Business Continuity Management (BCM) has changed rapidly in recent years. Today, many BCM programs are a byproduct of enterprise risk management programs or part of customer-driven service level agreements. But BCM is still looking for a place to call home in many organizations, with BCM ownership all over the map. And the changing scope of risks and standards adds complexity, as well. Where will BCM end up? And what is it, really, anyway?
Growth, Change, and Growing Pains In Business Continuity Management
Wed, 05/04/2011 - 10:16am
For several years, the trend has been for BCM to move out of information technology (IT) departments, with IT retaining the IT Disaster Recovery program in most cases. Unfortunately, there also hasn’t been steady progress toward finding a new home for BCM that works for the majority of organizations. According to a 2009 survey by BC Management, it is almost equally likely that BCM will belong to risk management, operations, or a separate BCM program office with equal (or sometimes greater) standing than the traditional risk management department. Forward-thinking CIOs have lobbied for BCM to remain within their organizations as they have seen its profile rise and more board-level interest in BCM.
The major challenges with the migration out of IT include finding the best fit organizationally and the right skills in the personnel charged with running the program. As intuitive as it seems to place the BCM program within risk management, it might not be a good fit. Risk managers generally deal with issues that are high frequency but relatively low severity, such as workers’ compensation and general liability claims.
But where should BCM report? There really is no right or wrong answer. In most cases, continuity risk is best managed by people closest to the risk’s impact. That means the business ultimately should own it. How the program is managed should mirror how the overall company is managed. Organizations with a decentralized management structure that try to manage BCM in a centralized program office will tend to struggle with implementation.
One development over the past several years has been to create standalone BCM program offices. These most commonly reside inside a “shared services” group and report to its leader, who typically reports to a chief operations officer (COO) or president.
“Where” is not the only change BCM has undergone in the past several years. “What” has also expanded to include different types of risks, and programs are becoming more influenced by standards of practice in addition to individual practitioner certifications.
With more high-profile catastrophes occurring, boards of directors have taken the management of these exposures more seriously, including more interest in BCM programs. For example, the trend toward improved pandemic preparedness (which began for many larger companies in 2005) opened the door for BCM programs to expand beyond traditional physical disasters.
Perhaps the most significant change is the rise in the prominence of standards governing what constitutes an acceptable BCM program. There are currently several standards vying to be the one that the most influential organizations coalesce around: NFPA 1600, BS 25999 and a new standard designed by the American Society for Industrial Security (ASIS). As part of U.S. Public Law 110-53, the Department of Homeland Security must select one or more standards that can be designated as the U.S. National Preparedness Standard. While the growing sophistication among the standards and their application will lead to more discussion about what constitutes an acceptable BCM program, if multiple standards remain in use it could create more confusion.
It is an exciting time to be responsible for BCM. When managed properly, BCM is an effective way to reach senior leaders with a new message around the importance of managing risk. The growing influence of standards, both in the U.S. and around the world, opens the door to discuss what kind of BCM program the organization’s leadership wants to have and how it ought to be governed. For example, while the content of NFPA 1600 and BS 25999 is similar, the flow of the documents and the planning model they espouse are very different. Illustrating the differences between these two standards is an effective technique to help senior leaders and the board declare their intentions for the BCM program.
The proposals for creation of a super-regulatory body to oversee all kinds of financial institutions will create additional opportunities for organizations to either benefit or be penalized by their BCM. In the U.S. today, the regulator of federal banks and thrifts (the Federal Financial Institutions Examination Council, or FFIEC) is seen as the “gold standard” of all BCM requirements. As the federal government groups more non-traditional financial service offerings with these long-regulated institutions, it is much more likely that new organizations will be required to comply with these challenging rules than that the existing set of requirements will be watered down to reflect the broader group.
The relationship between BCM and insurance has never been as strong as many outsiders might believe. Even in areas where the connection seems obvious, such as the procurement of business interruption and extra expense insurance, only a small minority of organizations actually use the BCM program to forecast what their losses would look like by reconciling the insurance-minded “probable maximum loss” and “maximum foreseeable loss” with the capabilities of the BCM program. The recent changes have created an opening for more organizations to better align their approach to catastrophic risk, even if there is not currently a tidal wave of momentum for it.
One connection that hasn’t been made as strongly as it may be in the future is not necessarily premium reductions as a result of BCM programs, but insurability at any reasonable price if a higher-risk company does not have a BCM program in place. This is already the case with some high-risk companies with an extremely high incidence of business interruption losses, but as underwriters become more knowledgeable about the differences between effective BCM programs and the paper tigers, they will be able to lower the bar as to what kinds of risks they may require BCM to cover. The movement toward third-party BCM certification, similar to ISO 9001 or ISO 14001 certification, should serve to expedite that trend, since it will give underwriters one more piece of objective data upon which to base their conclusions. Rather than a totally new concept, this could simply appear in the marketplace as an evolution of HPR (highly protected risk).
