Business Continuity Management (BCM) enjoys the dubious distinction of being viewed as a cost centre that may never provide material value to the business. Unsurprising then, that decisions involving BCM don’t always seem to get the airtime they deserve. This paper explores how we may be able to position business continuity issues so they reach key decision makers quickly and with a better chance of success.
We were recently involved in assessing technology-related continuity risks for a large-scale European healthcare provider. The organisation’s profile means that lives, reputation and money are always at stake. These impacts coupled with environmental issues and dependency on legacy systems gave rise to justifiable continuity concerns. New management recognised this and a detailed report was commissioned, setting out exposures. It recommended solutions including non-budgeted infrastructure investment estimated at €5M. On reading the report, the responsible Director, relatively new in post, realised the severity of the condition and agreed to sponsor the business case to the executive board. The passage of events and associated learning are reflected in the content of this paper.
Whilst the details of the proposal are material, the factors initially influencing the success of the proposed change are the focus of this paper and are summarised in the table below. The drivers and positive influences on the left made the task easier; those on the right had the potential to delay or reduce the outcome. These are developed later on.
More likely to succeed (Drivers)
Less likely to succeed (Challenges)
The challenges each gave rise to uncertainty over if, how and when our proposal would be received, and whether funding would be made available to treat the newly exposed risks. We therefore set out to systematically re-position the business case to maximise our chance of success, capitalising on drivers and diluting or removing inhibitors. However, our first step was to better understand how senior decision-making bodies behave generally.
Boards are usually elected or appointed by key stakeholders in the organisation. They may include executive and non-executive members and are collectively responsible for fulfilling legal and statutory governance duties in addition to satisfying the contract with stakeholders. Generally, executive board members are selected and assigned responsibility for aspects of business operations, delegating this progressively to directors, managers and staff who on the one hand physically deliver services and on the other, provide feedback and decision information in the form of reports. The Board makes decisions based on the information it receives from both internal and external sources; in this way it exercises control and keeps the organisation operationally aligned with its agreed mission. One such control involves interpreting stakeholders’ appetite for continuity risk and using this to balance acceptable exposure against expenditure.
The frequency of Executive Board meetings varies between organisations, although in general they reflect the pace of change (e.g. monthly). Many run to a fixed agenda, covering each key control area. Risk management typically cuts across all areas and is a regular agenda item in some organisations. Meeting agendas frequently contain or conclude with an ‘Any Other Business’ or AOB item, a catch-all that may have a fixed time allocation and/or that takes any time remaining. AOB is often the only opportunity available for bringing up extra-ordinary business-critical issues such as new continuity risks. Frequently, the AOB list is longer than can be covered in the allocated time and is carried over to the next meeting. Access to AOB is competitive and usually subject to pre-qualification and prioritisation; new items can overtake those that have waited weeks or months to receive Board time. It can be a frustrating business unless a proposal qualifies for priority treatment.
If reports and audit results show that the business is on-track in a particular area, then there is little point in it consuming Board time. Continuity risk profiles change relatively slowly, typically improving as agreed measures are installed and maintained. We might therefore expect BCM to appear on a Board agenda only when either a major new threat such as Pandemic appears, requiring changes to investment programmes or policies, or if a major flaw in current defences is revealed. Where this is the case, we need to be sure the AOB system will work in BCM’s favour.
Meeting agendas are generally controlled by a Chairperson subject to legally binding procedures. Typically, AOB items are proposed by relevant Board members for inclusion and priority assigned according to the urgency or importance conveyed to the Chairperson by individuals or available documentation. So, for a business continuity-related issue to ascend from BC Manager to Director to Board Member to Agenda Item in a short space of time poses something of a challenge. It relies on access to senior individuals and a cast-iron business case that supports the interests of each. It requires trust between Chairperson and Board Member that the item is well-prepared and warrants Board time.
Boards are appointed to have the intellect, motivation and experience to fulfil their collective responsibility. Notwithstanding this, individuals may inevitably view an issue from their own standpoint within the collective. Members might abstain or vote against a motion if they misunderstand it or perceive a negative aspect. Chances of acceptance can therefore be improved by networking, informing, listening and influencing, addressing any misconceptions or objections early on. It demands a well-written proposal that gains maximum support, clearly explaining the value proposition in terms all parties can understand and sign up to.
Taking this a step further, Board papers are generally circulated before meetings and members are expected to be familiar with each item before the meeting takes place, with the aim of accelerating proceedings. These usually have a standardised format including a concise summary plus detailed supporting material. It makes sense for the paper to reflect any pre-proposal material that may have gained support from other Board members, making reading easier and avoiding surprises.
We applied the following four steps to improve our proposal’s chances of success
- Produce a detailed review addressing all aspects of technology continuity risk, quantifying and qualifying each exposure, providing recommendations and statements of residual risk. This provided the foundation for our proposal and the Board Paper.
- Draft an internal proposal evaluating the benefits of each recommended option and providing a fully costed implementation plan. Key features were:
- Summarised and detailed business case with costs that add up
- Undeniable significance, quantifying the risk
- Policy and mission-alignment, capable of being supported
- Professionally underwritten and independently produced
- Factually evidenced
- Familiar, using a format compatible with Board papers
- Uncontroversial, with no surprises or errors
- Clear and brief, with no technical jargon
- Inclusive of viable alternatives, including ‘do nothing’
- Checked and re-checked
- Secure a senior sponsor capable of promoting and guiding the proposal through the various stages of acceptance. The success criteria we associated with this were that the individual concerned should be:
- Bought-in, supportive and accessible
- Influential and well-connected
- Able to explain and sell it to others
- Eloquent on BCM and allied subjects
- Tuned into the Board’s appetite for risk and expenditure
- Promotion and involvement of other business leaders
- Presentation explaining concepts, aims, approach and benefits
- Make contact, ask their opinion and listen hard
- See their points of view and reflect them in the proposal
So, did we make the Board listen? Our lessons from this and similar experiences are summarised as follows:
- BCM is unlikely to be a regular board item for most organisations
- However, you can smooth the path
- External factors can delay or accelerate approval
- Board familiarity and buy-in is a major advantage
- These principles apply for most senior decision-making bodies
In my view, ‘making the Board listen’ is a misnomer, and the paper’s title should instead be ‘Giving the Board a message it needs to hear’. This suggests that the success or otherwise of any unplanned un-budgeted business continuity consultancy initiative is attributable to alignment, presentation, content and networking. It perhaps requires us to behave differently and for a while become firstly skilled salespeople and secondly, trainers of others to sell on our behalf.