1. MANAGEMENT QUARTERLY January 2003
R I S K – O P E R AT I O N S
Business continuity and
crisis management
No organisation can have complete control over its business environment.
It is therefore essential for companies to have a business continuity manage-
ment (BCM) and crisis management capability, in case of crisis or disaster.
Dr David Smith outlines various approaches that can help companies pre-
pare for a business continuity ‘event’, and explains the BCM life cycle.
In August 2002, the Financial Services q limit/prevent impact beyond the organisa-
Authority (FSA) expressed deep concern over tion; Most
the high percentage of its members who did q demonstrate effective and efficient gover- organisations
not have a business continuity and/or crisis nance to the media, markets and stakehold- face a
management capability.1 They emphasised ers; business
that a robust, effective and fit-for-purpose q protect the organisation’s assets; and continuity
preparedness is essential, and complacency is q meet insurance, legal and regulatory ‘event’ at
unacceptable, in the face of the challenges requirements. some point
and threats that inevitably arise in today’s
business climate. This warning is reinforced However, BCM is not only about disaster
by the recently published research report of recovery. It should be a business-owned and
the Chartered Management Institute.2 driven process that unifies a broad spectrum
of management disciplines (see Figure 1 on
Business continuity management (BCM) is page 28). In particular, it is not just about IT
defined by the Business Continuity Institute disaster recovery. Too many organisations
(BCI) as ‘an holistic management process that tend to focus all their efforts on IT because of
identifies potential impacts that threaten an its mission-critical nature, leaving themselves
organisation and provides a framework for exposed on many other fronts.
building resilience and the capability for an
effective response that safeguards the interests Because of its all-embracing nature, the way
of its key stakeholders, reputation, brand and BCM is carried out will inevitably be depen-
value creating activities’. dent upon, and must reflect, the nature, scale
and complexity of an organisation’s risk pro-
The BCI’s use of the term ‘business continu- file, risk appetite and the environment in
ity management’ rather than ‘business conti- which it operates. Inevitably, too, BCM has
nuity planning’ is deliberate because ‘plan- close links to risk management and corporate
ning’ implies there is a start and end to the governance strategies. The importance of a
process and can lead to unwanted planning holistic approach across these areas was rein-
bureaucracy. BCM is, by necessity, a dynam- forced in the Turnbull Report (1998)
ic, proactive and ongoing process. It must be
kept up-to-date and fit-for-purpose to be As an organisation can never be fully in con-
effective. trol of its business environment, it is safe to
assume that all organisations will face a busi-
The key objectives of an effective BCM strate- ness continuity event at some point.
gy should be to: Although this simple reality has been etched
in high-profile names such as Bhopal, Piper-
q ensure the safety of staff; Alpha, Perrier, Barings Bank, Challenger,
q maximise the defence of the organisation’s Herald of Free Enterprise, Coca Cola, Exxon-
reputation and brand image; Valdez, Railtrack, the Canary Wharf bombing,
q minimise the impact of business continuity Enron, Anderson, Marconi, Landrover and
events (including crises) on the World Trade Centre, experience also
customers/clients; teaches that it is the less dramatic but more
FACULTY OF FINANCE AND MANAGEMENT 27
2. January 2003 MANAGEMENT QUARTERLY
R I S K – O P E R AT I O N S
Figure 2 The unifying process
BUSINESS CONTINUITY MANAGEMENT
Environmental management
Supply chain management
Communications and PR
Knowledge management
Emergency management
Facilities management
Crisis management
IT disaster recovery
Risk management
Human resources
Health and safety
Security
frequent business continuity events that can blindly implementing so-called ‘best practice’
be even more problematic to deal with. business continuity techniques is not the best
Unfortunately, it seems that many public and approach. As all organisations are different,
private organisations still think, ‘it will not techniques which work in one organisation
happen to us’. will not necessarily work in another. Most
executives tasked with addressing business
continuity issues are keen to achieve quick
Changing the corporate culture wins, and the ‘tick box’ audit approach,
which tries to copy successful strategies used
Ignoring business continuity issues can hap- elsewhere, is often adopted without consider-
pen for a number of reasons, ranging from ation as to suitability.
