Is Your Company Prepared for the Worst? Why Business Continuity Must Be Part of Your Strategy
You may think your company is prepared for adversity - but if you believe these 7 common misconceptions, it's not.
By David Nolan, CEO and founder of Fusion Risk Management
Imagine a runner on a treadmill following a preset workout program. Even as the treadmill speeds up during the higher-intensity phases, as long as the runner is prepared for changing conditions, she will stay in sync with the machine - but if the runner falters or stops, and the treadmill keeps going, she'll stumble, fall and may even end up injured.
A business trying to remain competitive and profitable in today's world is like the runner trying to keep pace with the machine. If a business is prepared for whatever adverse circumstances come up, the organization can take it in stride and keep moving forward. If a business is not prepared, then it will experience disruptions - and, like a runner who gets injured, the business may find it difficult to recover.
To keep the business running and revenue flowing, executives must include business continuity in their overarching company strategy - and that requires a fundamental understanding of what business continuity is and what it means for the organization.
Defining Business Continuity
Business continuity comprises certain processes that allow a company to continue to deliver products and services - and therefore continue to bring in revenue and meet its commitments - no matter what circumstances may befall it. The types of disruptions that threaten all businesses include:
- IT services disruption - any disruption affecting access to IT services (often referred to as "IT disaster recovery") or the protection of critical data (often referred to as "cyber security").
- Workplace disruption - any disruption of a business entity (offices, call centers, retail locations, trading rooms, manufacturing plants, labs, warehouses, etc.) as well as critical assets such as machinery or other specialized equipment.
- Workforce disruption - any disruption involving personnel such that sufficient, trained and skilled employees are not available. Possible causes may include labor actions; regional disasters during which the community or public infrastructure is severely impacted; or pandemics, any of which can cause severe absenteeism.
- Supplier disruption - any disruption to critical suppliers, service providers, utilities and related infrastructure, or logistics that stops or slows the movement of critical products and/or services into or out of your business.
While most executives may believe they are prepared for at least some of these disruptive scenarios, commonly held misconceptions show the opposite may be true.
Breaking Down 7 Business Continuity Misconceptions
A number of misconceptions about a company's level of resilience to adverse events, and its ability to effectively respond, can create serious risk for executives:
"We have a plan." Many executives think if they have a documented business continuity plan, the business is adequately prepared. But having a plan and being able to execute it are two very different things. Unless the plan is comprehensive, complete, current and accurate, it may not be worth the paper it's printed on.
"It won't happen to us." To think that a business will never experience a significant disruption is wishful thinking, and indefensible, should a disruption occur. In addition to natural disasters, acts of terror or the catastrophic weather events that are becoming more common, even seemingly minor disruptions can have a significant impact on an organization's ability to maintain operations and meet its commitments.
"We have insurance for that." This is certainly a way to pay for some disruptions, but it does not ensure business continuity. Insurance coverages can lull executives into a false sense of security that risks have been addressed and require no further attention. And insurance will never compensate for brand impact and loss of shareholder value.
In fact, effective business continuity can help avoid claims and prevent losses entirely. Balancing investments between insurance coverages and business continuity can result in a dramatically reduced risk profile that may otherwise drive higher premiums. Additionally, typical coverages only compensate the business - they do not compensate partners or customers who rely on goods and services for their own needs, and who may be left high and dry in the event of a disruption.
"We don't have the time or resources for that." It is true that there is a rational balance of fiscal and fiduciary demands that should determine how much to invest in managing any risk. That number is rarely zero and should never materially impact the core mission of the business. Tragically, many organizations are spending money on people, assets, services and activities that will not protect the business's ability to function during a crisis.
A focused program aligned with the business priorities and mission can cost much less and deliver much more than one that is left to its own devices without executive sponsorship. The most expensive programs are those that produce plans that no one will ever use. Well-conceived programs operate more effectively and efficiently and deliver superior results.
