The world is now witnessing continuous advancement and progress in all aspects of life. The formulation of the global economy and global supply chain are among the characteristics of this era as well as part of our modern lives. In order for such advancement and progress to continue and be fruitful, the world needs to provide adequate stability as well as careful planning to achieve prosperity.
Unfortunately, things do not always go as smoothly as we expect them to. Being inherent to people’s presence and activities, failures, incidents, risks, disasters, and crises are taking place more and more across the world. With the close interconnection between economies and people, the results of disasters and crises quickly cross borders, creating an almost global impact. Other people’s problems are no longer just their problems. They could also be ours.
In the last few years, disasters have dramatically increased in frequency, impact, and complexity. In a shocking and saddening news release, the United Nations described 2010 as one of the “deadliest” years in two decades.1 During 2010, 273 natural disasters caused a death toll of almost 300,000 people. In addition, these disasters affected the lives of almost 200 million people and the financial impact reached US$110 billion. Two of the worst were the earthquakes that hit Chile and Haiti, with the latter being the worst as its death toll reached almost 200,000, with financial losses of US$8 billion.2
The UN numbers were based on natural disasters, over which people have little or no control. Other disasters result from human activities or failures in human activities. In 2010, a failure on a petroleum facility for British Petroleum (BP) in the Gulf of Mexico caused millions of barrels of oil to spill out, causing severe environmental, economical, and humanitarian impacts. The incident, which was caused by human and process failures, cost BP almost US$7.1 billion in claims submitted by affected parties, governmental and private, in relation to the disaster.3
What makes us extra sensitive to disasters is the financial crisis that we have been living through during these years with budgets shrinking and revenues decreasing. Disasters at such bad times hit harder and have more and more fundamental effects on many levels. They also take considerably longer to recover from than in other times of easier conditions.
One ever-challenging aspect of disasters is the continuous change in their causes, triggers, and impacts. While this always was the case, they now change faster and at a more dramatic pace. What was considered as extreme a few years ago is now being looked on as a normal baseline for measurement. In addition to natural disasters, wars, acts of terror, and technology failures, organizations are also threatened by new risks related to public health and pandemics, supply chain interruptions, and reputational risks resulting from the new social media and the citizen-journalist concept. As everyone can see and feel, our world is not becoming any safer and there should be protection schemes for organizations to provide proper protection from existing and new threats and effective measures to manage them.
What should we do? There is definitely no way to eliminate risks and disasters, and there never will be. But there is something that we can do about them. We may not be able to eliminate them, but we are definitely capable of mitigation.
The core of the mitigation process is to understand the threats and risks and how they affect the organization and its assets. These threats and risks come from many sources: internal and external. The capability of the organization to perform this process follows a learning curve; it gets better, the more it is done properly. The more the organization understands its risks and threats, the more effective and sufficient the mitigation and protection become.
Completing the process of understanding the risks and threats, proactive procedures and measures should be put in place to mitigate these risks and threats. The idea behind proactive measures is to keep the probabilities of the threats and risks occurring as low as possible. Even if they occur, the impacts are also lowered to minimal levels that do not reach the level of a disaster. If disasters occur, there should be proper responses – plans and arrangements – to effectively handle the events and control their results for minimal impact and effect.
Business continuity management provides an organization with the necessary frameworks and implementations that can help define risks and threats to the assets and operations of the organization and devise strategies and plans to manage them in acceptable ways. The ISO22301 Standard defines BCM as a “holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.”
We will now proceed to shed some light on the history of BCM. What started as a practice within the information technology (IT) field to manage the implications of systems’ failures became an evolving practice within organizations across the globe to manage the implications related to failures affecting all aspects of the organization, including IT. Through continuous evolvement, BCM has moved from being reactive to disasters to being proactively involved in the strategic and operational management of threats and the relevant consequences for the organization. Today, BCM does not only provide an organization with the capability to recover from failures, it creates enhanced levels of resilience to smaller incidents that could develop into disasters. BCM has also moved from being considered as an isolated project to being counted as an ongoing program that serves organizations as long as it exists.
Throughout this book we will be highlighting the various components of BCM programs. BCM programs are unique to an organization, yet one can identify shared or common components that exist in almost all BCM programs, regardless of the geographical region or the industry. We will discover how to set up a BCM program and how to go through the BCM life cycle. There will be specific focus on three major elements of a BCM program: technology, premises, and people, as these elements represent the critical aspects of any organization and they are the areas where disasters hit organizations hard.