denial through disavowal to rationalisation. A
Many process of ‘group think’ can develop whereby Underlying the ‘tick box’ approach is the per-
organisations an organisation genuinely starts to believe suasive belief that a structure, policy, frame-
believe it will that their size, or some other feature, makes work and plan is all that is required. Whilst
not happen to them immune to disaster. Or executives may these are critical enablers, relying on structure
them. firmly believe that insurance will cover them, alone tends to overlook the key issue – that it
without realising that insurance cannot is people who actually deal with business con-
indemnify against lost market share, loss of tinuity and crises.
reputation or tarnished brands.
In this context, it is worth remembering (and
Research shows that crisis-prone organisations reminding all senior executives) that ‘man-
tend to exhibit these tendencies seven times agerial ignorance’ is no longer an acceptable
more often than crisis-prepared legal or moral defence if a crisis is handled
organisations.3 Whilst all individuals may badly. All managers should consider the fol-
make use of such defence mechanisms from lowing key questions that are likely to be
time-to-time, the key difference is the degree, asked in a subsequent inquiry:
extent and frequency with which they are
used. q when did you know there was a problem?
q what did you do about it?
Changing such mindsets is not easy, and q if you didn’t do anything, why not?
28 FACULTY OF FINANCE AND MANAGEMENT
3. MANAGEMENT QUARTERLY January 2003
R I S K – O P E R AT I O N S
q if you didn’t know there was a problem, Using good practice guidelines –
why not? a different approach
q what would you have done if you had
known such a problem could exist? Because of the caveats listed earlier, the BCI’s
‘Business continuity management good prac-
tice guidelines’ are not intended to be a Some sort of
Avoiding planning bureaucracy restrictive, exhaustive or definitive process to continuity
cover every eventuality within BCM. Instead, plan is
There is no doubt that some sort of business they set out to establish the generic process, essential
continuity plan is essential. The plan becomes principles and terminology; describe the
a source of reference at the time of a business activities and outcomes involved; and provide
continuity event or crisis, and the blueprint evaluation techniques and criteria.
upon which the strategy and tactics of deal-
ing with the event/crisis are designed. In par- These guidelines draw together the collective
ticular, it can provide essential guidance on experience, knowledge and expertise of many
damage limitation in those short windows of leading professional members and fellows of
opportunity which often occur at the begin- the BCI and other authoritative professional
ning of a crisis. organisations. In particular, the guidelines
reflect the following BCM principles:
Unfortunately, reputations and trust that
have been built up over decades can be q BCM and crisis management are an integral
destroyed within minutes unless vigorously part of corporate governance;
defended at a time when the speed and scale q BCM activities must match, focus upon and
of events can overwhelm the normal opera- directly support the business strategy and
tional and management systems. goals of the organisation;
q BCM must provide organisational resilience
A further and critical reason for having a to optimise product and service availability;
planning process is so that the individuals q as a value based management process BCM
who are required to implement the plan can must optimise cost efficiencies;
rehearse and test what they might do in dif- q BCM is a business management process
ferent situations. Scenario planning exercises that is undertaken because it adds value
are a very helpful technique for destruct-test- rather than because of governance or regu-
ing different strategies and plans. latory considerations;
q the component parts of an organisation
Having said this, it is simply not possible to own their business risk; the management of
plan for every eventuality, and if you try to, the business risk is based upon their indi-
there is a great danger of creating ‘emer- vidual and aggregated organisational risk
gency’ manuals that are simply too heavy to appetite;
lift. A trade-off needs to be achieved between q the organisation and its component parts
creating an effective fit-for-purpose capabili- must be accountable and responsible for
ty and relying on untrained and untried indi- maintaining an effective, up-to-date and
viduals and hoping they will cope in an emer- fit-for-purpose BCM competence and capa-
gency. bility;
q all BCM strategies, plans and solutions
The spanning of the gap between the plan must be business owned and driven;
and those who carry it out can be achieved q all BCM strategies, plans and solutions Scenario
by either formal tuition and/or simulations. must be based upon the business mission planning
The well-known maxim that a team is only as critical activities, their dependencies and exercises are
strong as its weakest link is worth remember- single points of failure identified by a busi- helpful in
ing here. ness impact analysis; destruct-
q all business impact analysis must be con- testing
The exercising of plans, rehearsing of team ducted in respect of business products and strategies and
members and testing of solutions, systems services in an end-to-end production con- plans
and facilities are the elements that provide text;
and prove an effective and fit-for-purpose q there must be an agreed and published
capability. However, simulations are not easy organisation policy, strategy, framework
to devise, and because of this, many organisa- and exercising guidelines for BCM and cri-
tions do not venture beyond the develop- sis management;
ment of a plan. They are, nevertheless the q the organisation and its component parts
best way to avoid planning bureaucracy. must implement and maintain a robust
FACULTY OF FINANCE AND MANAGEMENT 29
4. January 2003 MANAGEMENT QUARTERLY
R I S K – O P E R AT I O N S
exercising, rehearsal and testing pro- outsourced and/or internal sourcing of
gramme to ensure that the business conti- products, services, support or data should
nuity capability is effective, up-to-date and reflect these good practice guidelines.
