Issue Archive: November/December 2005

The Impact of Corporate Culture on Continuity

Corporate culture has a direct influence on the success of a continuity program. Culture impacts strategy design, maturity modeling, risk tolerance, continuity solutions, and tactical implementation. Each organization's culture is unique, which requires
unique solutions with unique methods of execution. Culture determines how decisions are made and carried out. C-level executives are the "stewards" of an organization's culture. This article will define "corporate culture" and subsequently explore commonly accepted culture characteristics  to understand how culture impacts a continuity program.
We will cover the most important considerations when Designing and implementing business continuity solutions. This article will also explore proven practices to take culture into account in order to increase the likelihood of program success. Note that the term corporate cultureis applicable to profit, not-for-profit, and governmental entities.

What is Corporate Culture?

So what is corporate culture and how does it affect program success? Corporate culture is the personality, philosophy, attitude, values, and behaviors that define an organization's style, policies, and working environment. Although it may be difficult to describe an organization's corporate culture, the issues to which management pays attention, how decisions are made, and the rewards accorded for success are often the strongest indicators. Because culture is an important consideration when developing solutions that will lead to change, some basic questions can be asked to help define a corporate culture, including:

1. What three things does the organization value most?
2. What 10 words would you use to describe your organization?
3. What's important thereat Company X?
4. How do employees get promoted and what behaviors get rewarded?
5. How does someone fit in here?
6. Do executive managers take risks?
7. How are decisions made and then communicated to enlist action?

Culture's Effect on Business Continuity

A recent client experience demonstrated the importance of addressing corporate culture. The client's management team emphasized that the organization valued its employees above all else. Management focused on making certain that employees knew exactly what to do and where they needed to be in a crisis. In management's opinion, the business continuity program had to give assurance to all personnel that their jobs would be safe in the event of a crisis. Less important to management was the creation of formal procedures to recover business functions and pre- positioned resources at recovery locations. The bottom-line is this: as an employee-centric organization, their corporate culture drove the emphasis the business continuity plan
placed on employee feelings and perceptions (and by the way, they hated the words "corporate" and "employees").
On Day One of our project, it was apparent that the company had a unique culture-something that had to be a cornerstone of any proposed solution. All experienced professionals would argue that every organization is unique and must be handled differently. "Out-of-the-box" solutions rarely survive, and the first step in customizing any best-practice or common approach is looking at the way the organization operates. In other words, culture is key. It can also be argued that all successful professionals take into account culture-formally or informally-when developing solutions to address availability risk. We must accept culture as it is, or we will never be a champion of change. Acceptance does not mean we cannot influence cultural change, for surely we must, or our program will fall well short of management-defined objectives. Based on the 10 commonly accepted culture characteristics detailed in the sidebar on page 34, it's hard to find elements that have little to no impact on business continuity program success. However, three of these culture characteristics truly have a direct impact on business continuity planning success: (1) risk tolerance, (2) direction, and (3) control. And each of these should be taken into account early in the design of a business continuity program in order to increase the likelihood of program success.

Risk Tolerance-Emphasis on Risk Management

Business continuity is a core risk management process. Although more and more organizations deploy business continuity strategies, the majority still do not have workable solutions. Why? Business leaders often fail to become directly involved in managing risk in order to reach a competitive advantage. This may be caused by a number of factors, such as a business history without continuity events, or simply a high risk tolerance. Many managers encourage risk taking, but do not equally focus on risk mitigation. But a shift is occurring. Today's business environment, with a renewed focus on corporate governance and risk management in general, is leading to experimentation with risk mitigation activities, ranging from more robust internal audit plans to business continuity and enterprisewide risk management processes. Overall, organizations that view risk management as more than insurance often have more robust, mature business continuity programs.We have worked with a number of banks in developing very robust business continuity programs. In each case, the (initial) primary driver was regulatory demands. Eventually, each program took on a life of its own, often driven by business leaders or internal professionals asked to manage the effort. In most cases, the projects also began in the information technology department, but in all cases, management eventually realized that availability
risk extends beyond the data center. In this industry, risk management is becoming a common cultural element and one that continues to evolve toward robust, mature processes.