One of the main features of modern BCM programs is standardization, which was absent in the early days of BCM recognition. There were standards that were specific to certain geographical locations and/or industries. As BCM became increasingly adopted and its implementations were varied as well, there was a need to develop a unified and global set of rules, guidelines, and requirements for BCM implementations all over the world. Now there are several published standards that are recognized in the BCM field. In this book, we will be specifically looking at:
Disasters, outages, and disruptions are all nightmares for an organization as they may threaten its existence and survival. They also bring financial losses and other negative impacts that affect the overall performance of the organization and its ability to achieve its goals.
BCM programs form strong and solid enablers and guardians of the organization’s objectives and goals. The ultimate aim of the BCM program is to protect the organization from the effects of severe incidents and disasters as it enables the organization to maintain its existence, operations, and achievement of its strategic and operational goals.
In addition to enablement and protection, effective BCM programs bring many benefits to the organization and relevant stakeholders. These benefits may be direct, like reducing failures and disasters, or indirect, like improving performance and the perception of the organization.
This is the most tangible and direct benefit of effective BCM programs. Through effective implementation of the BCM life cycle, both the probability and impact of threats and risks occurring will decrease. In parallel, the readiness and maturity capabilities of the organization will increase. Mitigating disasters and failures reflects on the performance and outcomes of the organization on different levels: financially, regulatory, and socially.
Another benefit of effective BCM programs is a reduction in financial losses. Disasters and failures can result in significant financial losses for an organization. These losses may occur directly, like losing valuable assets or losing the revenues from operations. On the other hand, they may occur indirectly, like facing regulatory fines or suffering the loss of a good public image and being perceived badly, resulting in the loss of customers. Effective BCM programs help to prevent such awkward situations, especially those of indirect losses.
Disasters, incidents, and failures are permanent threats to an organization’s operations, causing disruption and affecting almost all aspects of the organization. With effective BCM programs, the operations will be increasingly protected from disruption caused by disasters and failures, either by reducing their probability and impact or by having robust plans to manage them.
One of the most important goals of an organization is to enhance its public image and perception, and increase its brand value. Collapsing under disasters can severely damage its image and public perception. Effective BCM programs help an organization to maintain its good public perception and continue to fulfill its obligations and responsibilities towards the public.
As major stakeholders, regulatory bodies enforce their requirements on organizations with regard to BCM. In fact, regulatory requirements are strong drivers for the BCM programs. In addition to being drivers, they can also resemble a benefit. By complying with the regulations, an organization can enhance its relationship with the regulators and they can translate this into better ratings and audit reports.
Shareholders are very important stakeholders in an organization. For shareholders, the most important thing is the protection of their investments. As disasters incur losses and cost the organization a significant amount of investment to recover from them, they can also affect the share price negatively. Implementing effective BCM programs would protect the share price and the shareholders’ investments in addition to reducing losses.
Nowadays, the words “risk” and “threat” are appearing more and getting more attention than ever before. In simple language, a risk is a probable incident that would affect an organization’s goals while a threat is an element, internal or external, which might cause loss and damage if was realized. We’ll have a deeper look into risk and threat definitions in the risk assessment phase of the BCM life cycle.
In the earlier days of BCM, when people asked themselves what could go wrong, they were mostly limited to the traditional risks and threats of natural disasters, utility failures, and IT systems’ failures.
Risks and threats are evolutionary by nature. With the changes in the nature and shape of the world and organizations’ activities, the associated risks and threats have changed too. After the mid-1990s, the number and severity of terrorist attacks increased dramatically, culminating in 2001 with the 9/11 attacks. In addition, climate changes continue to make a tangible and severe impact on people, countries, and even continents. With the increasing requirement across the global supply chain to achieve agile operations and maximized returns, disruptions and incidents happening in different parts of the world affect other areas. A strike of call-center staff in India can easily affect companies in the US and the UK. Pirate attacks in the Gulf of Aden can stop major supplies from reaching Europe and south-east Asia.
