Business Continuity Management: From Risk To Resilience

A terrorist attack, a pandemic threat and production line shutdowns all point to the need for Business Continuity Management (BCM). The authors share five lessons learned from real case study examples.

Editor’s Note: This is the first of a two-part story

BY:

Dr. Daniel Gozman, Henley Business School University of Reading | Andrew Craig, The Outsourcing Unit, LSE, CEO, Rame Associates | Marko Kovacevic, CEO, Trizma | Professor Leslie Willcocks, London School of Economics and Political Science

Business risk is the probability of something happening multiplied by the resulting cost or benefit if it does. With Business Continuity Management (BCM), we are particularly interested in three things: the likelihood of an adverse event occurring; the size and impact of that adverse event; and how the hazard can be mitigated, and where possible converted into a favorable outcome, through BCM practices.

One primary task of our work on BCM is “precaution advocacy.” To put it bluntly, where the hazard is high but perception and outrage are low, we need to alert those who are insufficiently informed about serious risks. This is particularly needed when encouraging companies to adopt more resilient BCM practices. Our most recent research finds that organizational understanding of contemporary business and global sourcing risks, especially their systemic nature, is very underdeveloped. This is a serious problem: if companies do not fully understand the risks they face, they will not fully appreciate the benefits of adopting BCM practices either.

In 2017 we undertook business continuity management research into regulations, case studies, practices and outcomes, with a primary focus on the global sourcing industry. In this two-part article, we discuss five key emerging lessons that apply directly to the world of global sourcing and to business more generally. The lessons are formulated to assist managers who are seeking resilient operations and who need to assure key external stakeholders (customers, suppliers, shareholders, regulators and auditors) that business processes are stable and that product and service delivery will be consistent across the supply chain.

Lesson 1: Develop a Holistic Strategy. Rehearse Responses.

Case example: On Saturday, June 30, 2007, the second busiest day of the year for summer travel, a Jeep Cherokee 4×4 was driven into the main terminal building at Glasgow Airport and deliberately set on fire. A well-rehearsed emergency plan was put into action quickly. It was established that this was indeed a terrorist attack; the attackers were arrested, the building was evacuated and the fire was dealt with.

According to management, Glasgow Airport had a holistic strategy built around “7 R’s”. The global sourcing industry can learn from this case. Here is our version of the 7-R’s framework:

Pre-emption: (These steps occur before a disruptive event)

  • (1) Risk: Identify and evaluate risks across the enterprise

  • (2) Resilience: Put in place plans to mitigate risks and, where possible, prevent them from crystallizing

  • (3) Rehearse: Drill responses to assess effectiveness of BCM plan and related responses

Reaction: (These steps occur immediately following a disruptive event)

  • (4) Response: Respond immediately, prioritizing safety and evaluating the extent of the disruption. Trigger the BCM plan.

  • (5) Recover: Put in place practices to return processes, products and services to a stable state

Reflection: (These steps occur after the business has returned to a normal state)

  • (6) Review: Assess how well the business responded to the disruption and incorporate the lessons learned into the BCM plan

  • (7) Reputation: Evaluate the impact of the disruption on business reputation and formulate appropriate responses (e.g. press releases, personal engagement with major customers, reports to regulators, compensation to customers).

Lesson 2: Assess underlying outsourcing risks across the supply chain. Document plans and outcomes to industry standards.

Case example: B-Source SA provides bank back-office and IT services to insurance companies and private banks in Switzerland and selected other countries. As a Swiss service provider to the financial industry, B-Source does not, in fact, require a specific authorization, because the financial supervisory body mandates that clients remain fully responsible for the outsourced activities, “as if it would operate them itself.”

Therefore, a major challenge for a client with multiple outsourcing service providers is to ensure that best-practice internal controls, risk management, security and a business continuity framework are in place at each of them. Key to this is a common global language and framework that is communicated at all levels and to all interested parties (international regulators, boards of directors, auditors and other stakeholders).

In response to a recent pandemic threat, B-Source SA undertook a review and risk/compliance analysis of its BCM readiness, which included its stakeholders and suppliers. For an international multi-outsourcing service provider relying on a variety of sub-contractors and vendors, this proved very challenging. Widespread use of a standard benchmark such as BS 25999 would have helped immensely in evaluating the state of readiness of its suppliers and subcontractors. As a direct result of the detailed BCM review, plans were made to enhance and improve communication around BCM involving all staff.

For B-Source SA, the H1N1 pandemic provided the opportunity to adapt its crisis scenarios in order to avoid disruption to services caused by the physical non-availability of a potentially large number of key people. Once the crisis had been publicized and officially announced, it became difficult to hide problems behind a contractual “force majeure” clause: the event could no longer be described as unforeseen.

From a reputation point of view, it also could have been very damaging not to have been prepared for this pandemic. Therefore, the impact on the company of the loss of key people was reviewed and the most common mitigation measure implemented. As in many other companies, the solution was to provide remote-access workplaces to ensure a certain level of business continuity for certain processes while avoiding contact between staff. A staff-sharing concept was implemented for the most critical processes.

Business Process Outsourcing (BPO) and IT Outsourcing (ITO) service companies require efficient and standardized processes based on widely recognized frameworks. This is especially true in the financial industry, where internal control, risk management and compliance must be formally and extensively implemented and audited. A service provider such as B-Source is obliged to report regularly on the adequacy and effectiveness of its internal control activities.

Today, most service providers have adopted Statement on Auditing Standards No. 70 (SAS 70) reports (since superseded in the US by SSAE 16 and then SSAE 18 SOC 1 reports, which follow the same model). The controls performed can thus be formally audited and communicated to a large audience of stakeholders, including clients. However, plans are not controls, and a Business Continuity Plan (BCP) does not form part of the description of controls performed. Rather, in a SAS 70 report it constitutes merely part of the general information provided by the service provider. In this sense, a BC plan is not audited, only communicated.

Clients need reassurance. A recognized certification such as BS 25999 reinforces the credibility of the BCM organization of a service provider or sub-contractor: it shows that the business continuity organization meets a measurable standard, has been described in an internationally recognized way, and can be benchmarked. (Note that BS 25999 has since been withdrawn and replaced by ISO 22301, which serves the same purpose and is the certification to ask for today.)

Note that, because B-Source had to carry out the same analysis with many different sub-contractors, it was very difficult to evaluate the level of readiness of these companies. Although all had confirmed that they had a functioning BCP, a quick and efficient evaluation of their actual level of preparedness proved hard to achieve.

In this sense, broad implementation of a recognized business continuity standard such as BS 25999 would have allowed the clients of a service provider like B-Source to:

  • Establish that a recognized standard is in place, attesting to a certain level of readiness

  • Improve BCP communication between all the service providers and the outsourcer, based on a common language and framework

A sensible policy here is for a client to require contractually that its key sub-contractors and service providers obtain and maintain BS 25999 (now ISO 22301) certification, and to ask for the certificate and the scope statement rather than relying on a self-declaration that a BCP exists.

For the conclusion of the story, see PULSE Issue 32 in February 2018.
