Mention Business Continuity to many managers in small and
medium-sized enterprises (SMEs) and you may get a look of incomprehension.
Some still don’t know what it means, others vaguely relate it to
disaster recovery and even those that have heard of it may see no
relevance to themselves.
Those of us who are full-time BCM professionals must share the
blame; we have not really got our message across to many people
outside the big global corporates. I am sure that I am not alone
in dreading the inevitable question at a party or social
gathering “What line of work are you in?” Do I say “Business
Continuity” and spend the next 30 minutes explaining and maybe
boring my fellow guest or do I vaguely state “Management
Consultancy” or something similar which keeps them happy? I know
many of our more evangelical believers in BCM take the first
option and hence don’t get invited to many parties. I often sit
on the fence with a phrase like “Consultancy specialising in
Risk and Crisis Management” which is not very accurate but seems
to be better understood.
Nevertheless we do have an identity crisis. Technical solutions
like Disaster Recovery, High Availability, Continuous
Availability and Convergence Technologies are bandied around as if
that was what Business Continuity Management is all about. No
wonder that managers within SMEs have switched off; all they
see is more and more expensive technology which they neither
need nor can afford. Hence the idea that Business Continuity is
an expensive “nice to have” for big league players has become
the perceived wisdom.
This is about as far from the truth as you can get. Business
Continuity is about managing unexpected events that interrupt
key business processes, often those which are vital to
maintaining cash flows. The most quoted (and least validated)
statistic of our industry is the claim that 80% of businesses
that have a disaster go out of business within 18 months.
Leaving aside the lack of any definition of what is meant by a
disaster, even if we accepted the figure what would it tell us?
Probably that the worst managed companies with no spare cash to
spend on security and preventative measures suffer disasters
more often than well organised cash rich businesses. They may
well have been marginal businesses already and the disaster
pushes them over the edge. Generally speaking the only problems
that may bring an FT100 or Fortune 500 company to its knees are
PR disasters. Such corporates can almost certainly cope
relatively easily with any physical disaster that takes out
premises and equipment and even (with a little more difficulty)
loss of key staff.
Those who can’t cope with the traditional physical disaster
caused by flood, fire, explosion, transportation collision or
similar are the SMEs. Precisely the companies that need
effective BCPs are those that do not have them and don’t know
how to get them.
A couple of examples from a recent BCI video illustrate the
point. Firstly a small company in the food processing business
had a severe flood with sewage contamination of their premises
and equipment. They lost their key supermarket outlets who
demanded JIT delivery, immediately hit cashflow difficulties and
by the time they received any insurance payment they were
effectively out of business. Even the remote chance they had of
re-launching themselves was made hopeless by the nature of the
incident; food and sewage mixed created the wrong image and they
did not have the PR resources to counter it.
Secondly a small plastics company had a minor fire which took
out their largest and most sophisticated injection-moulding
machine. It was a single point of failure and replacement of
such equipment can take many months. The only option was to
sub-contract the work to a competitor. This kept the immediate
cash flowing but introduced their most important customer to a
competitor with inevitable long-term results.
Ask yourself the question: would Unilever or Shell have gone
out of business if either example had happened to them?
Obviously not, and yet these two small companies did. Therefore
who needs the Business Continuity Plan the most? In fact the
value of a fully tested BCP to a business is almost directly in
proportion to the percentage of the business that could be
affected by an individual incident. The higher the percentage,
the more important the plan.
On one occasion I was asked by a medium-sized organisation to
discuss their business continuity needs. The person who had been
designated responsible was their Security Manager. He had been
on a few BCM seminars and conferences and wanted to know details
of how my firm would undertake Risk Analysis and Business Impact
Analysis for his business. I told him we wouldn’t. When he
expressed surprise, I asked him if he knew of any physical
threats which could destroy the entire building we were in. As
we could see an elevated section of a motorway from our meeting
room window, a canal and railway line ran around the perimeter
of the site, we were on the flight path of a major airport and
the company were involved with animal drug testing, I had a good
idea that his answer might be “yes”.
I then asked him what percentage of his company’s operations
took place in that location. Again I was not surprised when he
answered almost 100%. So, I concluded he had a significant risk
of the location being lost entirely and with it all of the
company’s business processes. It did not need a detailed Risk
and Impact Study to decide he needed a BCP. He was not
convinced, hired another consultancy and 6 months later had a
set of detailed reports which proved a plan was necessary.
Unfortunately all the senior management were by then fed up with
BCM and his budget had been spent. He never developed a plan and
retired 2 years later; to my knowledge his successor has been no
more successful.
So the point of this story is that although SMEs desperately
need BCPs, the traditional methodology for developing them does
not really work. It is too time consuming, labour intensive and
costly. In the second chapter of this article (to be published
in the next edition) I will discuss methodologies such as BCM
Fast Track, which can work for SMEs. At the risk of offending
some colleagues in the BCM world, I believe that the industry
has always been solution rather than problem driven. As
solutions for global corporates can have a large price tag, the
more modest solutions for SMEs are of less interest to the
vendors of such services. Hence the myth that BCP is too costly
for the smaller organisation. It simply is not cost-effective
for many Disaster Recovery vendors to bother promoting their
services in this sector.