fit-for-purpose;
q the relevant legal and regulatory require- The structure and format of the guidelines is
ments for BCM must be clearly defined based upon the most frequently asked ques-
and understood before undertaking a BCM tions in relation to BCM, which are listed in
programme; Figure 2 (below).
The BCM life q the organisation and its component parts
cycle has been must recognise and acknowledge that rep-
created as an utation, brand image, market share and The BCM life cycle
interactive shareholder value risk cannot be trans-
process tool ferred or removed by internal sourcing The BCI principles and frequently asked ques-
and/or outsourcing; tions have been drawn together to create the
q BCM implications must be considered at BCM life cycle (see Figure 3, opposite), an
all stages of the development of new busi- interactive process tool to guide the imple-
ness operations, products, services and mentation of an effective BCM process.
organisational infrastructure projects; The six stages of the life cycle in more detail
q BCM implications must be considered as are set out in Figure 4 (opposite).
an essential part of the business change
management process; The guidelines have been used to generate a
q the competency of BCM practitioners tool for evaluating the BCM process, which
should be based and benchmarked against takes the form of a spreadsheet current state
the 10 professional competency standards assessment (benchmark) workbook (see Figure
of the BCI; 5, on page 32). The workbook enables and
q all third parties including joint venture facilitates good practice compliance evalua-
companies and service providers, upon tion, current state assessment gap analysis,
whom an organisation is critically depen- assurance and benchmarking (process and
dent for the provision of products, ser- performance).
vices, support or data, must be required to
demonstrate an effective, proven and fit- Each organisation needs to assess how to
for-purpose BCM capability; and apply the ‘good practice’, contained within
q the standard terms and conditions of any the guidelines, to their own organisation.
They must ensure that their BCM competence
and capability meets the nature, scale and
complexity of their business, and reflects their
Figure 2 BCM questions individual culture and operating environment.
GUIDELINE COMPONENT MOST FREQUENTLY ASKED
HEADING QUESTIONS Crisis management
PURPOSE q Why do we need to do it? The key elements of a crisis management
OUTCOMES q What will it achieve? framework are slightly different to the BCM
lifecycle, and include those set out in Figure 6
COMPONENTS q What do we need to do to it? (page 32), but the list should not be seen as
q What does it consist of? restrictive or exhaustive. There are many
(ingredients)
advantages to adopting a modular approach
METHODOLOGIES AND q What are the tools we need to a crisis or business continuity situation,
TECHNIQUES to do it? not least that it can be easily and quickly
modified to suit local, national as well as
PROCESS q How is it done? global requirements.
q How do we do it?
