Growth, Change, And Growing Pains In BCM

Business continuity management is still looking for a place to call home in many organizations. BCM ownership is all over the map, and the changing scope of risks and standards adds complexity.

** sourced from Continuity Insights magazine

Business Continuity Management (BCM) has changed rapidly in recent years. Today, many BCM programs are a byproduct of enterprise risk management (ERM) programs or part of customer-driven service level agreements. But BCM is still looking for a place to call home in many organizations, with BCM ownership all over the map, and the changing scope of risks and standards adds complexity as well. Where will BCM end up? And what is it, really, anyway?

Home Sweet Homeless

For several years, the trend has been for BCM to move out of information technology (IT) departments, with IT retaining the IT disaster recovery program in most cases. Unfortunately, there has not been steady progress toward finding a new home for BCM that works for the majority of organizations. According to a 2009 survey by BC Management, it is almost equally likely that BCM will belong to risk management, to operations, or to a separate BCM program office on equal (or sometimes greater) standing with the traditional risk management department. Forward-thinking CIOs have lobbied for BCM to remain within their organizations as they have seen its profile rise and board-level interest in BCM grow.

The major challenges with the migration out of IT are finding the best organizational fit and finding the right skills in the personnel charged with running the program. As intuitive as it seems to place the BCM program within risk management, it might not be a good fit. Risk managers generally deal with issues that are high frequency but relatively low severity, such as workers' compensation and general liability claims, whereas continuity risk has the opposite profile: rare, but potentially severe enough to interrupt key lines of business.

Create a Better Value Proposition

BCM value propositions can differ as much as organizational cultures. Some techniques to improve the BCM value proposition include:
  • Add new sections to incident reports and other loss reporting that explain what might have occurred had mitigation and continuity efforts not been in place. Executives who do not know how effective past strategies have been at minimizing impact to key lines of business are not likely to support requests for new initiatives.
  • Look at each current BCM strategy, regardless of whether it is focused on people, technology or facilities, and define the day-to-day benefits the organization receives from it. Whether the investment is a rapid communication tool, better IT resilience or stronger continuity teams, make sure you can articulate the benefit the company will realize even without suffering a disaster.
  • Document the process improvements and other benefits that occur as a result of the BCM program. Organizations routinely identify better ways of accomplishing their goals during the BCM life cycle, because BCM requires a close look at the “How?” and “Why?” of current processes as much as the “What?” When business leaders cannot explain, during a conversation about restoring a process to normal after a critical event, how it turned out to be so cumbersome or why it has to be organized the way it is, that is an opening to improve the process during business-as-usual operations as well.
  • Better articulate the risk of not having an effective BCM program. This might seem like common sense, but many BCM program owners simply assume executives “get it” about the consequences of an interruption. The truth is that in many situations the executive team has been out of the minutiae of operations long enough to forget the operational dominoes that can fall, especially those involving recent changes or reductions in operations.
  • Promote BCM as a cost saver. Mark Twain said, “Some people say don’t put all your eggs in one basket. I say put all your eggs in one basket and watch that basket.” Executives are sometimes wary of taking on operational changes that could save the company money because of the risk those changes introduce. If a BCM program owner can demonstrate how a portion of the cost savings could be used to make the downsized operation sufficiently resilient, the organization can implement the change worry-free and still realize most of the savings.

But where should BCM report? There really is no right or wrong answer. In most cases, continuity risk is best managed by people closest to the risk’s impact. That means the business ultimately should own it. How the program is managed should mirror how the overall company is managed. Organizations with a decentralized management structure that try to manage BCM in a centralized program office will tend to struggle with implementation. 

One development over the past several years has been the creation of standalone BCM program offices. These most commonly reside inside a “shared services” group and report to its leader, who typically reports to a chief operating officer (COO) or president.

High Profile Changes

“Where” is not the only change BCM has undergone in the past several years. “What” has also expanded to include different types of risks, and programs are becoming more influenced by standards of practice in addition to individual practitioner certifications. 

