business continuity expectations – from availability-specific risks and threats to broader operational risks with business continuity implications. To be clear, the ideas offered in this article are not meant to replace viable operational and enterprise risk management efforts, nor does it assume the business continuity professional is the solution to all operation risk. This article also does not advocate the business continuity professional address quality, efficiency and compliance-related risks (to name a few) that do not have business continuity implications. Rather, this article explores the causes as to why business continuity professionals often have limiting boundaries, and identifies possible solutions that increase the value that the business continuity professional provides to his/her organization.

New Threats Influencing Business Continuity
The last few years provided a myriad of unprecedented financial and operational events with significant business continuity implications. These events were far different from the issues traditionally addressed by a business continuity program. Here are just a few examples:

1. Credit Market Restriction – A lack of access to credit, with standards beyond the expected, forced countless organizations to shut down or declare bankruptcy
2. Government Intervention – A significant number of organizations source products from China. Most people that watched the 2008 Olympic summer games in China learned that the government forced manufacturers to stop producing product in order to improve air quality. But this decision had a direct impact on many organizations around the world that depend on product manufactured in China. The result – production interruption and missed expectations.
3. Commodities Supply and Pricing – In 2007 and 2008, businesses experienced unprecedented stress caused by commodities shortages. The global supply of oil was the most visible and gut-wrenching example of a commodity shortage – as was the associated market reaction. Another more unknown example was the global shortage of potassium acetate, a key ingredient in aircraft de-icing fluid. A mining strike threatened aircraft operations in much of the northern hemisphere in the early part of 2009.
4. Supplier Failure Due a Competitor’s Financial Distress – Nissan recently announced that 350 of its suppliers in the U.S. also supply GM, Chrysler and Ford. Toyota and Honda had the same issue and as a result, suspended some of their just-in-time practices in order to bolster the financial position of these suppliers and avoid a supply chain catastrophe. This story continues to play out, and demonstrates the fragile nature of many supply chains and how competitors are often interdependent.
5. Supply Chain Quality – The accused actions of Peanut Corporation of America (PCA) not only resulted in widespread death and injury, but it also called into question the reputation of a number of major consumer product brand names that purchased peanut paste from PCA. The failure of supplier and product quality assurance processes present catastrophic reputational risk to any organization in any industry.
6. Nationalization – On May 1, 2006, Bolivian leader Evo Morales announced plans to nationalize the country’s natural gas industry. Foreign-based companies were given six months to renegotiate their existing contracts or exit the market. In the past two years, Venezuela’s Hugo Chavez nationalized businesses including the country’s biggest telephone, electricity and steel companies.
7. Workforce Characteristics – A large number of organizations are finding it difficult to replace retiring members of an aging workforce. In some cases, the skills replied upon for decades no longer exist. In other situations, replacement staff are no longer seeking long-term careers and instead prefer a diverse array of experiences. As a result, training and retention programs introduce unexpected costs.
8. Patent Protection – Branded pharmaceutical companies are financially affected when key products are no longer covered by patent protection. In January 2009, Pfizer, already concerned about Lipitor which loses patent protection in 2011, announced a merger with Wyeth. Analysts comment that the number one reason was the strength of Wyeth’s product pipeline and R&D capabilities.
9. Political Perception – Imagine being in a relatively booming industry and then being cast as a manufacturer of the No. 1 symbol of corporate excess – business jets. How should your organization react when orders are cancelled and your product is viewed as expendable?

These examples highlight situations and events that go far beyond the scope of most business continuity programs. Some are difficult to predict, most are difficult to respond to. However, the business continuity professionals’ skills could be of great value in addressing the business risks associated with each challenge.

Why haven’t business continuity professionals considered or become involved in coordinating risk treatments specific to these type of issues – especially when no one else has taken a leadership role in managing the risk associated with these events?

Beyond Availability Risks
When evaluating operational risks, even those with business continuity implications (such as those above), many business continuity professionals automatically look to others for leadership. There are a number of reasons why the business continuity profession often focuses exclusively on facilities, people and technology availability. Let’s look at three primary causes of why business continuity professionals often avoid operational risks with business continuity implications.

Initiative and Inertia
“We’ve planned for business continuity like this for years. I have 20 years of experience and no one has complained so far.”
Unfortunately, many business continuity programs avoid many of the growing number of complex business risks facing their organizations daily. Many business continuity professionals fail to challenge themselves to identify better ways of adding value to their organizations by working on more challenging, unique risks. Many avoid thinking outside the box by not asking tough expectations-oriented questions of their executive sponsors. Others fail to ask probing questions of their peers in other organizations, with the objective of identifying sustainable, cost-effective and cutting-edge ideas to add business value.

“But that’s why we have an ERM program, they should identify these issues.”

Perhaps, but do these programs have the dedicated staff with deep risk analysis and control-based assessment experience? Some do, but many are involved in ERM as a part-time assignment. Additionally, many such programs identify business risk at a high level and then charter projects to explore issues more deeply. Unfortunately, ERM also views business continuity planning like many practitioners – focused on reactive strategies, addressing the huge natural disaster, fire or technology disruption.

It’s true that many business continuity professionals currently lack many of the skills necessary to fully analyze how financial issues, for example, could impact continuity. These same people also fail to fully understand the business’ strategy and approach to growing product or service delivery. And that’s ok! A key strength of successful business continuity professionals is their ability to facilitate a group of people toward a solution to mitigate risk to an acceptable level. It’s neither realistic, nor expected, to have an all-knowing business continuity program staff.

