The value placed on organisational resilience is growing. Big business, government, institutions, professionals and insurers each strongly promote it, encouraging uptake of Business Continuity Management (BCM) across all sectors and scales of activity. This makes sense since no organisation wants to inherit the misfortunes of another.
Yet it remains a struggle to convince the myriad organisations that make up the global supply chain to embrace the concept. There are a number of reasons for this, but predominantly it’s down to risk and reward, and many simply see it as not worthwhile. Are they right? How can small and medium-sized organisations ever justify investing against the unthinkable when catastrophes are seemingly so rare?
Beyond basic insurance, the answer to the question is that most believe they can’t. Yet the possibility of extreme disruption is never far away, from cyber-crime to climate change, arson to ash cloud, power blackout to civil unrest. Most see investment in resilience at best as optional and at worst money wasted. They believe reaction will be enough, patching together skills, technology, resources, services and insurance in an optimistic knee-jerk response. This seems acceptable until something big happens, whereupon they’re faced with rebuilding a surprisingly delicate house of cards in a few hours or days as credibility and credit evaporate.
Unsurprisingly, insurers see business continuity as complementary, helping to reduce claims. If an office burns down, they recognise that management needs time to rebuild and protect the firm’s hard-won reputation, time that only comes from preparation and planning. They know that whilst cash plays its part it won’t stop word spreading, it won’t organise people and it won’t buy back defecting customers.
Continuity plans ensure that vital business activities can be restored in time if they are severely disrupted. Let’s say your power supply fails as you enter a critical period. For a time you can cope, but beyond a certain point the business will be permanently affected, with backlogs building and frustrated customers jamming your phone lines potentially for days.
If this scenario leaves you feeling uncomfortable (and depending on the cost), it might make sense to own or hire a generator now and invest time learning in advance how to operate it. You could take things further, avoiding all downtime by installing battery backup and maybe storing spare fuel. Undoubtedly, you’d want to know how to safely resume when mains power is restored, avoiding surges and dips to protect your equipment. And crucially, you’d want written instructions, everything properly maintained and tested and people trained so it works as it should in time of need.
Power loss is just one example but it shows how activity is split into (A) up-front preparation and risk reduction and (B) post-incident response. If you can’t be certain of acceptable recovery with (B) alone, then you invest in (A). It also shows that you have choices over the risks you accept and the amount you spend on mitigation. You can apply the same reasoning for all serious threats to your business. As you do this, you’ll find there are overlaps, and that your responses resolve to a core set of provisions and activities. Collectively, these deal with everything up to and including so-called worst case situations and form the basis of a continuity plan that delivers true risk resilience.
Commitment to risk resilience is often a reflection of senior management’s perception, and unless a major disruption has affected them or someone they know, it has to fight for attention. It’s understandable. As an entrepreneur, if I can’t see percentage points on the bottom line, you have little chance of securing my vote for funding. My appetite for risk-taking acts as an over-ride and I’d rather see the cash invested in productivity or growth, or taken as profit. Ask me to budget for an annual sizeable sum with no apparent return on investment and I’ll politely decline.
However, despite this, my business does have a budget and we do assign resource for continuity. We don’t feel BCM is aimed solely at larger firms or that we’re wasting money because the risks are so low. We own a continuity plan that works and matures alongside the business. So how do we justify this?
In recent months, we’ve bid for several sizeable tenders, from global semiconductor manufacturer to national government, from public transport provider to international insurance company. At the earliest stages of each bid – without exception – we were asked to provide material evidence of business continuity capability as a precursor to any form of presentation or detailed discussion. We don’t get the chance to compete for their business unless we demonstrate a rock-solid defence.
So we implement BCM because commercially, we can’t afford not to. Denial would automatically disqualify us from tenders like these and our commercial budget pays for it, generating a measurable return. BCM contributes to our competitive capability and we use it to help win business. We include a slide about it in every sales presentation and we regularly permit clients to inspect our continuity provisions. Defence has become part of our attack.
Customer demand for continuity and resilience is an irresistible force. This became clear when a client asked us to supply an automated tool to self-assess their thousands of suppliers. They now use it to manage contractual compliance in both information security and business continuity, providing low-cost oversight and intervention. It collects detailed evidence along the way and automatically initiates periodic reviews. Crucially, it requires each supplier to provide assurance that covers their own supply chain, creating a cascade of sound practice.
Maturity is an important dimension of this. The survey tool specifically asks for evidence over time, cross-checking the depth of capability in each area, seeking commitment, certainty and permanence as part of your business proposition. This means you need a track record – evidence that systematic investment takes place, that senior management is bought in, and above all, that what you’ve built actually works and isn’t outdated. This means you need a BCM system or process that continually monitors and improves your capability.
Although there is no standard cost model for continuity, you can gain a sense of what may be required. Factors include scale, complexity, management’s risk appetite and the strength of external demand by regulators, customers and shareholders. For a small office-based business with long delivery times and tolerant customers, the cost can be low, limited to a basic analysis, planning and the commonsense protection of assets, processes and information. For organisations with multiple sites, many lines of business, large volumes of sensitive data and a demanding client base, the undertaking can be significant.
How to contain the cost
Some business continuity software tools can help you to contain this cost in each of the areas above, providing a ready-made start point with a roadmap, a planning framework and built-in guidance. They can accelerate data collection and reduce the time you spend creating a lasting capability. Tools like these are often delivered online so you can access information securely without relying on paper copies.
For the vast majority of smaller organisations, business continuity consultancy and training offers a way of improving their competitive position by investing in sound practice defences. It means that when you bid for business, there’s every chance you will hold a powerful card that others don’t, giving you a greater chance of success. Combine this with the commonsense desire to protect your hard-won assets and business continuity makes sense for even the smallest of enterprises.