With more high-profile catastrophes occurring, boards of directors have taken the management of these exposures more seriously, including more interest in BCM programs. For example, the trend toward improved pandemic preparedness (which began for many larger companies in 2005) opened the door for BCM programs to expand beyond traditional physical disasters.

Perhaps the most significant change is the rise in prominence of standards governing what constitutes an acceptable BCM program. Several standards are currently vying to be the one that the most influential organizations coalesce around: NFPA 1600, BS 25999 and a new standard developed by ASIS International (formerly the American Society for Industrial Security). Under U.S. Public Law 110-53, the Department of Homeland Security must select one or more standards to be designated as the U.S. national preparedness standard. The growing sophistication of the standards and their application will lead to more discussion about what constitutes an acceptable BCM program, but if multiple standards remain in use it could also create more confusion.

It is an exciting time to be responsible for BCM. When managed properly, BCM is an effective way to reach senior leaders with a new message about the importance of managing risk. The growing influence of standards, both in the U.S. and around the world, opens the door to a discussion of what kind of BCM program the organization’s leadership wants to have and how it ought to be governed. For example, while the content of NFPA 1600 and BS 25999 is similar, the flow of the documents and the planning models they espouse are very different. Illustrating the differences between these two standards is an effective technique to help senior leaders and the board declare their intentions for the BCM program.

Integrating BCM and Insurance
Wondering how to integrate insurance and BCM programs? These are simple first steps most organizations can take to begin the integration process:

  • Reconcile the organization’s BCM program with its declared values for extra expense and business interruption insurance. Underwriters generally appreciate this type of thoughtful business interruption values study, and in most cases insurable values can be reduced or deductibles raised, allowing the organization to save money on premiums.
  • Determine which BCM standards or regulatory requirements the organization is mandated to follow and evaluate their effectiveness (Internal Audit is an excellent partner in this effort). Evaluate whether any gaps in the BCM program warrant additional protection for directors and officers, based on the probable actions that might result from an unsuccessful continuity response.
  • If the BCM program also includes emergency response and life safety responsibilities, review the training programs for those charged with assisting employee evacuation, staffing fire brigades, administering first aid and other duties that affect worker or visitor/guest safety. A focused review might reveal specific improvements that could limit the organization’s workers' compensation and general liability risk.
  • BCM programs can have an impact on professional liability coverage as well. In many surveys, professional firms rate near the bottom of all industries in continuity preparedness because they incorrectly believe that their people are their business and can resume work wherever they are. The reality is that professional firms with poor BCM can store client data inappropriately, insecurely or in a manner that is not easily recovered; lose control over decision making during a crisis in a way that puts clients at risk; or succumb to unnecessarily long business interruptions that cause the firm to miss deadlines or otherwise jeopardize their clients’ interests. Effective BCM is a hedge against these kinds of risks, and many professional firms find that as they minimize their professional liability exposures through improved BCM, they also identify ways to operate better for their clients on a day-to-day basis.

Proposals to create a single regulatory body overseeing all kinds of financial institutions will create additional opportunities for organizations to either benefit or be penalized by their BCM. In the U.S. today, the business continuity requirements set by the Federal Financial Institutions Examination Council (FFIEC), the interagency body that sets examination standards for federally regulated banks and thrifts, are seen as the “gold standard” of all BCM requirements. As the federal government groups more non-traditional financial service offerings with these long-regulated institutions, it is much more likely that the newly covered organizations will be required to comply with these challenging rules than that the existing requirements will be watered down to reflect the broader group.

BCM and Insurance
The relationship between BCM and insurance has never been as strong as many outsiders might believe. Even where the connection seems obvious, such as the procurement of business interruption and extra expense insurance, only a small minority of organizations actually use the BCM program to forecast what their losses would look like by reconciling the insurance concepts of “probable maximum loss” and “maximum foreseeable loss” with the capabilities of the BCM program. The recent changes have created an opening for more organizations to better align their approach to catastrophic risk, even if there is not currently a tidal wave of momentum for it.