Management Expectations
“Our program was founded based on a regulatory mandate. That mandate said to address events ‘such as natural disasters, technological failures, human error, or terrorism.’ We do that and have received positive feedback from the regulators.”

Unfortunately, regulatory demands are often treated by many organizations as the definitive end goal, not the means to creating a business-aligned program that adds value to internal and external stakeholders. Unfortunately, many business executives are so busy that they often fail to see or ignore significant business continuity risks that have nothing to do with storms, terrorism or a data center fire. To their credit however they often object to business continuity professionals that fail to deliver assessment findings or structure recommendations based on business risk.

Training and Experience
“I was a former systems administrator that’s been focused on business continuity for only two years. How can I be expected to understand credit and liquidity issues and their effect on business continuity?”

Read. Attend the right conferences or training. Take a class. Talk to the appropriate business professionals in your organization. But most importantly, don’t make the assumption you need to be an expert. Rather, you need to know where to go for information, and you need to excel at building and leading teams of professionals than can contribute to the solution.

Solutions
Aligning your business continuity program better with risk management imperatives is not difficult. This article already introduced many of the keys to success. But to recap, three key activities are required to move your organization closer to excelling at managing business continuity risk.

Seek Input - Ask for input from your executive sponsors. This input should cover risk tolerance, areas of concern and unknowns. Discussions on risk perception, business strategy and trends should also become key aspects of moving beyond the traditional focus on natural disasters, fires and data corruption. It’s important to plan for these threats, but also ask your executive management team about other financial and operational risks that may not be receiving focused attention. Ask for their support and the involvement of representatives from select competencies throughout the organization. Offer to lead a more dynamic business continuity program.

Learn - Skip the “How to Perform a BIA” breakout session and other monthly association meetings that may not be meeting your expectations. Instead, pick up the phone and talk to other professionals that are:

• Engaging with their executive management teams;

• Taking a leadership role in strategic, enterprise risk management; and

• Contributing to solutions that address financial and operational risk.

Conferences can offer value, but also use the time to network and build relationships that can enable your program to add business value.

1. Get Engaged and Build - Get outside your comfort zone – move beyond executing methodology and begin learning the business, break down organizational barriers that get in the way of understanding all aspects of business continuity risk, get involved by building teams to address business continuity risk, and lead them toward a solution. Leverage your executive sponsor’s mandate and motivate people to contribute.

By executing these activities, your organization will quietly, and in a cost-effective manner, implement an organizational early warning system. This process – a process not based on technology or archaic methodology – must be grounded in communication and interaction amongst professionals that understand the organization and the environment in which it operates.

Again, the business continuity professional is not the sole source of the risk input or solutions. Instead, the business continuity professional can be a coordinator and a voice of the team to executive management.

More Information
The American National Standards Institute (ANSI) recently approved a new standard, ASIS SPC.1-2009, which outlines requirements and guidance for organizational resilience. This standard defines an organizational resilience management system as a “systematic and coordinated activities and practices through which an organization manages its operational risks, and the associated potential threats and impacts therein.”

This new standard is designed to offer a management system-approach to proactively address operational risk and define strategies to mitigate potential causes and enable resiliency where needed. It also establishes a link with the more reactive element of business continuity due to the recognition that risk mitigation and resiliency is not always achievable.

It is this author’s contention that the existence of this new standard supports the premise that leading organizations are becoming more attuned to proactively addressing a broad range of operational risks through defined processes, and business continuity professionals are positioned to partner with other risk management professionals to perform a value-added role, leveraging their collective body of experiences and organizational knowledge.

Consider downloading a copy of this standard (www.asis.org) and review the process recommendations that you may employ in your organization to address a broad range of operational risks with business continuity implications.

Conclusions
Become more value-added by rethinking your program’s boundaries and your contributions to business continuity management. Expand beyond traditional availability risks and begin to affect change by coordinating risk mitigation strategies and/or responses to a broader series of operational risks with business continuity implications.

Is this ERM, with a focus on business continuity-specific risks?

Somewhat. The concepts and ideas offered in this article highlight some of the key tasks and activities found in a successful ERM program. But by leveraging these key success factors and combining them with experience mitigating traditional business continuity risks, the results are much more strategic and value-added.

As a result, if your organization executes an ERM program, get involved and drive analysis and risk treatment activities. If your organization does not employ such a program, consider adopting some of the program characteristics and take a risk treatment leadership role.

It would be a true statement to say that it’s impossible to identify every possible threat with business continuity implications. It’s also true that you won’t be able to fix everything.

Reflecting on a number of the financial services firms that no longer exist, it’s obvious that a business continuity professional cannot offset mismanagement or run contrary to an extreme risk-taking culture.

However, if your organization is rethinking risk management and looking for fresh, value-added approaches, offer to participate in, coordinate and/or lead the effort. Build a team of professionals that may serve as your organization’s early warning system by digesting the myriad of threats in today’s business environment and analyzing how they may affect your organization and the execution of its unique business strategy.

Brian Zawada, MBCP, PMP, is the director of consulting services for Avalution Consulting, a firm specializing in event risk management and business continuity solution design, development, implementation and long-term maintenance. Zawada has actively managed internal business continuity programs and consulted with his business continuity clients for more than 13 years.