FREQUENCY AND TRIGGERS q When should it be done? However, in managing any event it is critical
to recognise that a successful outcome is
PARTICIPANTS q Who does it? judged by both the technical response, and
q Who should be involved?
the perceived competence and capability of
DELIVERABLES q What is the output? the management in delivering the business
response. The stakeholder perception should
‘GOOD PRACTICE’ q How do we know if we have be seen as the critical success factor with an
EVALUATION CRITERIA got it right? equal, if not more urgent priority over the
30 FACULTY OF FINANCE AND MANAGEMENT
5. MANAGEMENT QUARTERLY January 2003
R I S K – O P E R AT I O N S
Figure 3 The business continuity management life cycle
Understanding
your business
1
Exercising, Business
maintenance 5 2 continuity
and audit strategies
BCM
6
Programme
management
4 3
Develop and
Building and implement a
embedding BCM response
BCM culture
Figure 4 The six stages of the life cycle in more detail
1 UNDERSTANDING q Business impact analysis. 5 EXERCISING, q Exercising of BCM plans.
YOUR BUSINESS q Risk assessment and control. MAINTENANCE q Rehearsal of staff, BCM teams.
AND AUDIT q Testing of technology and
2 BCM STRATEGIES q Organisation (corporate) BCM BCM systems.
strategy. q BCM maintenance.
q Process level BCM strategy. q BCM audit.
q Resource recovery BCM
strategy. 6 THE BCM q Board commitment and
PROGRAMME proactive participation.
3 DEVELOPING AND q Plans and planning. q Organisation (corporate) BCM
IMPLEMENTING A q External bodies and organisa- strategy.
BCM RESPONSE tions. q BCM policy.
q Crisis/BCM event/incident q BCM framework.
management. q Roles, accountability,
q Sourcing (intra-organisation responsibility and authority.
and/or outsourcing providers). q Finance.
q Emergency response and oper- q Resources.
ations. q Assurance.
q Communications. q Audit.
q Public relations and the media. q Management information sys-
tem (MIS): metrics/scorecard/
4 BUILDING AND q An ongoing programme of benchmark.
EMBEDDING A education, awareness and q Compliance: legal/regulatory
BCM CULTURE training. issues.
q Change management.
FACULTY OF FINANCE AND MANAGEMENT 31
6. January 2003 MANAGEMENT QUARTERLY
R I S K – O P E R AT I O N S
Figure 5 The BCM process
Maturity level
STAGE 1: UNDERSTANDING YOUR BUSINESS
Organisation strategy
Operational and
Critical business factors
(Mission critical
Business outputs and
deliverables
1
business objectives activities) (Services and products)
STAGE 2: BUSINESS CONTINUITY MANAGEMENT STRATEGIES
Organisation
(corporate) BCM
Process level
BCM strategy
Resource recovery
BCM strategy
2
strategy
STAGE 3: BUSINESS CONTINUITY SOLUTIONS AND PLANS
Business continuity
plans
Resource recovery
solutions and plans
Crisis management plan 3
STAGE 4: BUILDING AND EMBEDDING A BCM CULTURE
BCM culture and Education and culture BCM training 4
awareness programme building activities programme
STAGE 5: EXERCISING, MAINTENANCE AND AUDIT OF BCM
Exercising of BCM Maintenance of BCM Audit of BCM 5
STAGE 6: BCM PROGRAMME MANAGEMENT
BCM programme
BCM policy BCM assurance 6
management
technical solution. Consequently, the acid test
is to convincingly demonstrate an effective
Figure 6 Crisis management and fit-for-purpose business continuity and
crisis management capability, and to continue
business as usual. This is in contrast to the
BUSINESS RISK CONTROL more familiar pattern of a fall and recovery of
q Monitoring. a business, which is more representative of the
q Prevention. outdated disaster recovery and business
q Planning and preparation. resumption approaches.
q Crisis identification.
ASSESSMENT Conclusions
q Crisis evaluation (including an evaluation criteria).
An organisation consists of people, and people
INVOCATION AND ESCALATION at the top who give a cultural lead. As a conse-
quence, business continuity and crisis man-
MANAGEMENT AND RECOVERY agement are not solely a set of tools, tech-
niques and mechanisms to be implemented in
CLOSURE AND REVIEW an organisation. They should reflect a more
q Formal closure. general mood, attitude and type of action
q Ongoing issues, eg investigation and litigation. taken by managers and staff.
q Post crisis review and report.