There is also a lot of confusion about whether or not the
international standards for BCM can be applied in the SME
marketplace. The answer to that lies in understanding why the
standards exist. The UK based Business Continuity Institute
(BCI) and the US based Disaster Recovery Institute Int (DRII)
agreed to a set of 10 standards which define the boundaries of
knowledge that a BCM practitioner should have. Many people have
misinterpreted this as a methodology. It is not. What it does
require, however, is that any BCP produced will be based upon a
sensible evaluation of risk, a business understanding of
consequences should key processes be lost and a suitable
strategy to mitigate damage and ensure recovery. I suggest that
my one-hour meeting complied with all those requirements,
although sadly it did not generate any fees for my company. In
many SME companies the risks and impacts are all too apparent
but the technical solutions needed to overcome them are not so
available.
A serious attempt to switch the emphasis to the business
problem rather than the technical solution has been achieved
(unwittingly) by Nigel Turnbull and his committee. In focusing
on risk, they have brought into the equation the necessary
business drivers needed to fully understand why BCPs exist. For
any risk you can:
- Transfer it via insurance
- Reduce it by less centralisation and more resilience
- Eliminate it by changing procedures
- Accept it if impact is relatively low
- Manage it
In many ways traditional Disaster Recovery is simply a form of
insurance (i.e. risk transfer). Business Continuity Management
is something different entirely; it is a different way to manage
businesses in that it recognises ever-present threats and
provides strategies, plans and procedures to counter them. Nigel
Turnbull belatedly recognised this and made the following
statement to the BCI:
“The Turnbull Committee Guidance for Directors on Internal
Controls sets out overall framework of best practice for
business, based upon an assessment and control of their
significant risks. For many companies, Business Continuity
Management will address some of these key risks and help them to
achieve compliance.”
I believe the messages from Turnbull speak directly to the
director/owner of an SME company. Nowhere are the relative
impacts so large as in this sector and nowhere else are the
funds so tight that even serious risks cannot be eliminated.
There is no real alternative but to manage the risks and hence
put proper BCPs in place.
Turnbull, however, does not help very much in telling a new BC
Manager exactly what a plan should include. There are, of
course, textbooks on the subject but most authors shy away from
being too specific. In chapter 3 of this series I will suggest a
reasonable level of detail and a viable format for an SME plan
but I will also proffer a health warning with it. The reason for
this is that when it comes to BCPs, one size does not fit all.
I know of companies with plans little more than the size of a
credit card – only including immediate contacts and initial
high-level tasks. Other similarly sized companies have plans
which I can only describe as “Victorian Novels” – every
conceivable threat is identified and wordy procedures written to
counter them.
Neither is my style of plan but I have found by experience
that my preferred style does not suit everyone else. I have run
workshops of plan building for SURVIVE for the past 8 years and
in the early years delegates came looking for a “fill in the
blanks” plan. Now most attendees realise that it is not that
simple; it is in many ways more important to do the thinking
process than to produce a perfectly written plan. What matters
is that the plan fits the culture and working methods of a
particular organisation, has been tested and sufficient staff
are familiar with it to make it viable if called upon. A plan is
a working tool, not an end in itself and the process which
guarantees the accuracy, currency and completeness of the plan
is of equal importance to the actual document. Sadly this is not
always understood by people who have the responsibility for
auditing plans. One of the main drivers for SMEs to introduce
BCM has been commercial necessity. Planning is imposed on them
by their clients, particularly if the clients are large global
corporations who are themselves heavily involved in BCM
disciplines.
Many commentators feel that the supply chain is the weak link
in the whole business continuity process and it is certainly
true that single source supplies do impose a high risk of
process interruption. Large corporates have long since looked at
every way of cutting costs and giving guaranteed single sourced,
high volume business in return for very low prices has been
around for years. The downsides of this strategy often only
emerged as part of the Y2K projects, which challenged the
viability of having a single supplier for key components. Rather
than solving their own problem, the corporates have simply
transferred it to their small (and largely defenceless)
component suppliers. Not only do they have to supply at
wafer-thin margins, they also have to guarantee the large
corporates will never run short of goods. Worse still, the
corporates will tell you what you have to do and come and audit
it to see you have done it. Hence the increasing demand for plan
certification, a subject which could be discussed for hours in
its own right. If this trend is left unchecked it could lead to
a BCP Audit tick-box mentality which leaves the typical SME with
additional costs of compliance without any of the real
advantages of proper BCM.
I understand the difficulties that a busy manager in a typical
SME faces if required to incorporate BCM into the organisation.
Hopefully this article and the two subsequent ones will make
his or her job a little more enjoyable and easier to undertake
successfully. If not, at least, he or she will know they are not
alone.