The Total Business Metrics Special Interest Group met monthly to help business continuity professionals connect, share challenges and best practices, and improve their work, led by expert business continuity consultant John Robinson.
This was another purposeful and valuable debate, addressing questions raised by attendees, and I’ll briefly summarise my interpretation of what we learned.
We heard about a large organisation that had succeeded in annexing business continuity management (BCM) to the CSR (Corporate Social Responsibility) agenda – a powerful corporate driver, lending BCM presence, traction and influence where previously visibility had been an issue. Similarly, governance is a known, powerful, customer-visible continuity driver, and I’ve seen all manner of alliances like this with varying degrees of success.
The common thread seems to lie in linking BCM to a complementary activity that is well developed and already recognised as a corporate necessity, backed by policy. This allows BCM to inherit the authority, visibility and buy-in that activity enjoys. The fact is, people have a limit on the number of foci they can accommodate, and this approach leaves the demand placed on them unchanged rather than adding to it. This form of success by association could be an important principle, applicable to many organisations, but easier for some than for others.
We moved on to discuss why boards of directors are uncomfortable setting what we consider to be realistic risk appetites: such statements imply they are willing to take risks that perhaps conflict with ‘optimum’ market messages. Yet we heard that in this case customers already sign up to SLAs that amount to quantified risk acceptance.
So maybe we should link business continuity risk appetite to SLAs wherever they exist, and wherever possible ensure that agreements or relationship frameworks express some form of definitive statement that we can reflect in appetite statements. Managing this centrally could even help set tangible aspects of our risk appetite, backed by legal declaration. The intangibles are of course harder to pin down.
As an aside, the likelihood element of continuity risk seems beyond most people’s realistic grasp, and any group we choose will have an inconsistent perception of it – is “one in 10^6” greater or less than “affects one in 10,000 firms in our sector globally”? Do we rate it 4 or 5? We typically adopt weak, unsubstantiated forms of quantification, and attempts at simplicity can be even more misleading. Personally, I downplay risk appetite as a continuity metric and focus on impact tolerance, providing the organisation with a no-frills guide on what it should do or spend.
I will conclude by focusing on an important issue that was also covered in our initial SIG: offering the board the means to engage with BCM in terms they are familiar with, expressing BCM achievement and adequacy using their KPIs, not those we choose to impose. If we can do this quantitatively and periodically, set against investment, then we have the basis for a practical statement of ROI. You can read more about this in my blog for May 2015.
Taking it a step further, we might also choose to express business impact analysis and risk assessment in terms the Board can recognise. Doing this briefly and frequently would let us reflect market and strategic changes in the business, giving a more relevant and altogether more valuable expression of organisational BC status.