Direction-Performance Expectations

A common question asked during the development of business continuity processes concerns the existence of service level agreements (SLAs). SLAs are the most defined level of performance expectation, and they are not reserved for a supplier/customer relationship. SLAs are becoming more common as an internal driver of performance. When SLAs are defined and aggressive, the organization has a performance benchmark because the existence of an SLA often is tied to a critical business element-and there are incentives to perform. Where the performance benchmarks exist, managers and business continuity professionals no longer have to guess in terms of recovery objectives. Overall, organizations withthe discipline to develop and document SLAs often focus on mitigating availability risk; therefore business continuity solutions are more common. For example, outsourced call centers often employ SLAs with their clients. Common metrics include customer wait times, dropped calls, or unanswered calls. Business continuity strategies that focus on communications and technology redundancy, as well as customer service representative separation, can be developed based on these metrics.

Control-Management of Employee Behavior

Controlling and affecting organizational behavior through governance structures, regulatory requirements, contractual measures, performance metrics, policies/procedures, and audits/assessments are the most ommonandstrongestbusiness continuity drivers. A primary cultural element that should be explored early  in a business continuity project is how  management sets the risk  management agenda and controlsemployee behavior through compliance structures. Related to this, the process to manage day-to-day business continuity activities is a critical element. Some organizations choose to manage and execute key tasks centrally, whereas others do so in a decentralized manner. This is a classic example of how culture (specifically the control element) affects business continuity program design. In nearly every business continuity program development project, one of the first activities is designing the program governance structure, which usually takes the form of a policy or initiative statement. Some organizations prefer a detailed policy to outline roles and responsibilities, whereas others prefer a high-level document just to set the tone. Regardless, the policy or initiative statement is critically important because it drives long-term behavior, particularlyrecurringbehavior beyond the initial project. Remember that your culture will determine successful behavior, so make sure your continuity program is within thealignment of your culture.

Taking into Account Corporate Culture

While serving as the "business continuity champion" for two Fortune 500 companies, the importance of taking culture into account became clear. One company was created as a start-up only two years earlier. The other company's culture was formed
nearly 80 years earlier, but experienced recent changes in C-level management. The companies' cultures were diametrically opposed to each other. What worked in one culture did not work in the other. What was surprising is that both companies were successful in almost every area of business-their cultures worked for them. What the business continuity team designed as an enterprise continuity program in the first culture surely would not be successful in the second culture without some adjustments. Almost everything about strategy, implemen- tation, and measurable matrices had to be modified. Becauseanunderstandingof corporate culture is key to developing, implementing,andmaintaining workable solutions, how does a business continuity professional  develop this understanding?  AskBeyond the seven general questions above, other issues may  include:

• Drivers- Ask what's driving the program, what led to the initial program development effort and what will keep it well maintained over the long run.
• Policy characteristics- Discuss how the organization documents and communicates the key characteristics of its risk management and other business processes.
• Metrics- Evaluate what drives employee performance, in other words, what incentives are in place to enable employees to focus on key initiatives such as business continuity (and what penalties exist as well).
• Solutions characteristics- Even early in the program lifecycle, asking initial questions regarding business continuity solution characteristics and the program's end- state can provide insight into the organization's culture.
• Risk appetite- Ask about risk mitigationorriskacceptance behaviors exhibited by the executive management team, and how risks are managed with suppliers and key business partners.

Observe

Although questions can beimportant,observationscanbe equally, if not more, important. What's said, and what's not said, during steering committee meetings, general data-gathering sessions, and business impact analysis interviews can shed tremendous light on the organization's culture and drivers. Pay attention to what works and what does not work within your culture and you'll be surprised by what you learn. Look around and listen to all the things people want to do within your company. Pay extremely close attention to those projects, initiatives, and ideas that are being accepted and implemented and find out why. Clues will begin to surface as to how to leverage and align your continuity program with what really matters to the company. Leverage your  corporate culture for greater impact. 

Evaluate

Discussing the way the organization employs, manages, and supports other risk management processes, to include insurance, internal audit, and other key control areas can help in understanding risk tolerance. Understanding how the various risk management disciplines interact is also an important indicator of how well the organization integrates to tackle a problem. For example, do insurance and environmental, health and safety professionals (EHS) work together to mitigate risk and minimize exposure?

Conclusions

Corporate culture has a direct effect on nearly all business functions, and business continuity is not an  exception. Since a how-to guide does not exist for business continuity solution design, and because each organization's program is unique, culture is a key element that drives customizationandeventually programsuccess.Asbusiness continuity professionals, we must work to understand key aspects of the rganization's culture,learn to identify the most important components of that culture, and learn  to leverage maturity design, tactical implementation,andlong-term maintenance strategy for greater success.