An additional angle that may be exploited in coming years is the relationship between BCM and Directors’ and Officers’ coverage. As BCM standards become more commonplace, it will be far easier for plaintiffs’ attorneys to demonstrate that the organization owed its stakeholders a specific duty and failed it. This exposure will be more likely if the courts continue to hold Boards of Directors accountable for the specific content of their decisions as opposed to simply reviewing the process used to inform their business judgment.
As BCM standards gain prominence, insureds should also take greater notice of most property insurers’ requirement to mitigate losses. While it isn’t likely that insurers will require insureds to demonstrate BCM program effectiveness as part of ordinary claim activity on typical losses, it is absolutely foreseeable that insurers will become more interested in what BCM elements were used to mitigate large losses and, where BCM programs were not present or were ineffective, will use that fact during claim negotiations. Since the elements of an appropriately designed BCM program are well known, insureds cannot reasonably claim they mitigated a business interruption loss when little or no continuity capabilities were deployed.
The greater the adoption of BCM standards in the marketplace, the more likely they will be used to determine whether insureds met the threshold of commercially reasonable steps to mitigate a loss. If this trend develops, wise insureds would do well to establish with their insurance carriers in advance, during renewal negotiations when their leverage is strongest, the level of BCM program effectiveness that will demonstrate their commitment to be ready to mitigate any losses.
There is no shortage of articles indicating that lack of management support will doom a BCM program to mediocrity, but in most cases the premise of this position is wrong. The reality is that most senior leadership teams will support initiatives that have a strong value proposition. BC program owners over the years who have explained BCM programs as “insurance” have done the program a disservice and in most cases seen their program maturity plateau or even decline. The reason for this is simple: senior leadership does not spend more than it has to on insurance, as we see every year at renewal time. A poor value proposition for the BCM program is one reason it might never be good, let alone world class.
A similar reason for mediocre programs is a compliance mentality. When BCM is seen and managed like compliance rather than as an operational capability, it is almost always seen as a necessary expense to meet a minimum criterion rather than an investment in a resilient operation. Not only do companies generally spend the minimum time and resources on these types of programs needed to comply with the requirement, they often lose sight of the spirit of the requirement altogether and end up “checking the boxes.”
Perhaps the most important difference between good programs and great ones is how focused great programs are on executing during an actual business continuity event. Great programs consider all the stakeholders with roles in responding to an event and provide the panorama of tools necessary to do so effectively. Plans certainly comprise a part of that, but BCM practitioners are wise to remember General Eisenhower’s well-known quotation: “In preparing for battle I have learned that plans are useless, but planning is indispensable.”
General Eisenhower knew what great BCM program managers have learned: more than the plans themselves, it is the learning that happens in the planning process that makes effective execution possible. This goes a long way toward explaining how so many organizations with bookshelves full of plans still struggle to deal with moderately small events as well as they should. Full-time BCM staff and outside consultants can play an extremely helpful role in the development of a BCM program, but if the focus is on building plans or making sure plans have the “right” content rather than on equipping those responsible for ultimately implementing them, it will never produce the desired results.
Business continuity risk is a great example to use with Boards in ERM discussions because board members’ backgrounds are so different that there is no guaranteed common reference point for risk discussions. Unfortunately, there have been enough large-scale crises in the world recently that everyone can relate to something like a major hurricane, terrorist attack or product recall.
Consider the company that has a lot of high-profile operations in a central location. When Boards have a hard time visualizing what we mean by enterprise risks worthy of their attention, it’s common for us to talk about a natural disaster wiping out their entire campus for an extended period of time. They can immediately relate to the business interruption aspects, but we also have the opportunity to bring in all the other consequences of that risk, including new product introduction schedules, reputation hits, impacts to market cap from investors’ visceral rush to get out of what they think might be a sinking ship, etc.
Experienced risk professionals can use these discussions to show how potential risks actually interrelate like a series of dominos. For example, flooding around a key distribution center that could be reasonably mitigated with a non-union labor force or modern equipment can highlight the risks around human capital or freight capabilities. A pandemic in a facility with a high concentration of key personnel will highlight the obvious risk to people and to key processes requiring special skills during a pandemic, but it also shows the weakness or strength of an organization’s day-to-day health and wellness programs, the effectiveness of personal time off policies, and areas where segregation of duties (a type of fraud mitigation in which an organization does not let one person have too much control over a process that involves sensitive issues like money or intellectual property) has gone too far or not far enough.
Another advantage of coupling BCM and ERM is that it can provide a filter for senior leaders to see which risk categories they want to address in ERM. When you can show them that events as different as an executive kidnapping and a major tornado share enough similarities to be included in one category, it can help them fashion other categories as well, so that you are not trying to manage a hundred different enterprise risks individually.
The opposite is also true. You can show how something like a product recall can fit into both a continuity risk category and a product design/reliability category if you wanted to. Since you never know which angles may most appeal to the board, it’s terrific to use a risk everyone has a basic understanding of in the exploratory discussions.