"We already have data backups, recovery centers, and cyber security measures." These, like insurance, are critically important measures to have in place, but only address a narrow portion of the full scope of disruptions that can impact a business. Like business continuity plans, are the IT disaster recovery plans comprehensive, complete, current and accurate? Have these plans been exercised under a variety of disaster scenarios to ensure IT operations can be restarted and resynchronized to the current state of the business? A comprehensive program that incorporates IT disaster recovery plans and response capabilities ensures that investments in IT resilience deliver value in the event of a disruption.
"We don't have a very complicated business, so we don't need a formal plan." The truth is, every business is complex in its own way, and lacking a formal business continuity program, the true extent of the organization's internal and external dependencies, or the actual duration of a business disruption, isn't revealed until a disruption occurs.
Not having a business continuity program means not having an understanding of what it will take to respond to a variety of potential disruptions, find workarounds to maintain operations, and recover fully, should an adverse event occur. Scrambling to respond without a plan - while under the pressure of customer commitments, compliance, safety and public scrutiny - never works out as well as having a plan and a program already in place.
In the event of any disruption, a workforce will need to execute a business continuity plan with a minimal amount of damage to the business, and that is very hard to do without complete visibility into all facets of the business - no matter how simple you believe its processes and dependencies are.
"Our contracts protect us and limit our liability." Another common misconception is that if you limit your liability, your business is protected. But what about your customers, your employees and your business partners? Are you protected from shareholder suits if your equity value is damaged? During an operational disruption, there are many stakeholders affected - whom the business has the responsibility to consider, and whose impact can cause damage to your company's reputation and your brand. If brand trust is destroyed because a potentially preventable issue has affected customers, shareholders, employees or partners, contract liability may become immaterial. Planning and responding effectively in the face of adverse events far exceeds the benefits of contract protections alone.
Why It's Important to Change Your Perceptions
Unlike the thinking behind most of these misconceptions, business continuity is not a defensive concept; it should be a fundamental component of business strategy.
For executives to responsibly establish and execute a competitive business strategy, risks must be identified, contingencies must be considered, and capabilities must be established to ensure strategic objectives can be achieved. Assessing operational risk, evaluating business impact and defining appropriate tolerances for operational disruption are the foundations of a responsible approach to managing business continuity risk.
Not taking action creates its own set of risks. Oftentimes, executives place a higher priority on fulfilling their fiscal, not fiduciary, responsibilities, by managing costs, monitoring accounts receivable and payable, assessing credit risk, etc. This is managing risk simply as a financial phenomenon when it should also be considered an operational necessity.
Lenders are becoming increasingly aware of continuity risk and its potential effects on an organization's ability to service its debt. In this regard, business continuity becomes more relevant as a firm's readiness may determine, in part, its ability to compete for preferred access to capital.
To gain an objective perspective, look at your company from an outsider's shoes. Would you bet your business on a company with reckless disregard for continuity risk? Not likely. You undoubtedly have a stringent vetting process for all suppliers, providers, partners, manufacturers, etc., looking at them through the lens of, "Does this company have a backup plan if something goes wrong?" because it will affect your ability to deliver your products and services to your customers.
More than anything else, brand equity depends on business continuity management as a critical supporting element. Brand equity is created by an accumulation of goodwill over time, and executives are the stewards of that equity. If a disruptive event occurs and is not well managed, then reputation, trust and ultimately brand equity can be damaged, and market value diminished. Investing in an effective business continuity management program can be the best investment to make for the highest potential return for your brand.
To Keep Moving Forward, Manage Business Continuity Risk
Managing business continuity risk is critical for the strategic success of every organization. It should be at the core of an organization's values and mission, and executives must shoulder that responsibility to ensure that a business does not falter or fail to meet its commitments in the event of a disruption.
A company's viability, brand equity, and ability to compete in the marketplace every day all rely on having a firm grip on business continuity risks, and an effective program to actively manage them. If you are not making business continuity management a strategic priority, you are in a shrinking minority - and creating substantial risk for your business.