"Coping with Disruption" is the first in a series of guest blogs to discuss disruptive innovation in the run up to our Convergence Summit on the 7th November. We start our series with a piece on Business Continuity Management by John Sharp, Principal Consultant of Kiln House Associates Ltd and one of our seminar speakers:
COPING WITH DISRUPTION
We live in a world of uncertainty and increased threat levels. In recent years the UK has been subject to major incidents that included civil unrest, severe winter weather, flooding, drought and public sector strikes. Supply chains have been disrupted by earthquakes, tsunami, radiological contamination and flooding. Ongoing threats can come from climate change, terrorism, disease and computer hacking. Today businesses, voluntary groups and the public sector are under increasing threat of disruption which impacts upon their ability to deliver services and products. In a complex society such as ours, where interdependence between organisations is high, it is essential that key players have the ability to maintain continuity of operations at all times.
The effects of a disaster are real; research from AXA Insurance finds that almost one in five small to medium-sized firms had been hit by a disaster in a 12-month period. For those who are not prepared, failure waits. The research shows that one in 12 of the companies suffering a disaster said it took them more than six months before they were up and running again, and it took one in 20 of them more than a year to get their businesses back on track. Many failed. In the UK major organisations, whether public or private, rely heavily upon the ability of SMEs to service their needs, so it is essential that they too can survive business disruptions.
This is where Business Continuity Management (BCM) can help. It was developed in the 1980s as a new way of managing business risks, viewing the continuation of business functionality in all circumstances as the key responsibility of company directors. It grew out of the requirements to provide disaster recovery for information systems. In general, disaster and emergency plans are written on the basis of recovery after an event. During the last 30 years BCM has developed to incorporate crisis and risk management. It is now concerned with all assets of the organisation, both tangible and intangible. It seeks to protect the reputation and image of the organisation as much as the physical and technological infrastructures and its employees.
BCM takes a holistic approach to organisations, which goes beyond recovery from a disaster, to establish a culture that seeks to prevent failure and crisis. Business Continuity is about identifying that things are beginning to go wrong and taking planned and rehearsed steps to protect the business and its stakeholders. It is about co-ordinating and integrating across all departments and presenting a confident image to the outside world. The basic principles that were established in the 1980s still hold. What has changed is that BCM is now used across a broader scope of business activities.
The new international standard for BCM (ISO 22301), published in 2012, defines Business Continuity Management as a ‘holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities’.
Examination of the causes of most major disasters has found that several incidents or circumstances combine to lead to the eventual disaster. BCM is about prevention, not cure; it helps to identify existing weaknesses in systems. It is about being able to deal with incidents as and when they occur, thus preventing a crisis and subsequent disaster.
BCM is applied to key services, their supporting critical activities and resources and any single points of failure. It identifies the impact of failure on the organisation and the likelihood (risk) of disruptions occurring. The most important question that is applied in BCM is ‘What if?’ What if key staff are not available, suppliers fail, systems and plant break down or buildings become inaccessible?
Having gone through this process, BCM strategies and plans can be established to ensure an organisation can respond to any disruption. But the process does not stop at the planning stage. Plans are worthless unless they are exercised. In the UK, research by the Chartered Management Institute in 2013 shows that 61% of those organisations with plans exercised them on an annual basis. The exercising of plans is essential. There is not a plan created which will work first time; exercising ensures that disconnections and omissions within the plan are fixed before it is used in reality and that the staff involved rehearse their roles. Plans must be kept up to date as the organisation changes. External environments and influences are constantly in a state of flux and so the BCM process, to be valid, must continue to evolve throughout the life of the organisation.
Many accept that BCM is of value but have yet to ‘get around’ to implementing it. Some managers claim it is not essential: ‘disasters never happen to us’. External drivers are increasing, however, and organisations will be forced to provide evidence of their BCM capabilities in future. The UK Civil Contingencies Act requires local authorities and emergency services to implement BCM. Financial regulators expect organisations to have effective BCM in place for the protection of customers and the community, and international pharmaceutical regulators are demanding BCM in certain areas.
Insurance companies will have an increasing influence. It is not the physical loss that causes the greatest pain for any organisation but the loss of customers and cash flow. Business interruption insurance is seen as a way of covering the revenue lost whilst the facilities are rebuilt. Insurers will have greater confidence in the directors’ ability to rebuild, and hence be more inclined to provide adequate cover, if they can see evidence that effective BCM is in place.
Just as major customers have insisted that their suppliers have quality and project management processes in place, they are now demanding that BCM be established to ensure continuity of supply. This is driven not only by their need to achieve compliance with regulations and the law, but also by the need to maintain their market share. The public sector has a key role in driving BCM down the supply chain. In England and Wales the public sector makes up 40% of expenditure; in Scotland this increases to 50%. The Civil Contingencies Act places the responsibility on the public sector to ensure they deliver vital services to the community at the time of disruption. If they are dependent on key suppliers/partners they must ensure the suppliers have effective BCM in place.
Each major crisis raises the awareness of organisations to their vulnerability. Organisations have become more exposed to threats, both internal and external. The adoption of lean supply chains, JIT supply and flatter organisations has removed the resilience essential to absorb failures. The focus on failure by the media and protest groups exposes and exploits any weakness or mistake very quickly to the wider world. Investors and funding bodies are looking closely at the performance of boards, and regulation is forcing organisations to introduce better risk management.
The publication by the International Standards Organisation of the new standard for BCM (ISO 22301) last year sets out the basis for a uniform approach across all sectors of this important discipline. Only 7% of responders to the 2013 Chartered Management Institute survey stated that they will use the new standard to assist their BCM activities; a high percentage of organisations stating they have BCM in place do not use any standard as their benchmark.
Aware of their vulnerabilities, the major organisations have made use of BCM to build greater resilience into their operations. But BCM is not just the preserve of the large multinational companies and government departments; it is also of value to any organisation, private, public or voluntary, but many of these organisations need help to understand and implement BCM. The British Standards Institution (BSi) has published a step-by-step guide to assist smaller organisations establish effective BCM. The Route Map to Business Continuity Management (ISBN 978 0 580 74341 2) is based on ISO 22301.
As recent incidents around the world have demonstrated, it is not possible to predict events that can seriously affect an organisation’s ability to maintain continuity of business. Because the unexpected will always occur there is a clear need to protect organisations by forward planning. Business Continuity Management is seen as a vital tool to help in this process and organisations have a duty to the community and their stakeholders to implement the process.
Kiln House Associates Ltd