Similarly, an information security breach may be damaging to governments and organizations. On top of this are incidences of cyberattacks and cyberterrorism. News of leaked confidential information appearing on the Internet is also increasing. With the swift spread of social networking and the age of new media, it doesn’t take more than a couple of minutes for the average person to share confidential information with millions of people over the Web.
Regulatory threats are also on the rise as more regulations are being introduced these days. Compliance with these regulations is in itself a challenge and if they are not met, it could mean paying large fines and damaging the company’s reputation. Since the Sarbanes-Oxley Act became effective in 2002, all public companies are required to fulfill the Act’s requirements, which might entail fundamental changes and upgrades in the organizations’ working practices. It also contains heavy penalties for non-complying companies. Basel II is another example of guidelines whose implementation and fulfillment may require extensive modifications and changes, needing considerable resources both financially and non-financially.
In 2009, the outbreak of the H1N1 pandemic put the whole world in panic mode as it faced one of the worst outbreaks in modern history. Regardless of whether the response was overreactive or not, governments, organizations, and people were affected, severely in some countries. It put the spotlight on an area that had not been given the same importance before.
In 2010, a volcano eruption in Iceland created an ash cloud that kept most of the aircraft in Western Europe on the ground for extended periods of time. This grounding of flights left millions of people unable to travel and airline companies suffered losses of billions of dollars. Neither of these two risks had been properly evaluated previously. Both of them caused losses that were greater than those from the other usual threats.
The bottom line is that risks are changing and threats are no longer static. In order for an organization to remain in a good state of readiness, it should be constantly considering what could go wrong and what affect would it have on the organization. Keep your mind open to unusual threats. The more comprehensive your view is of risks and threats, the better you can prepare to manage them.
BCM and risk management are related disciplines and do, from certain angles, look like they are doing the same job. The fact that BCM and risk management are related leads to thoughts of the nature and future of this relationship.
BCM forms part of the overall risk management framework, focusing on the risks related to an organization’s operations and assets. Through the various activities of the BCM life cycle, an organization can understand its core activities and focus its resources towards managing their risks. This makes the process of risk management more efficient and relevant. BCM also enhances an organization’s capability to take “higher” risks as it allows the organization to manage expected failures or incidents effectively and as required.
All across the world, regulatory requirements form an external pressure on organizations of almost all sizes. BCM is one of the areas that has been witnessing major waves of regulatory requirements across all industries over the last two decades. Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and Basel II have the strongest impacts on BCM and its role within the organization.
Regulators understand and value the importance and criticality of BCM programs to organizations and the fact that organizations are becoming more and more related and interconnected. They provide their requirements to make sure that the organizations are serving their purpose and not jeopardizing the interests of the stakeholders. BCM is also considered an integral part of overall corporate governance and the specific governance programs in IT and other areas. BCM can be utilized to enhance performance and manage the risk exposure of an organization.
Meeting the regulatory requirements is not always an easy task. On the contrary, sometimes it requires careful planning and resourcing to satisfy them. This is why it is always beneficial to understand the implications, timelines, and costs related to meeting such requirements.
With the increasing adoption of BCM disciplines across the world, insurance companies have started looking into an organization’s BCM program and capabilities as an important factor when providing their services. Logically, the more effective an organization’s BCM program is, the less likely it is that major incidents will impact the organization and, consequently, the less would be the amount that insurance companies would have to pay to the organization. This also leads to smaller premiums being paid to the insurance companies.
The relationship is not unidirectional. Insurance coverage is a widely used risk mitigation option that is usually used for low-probability, high-impact risks. Organizations can seek the help of insurance companies in designing the appropriate insurance coverage based on the results of the BCM life cycle and an understanding of the organization’s critical operations and assets. In the end, the interests of the insurance companies and the organization are the same. Organizations want larger coverage and smaller premiums while insurance companies want fewer incidents and compensation claims. Both interests are achievable through effective BCM programs.
1 UN: 2010 among deadliest years for disasters, urges better preparedness. United Nations. 24 January 2010. www.un.org/apps/news/story.asp?NewsID=37357.
2 UN: 2010 among deadliest years for disasters, urges better preparedness. United Nations. 24 January 2010. www.un.org/apps/news/story.asp?NewsID=37357.
3 Claims Information, Gulf of Mexico, BP. http://www.bp.com/sectiongenericarticle.do?categoryId=9036580&contentId=7067577.
18.223.172.191