On October 18, 2008, Dr. Thomas Phelan and the Elmira College graduate class in Emergency-Disaster Preparedness Management conducted a telephone interview with David Kaye, FCII, FBCI, MIRM, FRSA, co-author (with Julia Graham) of “A Risk Management Approach to Business Continuity: Aligning Business Continuity With Corporate Governance.” Sadly, Mr. Kaye, who was well respected in his field, passed away some time after the interview.
At the time of the interview, Mr. Kaye was working on another book, in which he planned to bring together the functions of risk management, business continuity management, and a host of other areas of management which he felt were greatly interrelated. Risks, according to Kaye, don’t fall neatly into various departments, thus the need for bringing various departments together and integrating risk management and business continuity. As the business world is rapidly changing, the field of business continuity is evolving as well. There are now so many factors affecting the resiliency of an organization, so many important things that an organization must depend upon, that Kaye expressed concern that many organizations would be out of date.
Mr. Kaye told us a little about his background. He began his journey into the field of business continuity as a CEO in a multi-national financial services insurance business. In 1993, his world-wide office experienced the first of a number of varied disasters including bombings, floods, and several murders and suicides, and he was asked to lead a recovery team. He found himself in a real-life crisis without a plan. Over time, he brought together people who were involved with all aspects of multi-national risks, who represented a whole range of risk functions, and who reported directly to him.
We wondered whether Mr. Kaye always practiced the philosophy of having back-ups two- or three-deep behind him. “Yes,” he replied, “I always took the view that if I had done my job properly, they did not need me during the disaster. Organizations should be self-sufficient during a disaster.”
We then asked Mr. Kaye what he thought of tools for virtual emergency operations centers. He responded that he worried about [the reliability of] technology in disaster situations. We can do anything, he said, with software design, and we’ll use it as our first layer. But there’s nothing like having some older technology built into a plan. For example, it is still useful to incorporate a staff notification plan which involves having the staff call in and get a recorded message. He feels most comfortable when there is also a non-technology option because the technology itself could fail as part of the disaster; there are a whole range of things that could take out the recovery technology during a disaster. According to Kaye, we pretend we can be ready for anything that could possibly happen, but that is a dream. When we look back at the most damaging events (the World Trade Center, the tsunami, and so forth), we find that none of those scenarios were built into the planning at the time.
One of the first lessons Kaye learned is that insurance is not a panacea for risk management. Sometimes we think insurance can take care of everything, but we must remember that insurance is a financial risk instrument. While insurance is very valuable, it is the non-financial dependencies which hurt us. Most companies can soak up several financial hits without being destroyed, but if a company has lost its database, for example, the insurer can only reimburse for the cost of rebuilding the database, not the information itself. Insurance companies give you money – they can’t do it any other way. Since the most destructive damage comes from non-financial risks, we asked Mr. Kaye about some of the non-financial risks at hand. According to Kaye, a company’s important (non-financial) assets/needs are many, and include: 1) the ability to deliver on promises sufficiently and on time; 2) the need to continue to supply support to stakeholders; stakeholders include customers, regulators, suppliers, investors, the board, bankers, and even competitors; 3) a concern for our brand and reputation, and the legalities (for example, environmental and statutory law) during a disaster and recovery, as always; and 4) the mechanisms which will enable us to remain in control of our organization: a concern with palliative cash flow, our ability to communicate with stakeholders, and the intellectual aspects of our business. One important point to remember is that a disaster for one company is an opportunity for a competitor. And, because times have changed, competitors can act very quickly to take your business. Whereas in the past they needed time to build larger facilities, hire and train new employees, and so forth, all they need to do now to compete very quickly is sign a few outsourcing contracts.
The question was asked, how can we (as employees) convince a reluctant company to invest in a business continuity program? Kaye pointed out that risk management and business continuity management is not technically difficult. The human dimension, the interpersonal skills dimension is difficult. It is hard to convince someone to invest resources in something that may not happen. Embedded within an organization’s risk culture we need: (1) a clear, realistic, consistent, documented plan; (2) someone at board level to be a risk czar, someone you can work with who will ensure that your priorities and deadlines are met, who can create a group-wide endemic risk responsibility; (3) to ensure (at the main board level) that risk disciplines are integral to routine governance, and not just bolted on; we need to know how much we can spend without board approval; (4) to be concerned with soft issues – a risk manager needs to be respected by the board as a business strategist; a risk manager should not call turkey too often, or the board will turn away emotionally; (5) to work with auditors and an external audit committee on the state of risk in the organization; (6) to recognize that there is a legal issue involved at this point: once the board has been formally advised of the risks, they no longer have the option to do nothing – they must accept the risk, do something about the risk; (7) to focus on just those things the organization needs to survive; use the board’s own language and you’ll keep them with you. According to Kaye, the risk analysis should not be a desperately long list – it’s unachievable and the board’s eyes will just glaze over.
As businesses, we have supply dependencies; therefore, an important aspect in the field of business continuity and risk management is supply chain risk management. Often to demonstrate the principle of supply chain risk, Kaye refers to a photograph of a cat walking past a line of police dogs. According to Kaye, that cat hasn’t the slightest interest in which of those dogs is going to tear out its throat; the cat’s concern is in maintaining his lifestyle by keeping his throat intact. Though Kaye had seen a number of books on the logistics of supply chain management, he felt that with the increased dependency on the external supply chain (during disaster and recovery), that supply chain management should be viewed as a strategic issue. We need to get risk management in the design of our business relationships. We need to inquire, and be sure that our suppliers have business continuity management which will enable those suppliers to survive, so they can help our business survive. We can’t sign the contract first, and then try to pull in the risk management concerns; the damage has been done. We need to get the supplier involved before the contract has been signed.
We asked Mr. Kaye how he anticipated the legislative environment would change as a result of the current financial crisis. He said that, to a degree, we are in uncharted water. The first step, he said, is to determine which players got us into this situation. We need to focus on such players and factors as arrogant and greedy bankers, corporate bonus systems, short-term results on long-term loans, regulators who are merely ascertaining that procedures have taken place and not on whether good decisions were made, the interdependence among banks, stock exchangers who have lost sight of their proper role, and so forth. Now that we’ve had the disaster we need to measure the costs and bring the ship back. But we don’t want to return to the “norm” because that’s where we got in trouble in the first place. We asked Mr. Kaye what he was hearing from business continuity and risk planners about their role in the financial crisis. He said he has heard very little that is meaningful, but it’s not their fault. We have raised our expectations of business continuity managers, to assume that the business will never fail. That’s an unrealistic expectation of their job, since they operate in a world of operational risk.
We asked if Mr. Kaye could point out any major differences in business continuity management planning between the U.K. and the U.S. His perception was that statutory requirements in America focus on technology continuity, rather than on business continuity.
Finally, commenting on what he felt is often forgotten, Kaye pointed out that the skills and resources of business continuity planners are massively valuable in many different types of situations. In a host of unexpected incidents and situations (natural disaster, crime, fraud, and more), a business continuity planner could be invaluable in carefully structuring a response before we go crashing in to address the problem.
Carol Lenhart, Ph.D., is assistant professor of criminal justice at Elmira College. She counts emergency-disaster preparedness and risk management among her many interests, and will be teaching a new course on disasters and crime.