Business continuity, risk and resilience

Business continuity is a discipline that ensures that an organization’s critical functions are available to stakeholders, not just during a crisis, but every day.  There is a higher view, that business continuity should concern itself with organizational resilience, both short and long term. In other words, it works to ensure the survivability of an organization.  That view projects the discipline well beyond the notion of protecting physical assets, data, communications, people and reputation.

Today most practitioners have allowed business continuity to be boxed in and side-lined. They may guide an organization to help it pass a BS25999 audit and tick the boxes, but they haven’t grasped the resilience nettle. When one looks at business continuity budgets, it is obvious that data and communications resilience take the lion’s share. Practitioners do not penetrate to the core of organizational resilience. Resilience is an outcome of better practice across a number of disciplines. The International Consortium for Organizational Resilience, a non-profit education and credentialing body, lists ten disciplines that it covers: Business Continuity Management; Crisis Management and Communications; Technical Infrastructure; Emergency Management; Facility Management; Legal Compliance & Audit; Organizational Behaviour; Risk Management & Insurance; Social Resilience; and Supply Chain, Logistics & Transportation Management. But even that broad set either does not go far enough, or each individual discipline lacks the power in the organization to build resilience. Enron might well have ticked all the above boxes, as might have Lehman Brothers, Bear Stearns, Northern Rock, Royal Bank of Scotland, Citigroup, GM, Ford, Chrysler, and even Iceland (the country, not the company). One could glibly say that you cannot protect against board-level stupidity, but that would plainly ignore the fact that all of the above entities employed, or still employ, highly intelligent people working hard to grow the short-term and long-term value of their stakeholders.

Often the root cause of an organization’s demise is deemed to be short-sightedness, but that label is only useful in hindsight. One has to ask: what is at the root of short-sightedness? Is it simply letting board-level short-term greed get in the way of long-term greed, or is it a human’s innate belief that it won’t happen to them, that it is our very nature to discount risk? Look at the number of people who fail to save adequately for their retirement, or the high numbers of people without a will or with inadequate life insurance. It won’t happen to us. That is probably a survival mechanism, so that we concentrate on the here and now. It worked well on the plains of Africa. It doesn’t work well in an organization spread over multiple time zones, or one that is significantly affected by external consequences two or more steps removed from our normal daily perspective, as was the case with the drop in US housing prices following an extended, too-liberal financial regulatory regime.

Perhaps the problem is how we scope risk. Is it too narrow? Are risk issues too easily pigeonholed into Financial Risk Management, which only looks at how to use financial instruments to manage exposure to risk? Or perhaps, with other types of risk, we focus on those that are small, frequent and obvious, such as the risk that a server will fail. Servers fail all the time. The risk is measurable, the probability is high that every data centre will experience one or more failures during the course of a year, and we can take tried and tested steps to prevent or mitigate that risk. If our view of risk is broader, we cannot mitigate it with financial instruments, conventional preventative measures or disaster recovery. And with a broader view of risk comes the realization that threats are more numerous than we had imagined, along with the realization that something out of the blue will hit us for sure.

We are bound to get caught out by the improbable, as Nassim Nicholas Taleb pointed out in his book “The Black Swan: The Impact of the Highly Improbable.” He rightly argues that the improbable is more likely than we prefer to imagine. This tendency to be overly sanguine lies at the heart of why business continuity lacks power, budget and scope, and why large organizations fail in spite of their collective intelligence. Our tendency to take larger risks in groups than we would as individuals makes the unlikely more likely.

We do not build sufficient protection into our portfolio against the improbable, and paradoxically we also do not take enough gambles to be open to highly improbable rewards. Taleb does not argue against risk taking and is in fact an advocate of high risk. But he argues that high risk should be confined to a smaller proportion of an organization’s or individual’s investments and activities, and that the rest should be more conservative. By increasing risk but confining it to a smaller part of a portfolio, an individual or organization takes advantage of the highly improbable, impossible-to-predict upsides. By adopting a more conservative approach to the vast majority of our assets, we build protection against the highly improbable, high-impact downsides.

I would argue that there is a third issue that constrains our notion of resilience, and that is our definition and view of assets. An organization has a broad range of off-balance-sheet assets or risks that have nothing to do with derivatives or other financial instruments. They are soft intangibles. Though their relationship to tradable value is more indirect than, say, a deposit in a current account or a receivable, they are still measurable. Fluctuations in their values have direct impacts on shareholder value, though with time lags. As such, they are useful leading indicators. Examples include:

  • Customer loyalty
  • Business partner loyalty
  • Supplier dependence on the firm
  • Customer dependence on the firm
  • Channel power
  • Customer permission
  • Employee loyalty
  • Employee drive
  • Organizational citizenship
  • Innovation behaviour
  • Brand attributes and reputation
  • Brand recognition
  • Virtual distance
  • Patents granted
  • Carbon footprint
  • Responsiveness

Many of these are inter-related and co-dependent. Many of their values are proprietary and thus difficult for outsiders to benchmark against other firms. Yet they all represent things that affect short-term and long-term shareholder value. If business continuity is to survive, it needs more than a re-branding exercise. There must be a new, separate discipline, one which is not an aspect of finance, IT, sales, marketing or strategy. Like all other disciplines, it draws on aspects of all the others, but it is distinct. It needs to be distinct to counteract our instinct. We need to call out our ostrich tendencies and create a function that does nothing but own organizational resilience, defined broadly, on the board. It needs a name.


Filed under Business Continuity, Resilience