Click here To view the latest edition of CEO TODAY

Lyndon Bird, Technical Services Director, Business Continuity Institute (BCI)

The early years of the 21st century have proven to be exceptionally challenging for all those involved with disasters, emergencies, security and business continuity. Since the events of 9/11, the world has experienced a seemingly endless stream of catastrophic incidents. Hurricanes, earthquakes, and global terrorism, including the London bombings of 7th July, have rarely been out of the headlines. The impression given was that despite our technological sophistication, we were effectively powerless to prevent acts of god and only marginally better to deal with those deliberately wishing to wreak havoc on our lives and businesses. However, in reality, many of those human catastrophes were less damaging to the continuity of business operations than other less newsworthy incidents.

On a domestic scale, one of the UK's largest oil depots exploded and created what was described as "the largest fire fighting exercise in peacetime Europe". Many local businesses were badly affected, and the first to signal problems was an on-line fashion retailer who suspended its shares on 23 December and had to refund 19,000 customers who had ordered on-line goods for Christmas.

Another company immediately affected was a major IT outsourcing operation, which provided payroll services for a large percentage of public sector workers. A lesser-known consequence was the fact that it also ran the entire Patients Records system for one of the UK's most advanced hospitals. The hospital literally did not know which patients were actually in the hospital, who had been discharged and what medical treatment they had received. They coped for almost 48 hours in this chaotic condition, mainly thanks to superhuman efforts of the staff and one piece of luck - the Buncefield incident had not created massive casualties for them to handle. They could not have coped with both a full scale major incident and a complete system failure at the same time - but both would have been created by the same incident and could have so easily have happened.

This incident gave rise to warnings from the normally amusing and urbane Sir Digby Jones, Director General of the CBI. He used his Christmas message to the business community to emphasise the lessons of Buncefield and how vital risk management and business continuity were becoming to business success or even survival.

In fact, Sir Digby was building on a theme already well debated within CBI circles. Eliza Manningham-Buller, Director-General of MI5, speaking at the CBI Conference in November 2004, set the tone. She said: "I am often asked what single piece of advice I can recommend that would be most helpful to the business community. My answer is a simple but effective business continuity plan that is regularly reviewed and tested."

For many organisations, the first direct experience many top executives had with Business Continuity Management came in the run up to the millennium, when the so-called "Y2K bug" failed to emerge. Although this naturally caused some scepticism about the value of listening to "doom merchants", the process many organisations had put in place for Y2K did highlight some alarming weaknesses in supply chains and other operational vulnerabilities in strategic areas such as outsourcing.

In recent times, the primary business continuity issue that directors have debated centred on the risks created by the possibility of a pandemic, based upon a mutation of the bird-flu virus. HSBC have warned of the possibility of having to operate globally with only 50 per cent of normal headcount for a period of months. The UK government has been even more alarming in its predictions of infection and death rates.

As an expert in business continuity, I am often asked what the connection is between these diverse types of risks; natural disasters, terrorism, fire, accidents, computer failures and health scares. The answer is that, although they arise from entirely different sources, the management of the consequences relies on a set of principles that are largely the same, regardless of cause. This set of principles is now generally accepted to be defined by the overall subject name - Business Continuity Management (BCM).

BCM has suffered from not having a clear legal definition that is accepted by all. Many of its original practices emerged from an earlier technical discipline "IT Disaster Recovery". Other concepts seemed to overlap with other fields such as Emergency Management, Crisis Management, Operational Risk and Security. Exact understanding of the terminology varied across the disciplines and between countries. For example, Continuity of Operations (COO) is a popular term in North America, whereas it has limited usage in the UK. Nevertheless, business managers are clearly resolving these difficulties, to a large extent encouraged by government, regulators and standards bodies around the world.

In the UK, The Civil Contingencies Act defined a legal responsibility for Category 1 responders (mainly emergency services) to have full Business Continuity Management in place. More interestingly, the final part of the act now places a statutory responsibility on local authorities to promote Business Continuity to businesses in their areas. If they will accomplish this, and the extent to which large companies might need to support smaller ones, are yet to be clarified, but it does suggest that government is keen to encourage wider acceptance of BCM as a central management principle.

Given the obviously risky environment in which business is forced to operate today, why does it take tacit compulsion rather than business judgment to improve the take up on BCM Good Practice?

"It won't happen to us", "We will cope - we always do", "We are too big to fail" and "We are not a terrorist target" are frequent responses by businesses when questioned about their lack of business continuity. Others believe their insurance company will pay for everything. Many think they do not have the resources to prepare for something that will never happen.

Many of these common excuses have been used in the past and the surreal nature and dire consequences of some of the threats suggested by BCM practitioners do not help credibility. To keep a sense of reality, some facts are worth emphasising:

• Whilst bombs, fires and floods capture the headlines, almost 90 per cent of business-threatening incidents are "quiet catastrophes" which go unreported in the media but can have a devastating impact on an organisation's ability to function.
• Many of the causes are outside of an organisation's control and they are often at the mercy of the emergency services or suppliers who define the timescale of an interruption.
• The external perception of how well a company manages a crisis is usually determined less by the technical response and more by the perceived competence of the management.
• Research by Knight and Pretty indicates that when an organisation has successfully dealt with a crisis, their share value has increased in the long-term. In contrast, those who were perceived to have managed a crisis poorly experienced a declining share price and, after a year, still did not recover.

Successful business leaders are risk takers and they might see Business Continuity as a constraint on their legitimate entrepreneurial skills; however, it should not be, good business continuity helps protect your brand, your image and your market share. Promoted imaginatively, it can offer higher service levels that attract new clients and give much greater confidence to your existing ones.

About the BCI

The BCI is the world's premier institute offering professional accreditation in the discipline of business continuity. It has around 3,000 members and a presence in more than 55 countries. BCI members are employed in practically every large organisation in the UK and journalists from the BBC and Financial Times down to local newspapers regularly source BCI opinion.

The institute offers several grades of membership, some "professional" and some "affiliate". The professional practitioner works in all sizes and sectors of companies, as well as many who are self-employed consultants. Members work in every major bank; every large telecom company; every global IT corporate, and most of the household name retail and insurance companies.

Biography

Lyndon Bird is Technical Services Director of The Business Continuity Institute.

He has been involved on a full time basis with business continuity since 1986 and helped establish the Institute in 1994. He served for six years as a BCI Elected Board Member (six years as Chairman). In addition he was Managing Director of CPA Limited, a company widely regarded as the first specialist Business Continuity consultancy in Europe.

Mr Bird was voted Business Continuity Consultant of the Year in 2002, and given the prestigious Lifetime Award by Continuity, Insurance & Risk Magazine in 2004.

 

Click here to obtain a copy of