Individual personalities play a crucial and crit-
IMPROVEMENT ical role. It is the human factor that is fre-
q Implementation of approved post crisis review quently underestimated in BCM. This is of
report recommendations. particular importance because the examina-
tion of the cause of business continuity events
32 FACULTY OF FINANCE AND MANAGEMENT
7. MANAGEMENT QUARTERLY January 2003
R I S K – O P E R AT I O N S
and crises usually identifies several warning appointing a BCM ‘champion’ at a senior level
signals that were ignored or not recognised. whose role is to draw together, under a matrix
The key to a successful crisis and BCM capabil- team approach, representatives from the vari-
ity is to adopt an holistic approach to validate ous organisation functions eg human People are the
each of the key building blocks of the BCM resources, together with key line of business key to
life cycle and process. heads to ensure a co-ordinated approach. The successful
key advantage of this approach is that it BCM
The first task is always to identify the right builds on what already exists and has been
people who are not bounded as individuals or done thereby enabling a ‘virtual capability’
within the corporate culture. It is on these cri- that provides cost efficiency. A further benefit
teria that the success or failure of creating an is that it ensures ‘buy-in’ throughout the
effective and fit-for-purpose BCM capability organisation.
will be determined. Having identified the right
people, they should engage in the BCM plan- In adopting this methodology and regularly
ning process using the BCI Good Practice exercising, rehearsing and testing the organisa-
Guidelines and training via the exercise simu- tion maintains an effective up-to-date and fit-
lations of plans, rehearsal of people/teams and for-purpose BCM and crisis management capa-
testing of systems, processes, technology, bility. When a crisis hits the organisation
structures and communications. everyone knows what to do and a smooth
invocation of the plan takes place ensuring
The organisation can assist this process by that the impact on mission critical activities is
Further reading and references
Whilst the guidelines are predominantly designed for the q ‘Major incident procedure manual’,
BCM practitioner the following publications are strongly London Emergency Services Liaison Panel, (5th Edition)
recommended as introductory reading by directors and Metropolitan Police, London (1999)
senior managers of all organisations:
q ‘Wider than IT’
q ‘Communicating out of a crisis’ Leather, G, Continuity (2001), Vol 5, Issue 1, p4-5
Bland, M, Macmillan Press Ltd, London (1998) (ISBN 0-
333-72097-0) q ‘Crisis Management : A diagnostic guide for improving
your organisation crisis preparedness’
q ‘Getting Started’ Mitroff, II and Pearson, CM, Jossey-Bass, San Francisco
Business Continuity Institute, BCI, Worcester(2001) (1993) (ISBN 1-55542-563-1)
q ‘BCM: A strategy for business survival’ q ’BCM – preventing chaos in a disaster’
Business Continuity Institute, BCI, Worcester (2002) Power, P, Department of Trade and Industry, London
(1999)
q ‘An introduction to BCM’
Central Computer and Telecommunications Agency, The following video should also be considered as introduc-
HMSO, London (1995) (ISBN 0-11-330669-5) tory viewing by all managers and staff within an organisa-
tion:
q ‘A risk focused review of outsourcing in the UK retail
banking sector’ q ‘Back to business: planning ahead for the unexpected’,
Financial Services Authority, London (2001) Business Continuity Institute (2001).
q ‘How resilient is your business to disaster’
Home Office, HMSO, London (1996)
References
q ’Heeding the lessons of 9/11'
Honour, D, International Journal of BCM (2001), Vol 2, Issue 1. ‘FSA working paper on Business Continuity manage-
1, p13-17 ment’
Financial Services Authority, London (2002)
q ‘Business continuity’
Institute of Directors, Director Publications Limited, 2. ‘Business continuity and supply chain management’
London (2000) (ISBN 0-7494-3563-1) Chartered Management Institute (2002).
q ‘The impact of catastrophes on shareholder value’ 3. Transforming a crisis-prone organisation’
Knight, RF and Pretty, DJ, Oxford Executive Research Pauchant,TC and Mitroff II (1992), Jossey-Bass,
Briefings, Templeton, College (2000) San Francisco.
FACULTY OF FINANCE AND MANAGEMENT 33