2008 to 2011 proved turbulent times for business and business continuity, tumbling from the realisation of sub-prime into the credit crunch and now a sustained period of global recession. What did it mean for business continuity? Did it become a dispensable overhead - a hygiene factor, a luxury that organisations could afford to forego, or were we missing something?
Some key points underpin the way we implement Business Continuity Management (BCM) and help understand how some organisations managed the effects of recession:
- Each organisation has a unique, frequently changing and multi-faceted continuity risk profile. It typically includes a range of improbable but potentially catastrophic events, from climatic or weather extremes to technology failure, from civil unrest to terrorism.
- Each, knowingly or inadvertently through its actions, also exhibits a continuity risk appetite. This is usually stated via policy and sets out the exposure to continuity risk that stakeholders willingly accept and, by implication, requires mitigation of any risks they are unwilling to take. Executives are then obliged to ensure continuity risks are effectively managed against policy.
- Funding therefore facilitates, constrains and shapes risk management since there are typically many treatments available for any given risk condition at widely varying cost. None is absolute and all leave a risk residue, such as the exclusions and excesses written into insurances. Best value and hence governance is achieved at the point where cost and residual risk are both acceptably minimised for stakeholders.
These basic paradigms are readily exercised under normal economic conditions; we are obliged to identify exposures that exceed the levels permitted by policy and to then implement best-value policy-compliant ways of treating them. Risk equilibrium is restored by allocating budget or resource to fill the gaps, buying insurance or accepting the increased risk.
So should recession have changed the way we interpreted these basic concepts? Clearly, we were/are earning less and therefore have less to lose, so it seems reasonable to assume that the system will self-adjust, automatically attaining a compliant level of protection simply by spending less on BCM. This is a convenient but probably invalid assumption; the risk landscape has changed and whilst the rules continue to apply, we may need to interpret them differently.
In this example it helps to visualise the full range of unmitigated risks affecting the organisation as a kind of graphical risk landscape, with peaks representing areas of high exposure. Some of these may directly threaten business continuity, whilst the remainder are managed operationally. The illustration below also shows how stakeholders are able to set a working level of continuity risk via policy. This is symbolised by the red line and reflects an overall risk appetite and budget. Some risks rise above the line; these exceed tolerance and need treatment to become policy-compliant.
When sound practice measures are applied, most of the risks are mitigated and this is represented by the greyed area in the second illustration. The darker region now represents remaining or residual risks, all of which lie below the acceptable level defined by the red policy line, with the exception of the exposure labelled ‘A’. This exemplifies an area of risk that cannot be mitigated within budget and which, after consultation with stakeholders, may be accepted.
This landscape therefore represents the organisation’s risk managed status quo under normal economic conditions. It is a flexible and powerful construct, allowing budgeted improvements to take place at any time within policy limits. It also allows us to explore the effects of recession.
Recession Amplifies Risk
Two important recessionary effects threaten to change our risk landscape. Firstly, in an ironic twist, recession may cause cash and resource to be diverted away from continuity as the organisation focuses on survival. Disaster recovery contracts may be allowed to stagnate, continuity staff may be redeployed and key assurance activities postponed or cancelled. These all save money but erode carefully positioned defences, causing previously below-the-line exposures to resurface in a kind of seismic upheaval. The situation is not helped by the fact that some hazards, such as theft, fraud and supply failure, may be intensified by recession.
Secondly, reducing liquidity and earnings may mean the organisation’s resilience is reduced. It can now withstand fewer major shocks, elevating previously inconsequential exposures to continuity risk status. For example, a risk event costing £1m may prove painful but not catastrophic to an organisation earning a £10m surplus. However, if the organisation only breaks even because of the downturn, then the same event could lead to bankruptcy in the absence of credit. It means we may need to respond faster than our business impact analysis suggests if we want to survive.
Combined, these two points have the effect of artificially boosting the organisation’s risk appetite and this is reflected in the illustration below. It causes tolerance to fall and, like a receding tide, this elevates potentially many previously inconsequential risk islands to continuity-threatening status. In this sense, recession acts as a risk amplifier.
There is a human analog to the condition described; in recession, many individuals instinctively focus on income and cut back on their outgoings, possibly buying less or cheaper food. However, it makes sense to consume at least the levels of essential nutrients needed to keep our bodily systems working properly, including our immune system, if we want to stay intact. In business, indiscriminate cost-cutting is similarly damaging, offering, firstly, a progressive downgrading of the corporate immune system and, secondly, legal breach by misleading stakeholders through inaction. The implication is that whilst we can spend less on continuity, we must continue to invest in key areas to ensure we don’t succumb to the equivalent of a common cold.
To do this we may need to balance our expanding risk appetite against a healthy but slim-line mitigation diet, identifying then treating exposures using lower-cost substitutes or blends whilst avoiding the easy temptation of blanket acceptance. Business impact analysis and risk assessment lie at the heart of this, offering relevant factual diagnosis. They jointly reveal the location and significance of any newly-exposed continuity risks faced by the organisation, and propose alternative forms of treatment. Thus armed, executives and stakeholders are in a position to offset the effects of financial and resource constraints, providing authoritative direction.
In the light of this, we may decide to reconsider, reposition and regroup, making more of what we have at our disposal and changing the way we approach continuity. Possible steps toward this include:
- Review what we know to ensure it accurately reflects current conditions.
- Encourage directors to understand the situation fully so they can act.
- Be proactive. Anticipate change and plan to preserve capability.
- Seek advice from industry experts and business continuity consultancy.
- Use business continuity software to leverage resource and provide fast BIA updates.
- Become agile. Ensure Business Continuity Management is capable of recognising when circumstances change and of reacting quickly enough to make a difference.