One connection that has not yet been made as strongly as it may be in the future is not premium reductions for having a BCM program, but insurability at any reasonable price for a higher-risk company that does not have one. This is already the case for some high-risk companies with an extremely high incidence of business interruption losses, but as underwriters become more knowledgeable about the differences between effective BCM programs and paper tigers, they will be able to lower the threshold of risk at which they require a BCM program to be in place. The movement toward third-party BCM certification, similar to ISO 9001 or ISO 14001 certification, should expedite that trend, since it will give underwriters one more piece of objective data on which to base their conclusions. Rather than a totally new concept, this could simply appear in the marketplace as an evolution of highly protected risk (HPR) underwriting.

An additional angle that may be exploited in coming years is the relationship between BCM and directors’ and officers’ (D&O) coverage. As BCM standards become more commonplace, it will be far easier for plaintiffs’ attorneys to demonstrate that the organization owed its stakeholders a specific duty and failed to meet it. This exposure will be more likely if the courts continue to hold boards of directors accountable for the specific content of their decisions, as opposed to simply reviewing the process used to inform their business judgment.

As BCM standards gain prominence, insureds should also take greater notice of most property insurers’ requirement that the insured mitigate losses. While it is not likely that insurers will require insureds to demonstrate BCM program effectiveness as part of ordinary claim activity on typical losses, it is entirely foreseeable that insurers will become more interested in which BCM elements were used to mitigate large losses, and that where BCM programs were absent or ineffective, insurers will use that fact during claim negotiations. Since the elements of an appropriately designed BCM program are well known, insureds cannot reasonably claim to have mitigated a business interruption loss when little or no continuity capability was deployed.

The greater the adoption of BCM standards in the marketplace, the more likely they will be used to determine whether insureds took commercially reasonable steps to mitigate a loss. If this trend develops, wise insureds would do well to establish with their carriers in advance, during renewal negotiations when their leverage is strongest, the level of BCM program effectiveness that will demonstrate their commitment to being ready to mitigate any losses.

Good, Better, Best
There is no shortage of articles claiming that a lack of management support will doom a BCM program to mediocrity, but in most cases the premise of this position is wrong. The reality is that most senior leadership teams will support initiatives that have a strong value proposition. BCM program owners who over the years have explained their programs as “insurance” have done the program a disservice, and in most cases have seen their program maturity plateau or even decline. The reason is simple: senior leadership does not spend more than it has to on insurance, as we see every year at renewal time. A poor value proposition for the BCM program is one reason it might never be good, let alone world class.

A similar reason for mediocre programs is a compliance mentality. When BCM is seen and managed as compliance rather than as an operational capability, it is almost always treated as a necessary expense to meet minimum criteria rather than as an investment in a resilient operation. Not only do companies generally spend the minimum time and resources on these types of programs needed to comply with the requirement, they often lose sight of the spirit of the requirement altogether and end up “checking the boxes.”

Perhaps the most important difference between good programs and great ones is how focused great programs are on executing their programs during an actual business continuity event. Great programs consider all the stakeholders with roles in responding to an event and provide the panorama of tools necessary to do so effectively. Plans certainly comprise a part of that but BCM practitioners are wise to remember General Eisenhower’s well known quotation “In preparing for battle I have learned that plans are useless, but planning is indispensable.”

General Eisenhower knew what great BCM program managers have learned: more than the plans themselves, it is the learning that happens in the planning process that makes effective execution possible. This is a very good explanation of how so many organizations with bookshelves full of plans still struggle to deal with even moderately small events as well as they should. Full-time BCM staff and outside consultants can play an extremely helpful role in the development of a BCM program, but if the focus is on building plans or making sure plans have the “right” content, rather than on equipping those responsible for ultimately implementing them, the program will never produce the desired results.

ERM and BCM
Business continuity risk is a good example to use with boards in ERM discussions, because board members’ backgrounds are so different that there is no guaranteed common reference point for risk discussions. Unfortunately, there have been enough large-scale crises in the world recently that everyone can relate to something like a major hurricane, terrorist attack or product recall.

Consider a company that has many high-profile operations in a central location. When boards have a hard time visualizing what we mean by enterprise risks worthy of their attention, it is common for us to talk about a natural disaster wiping out their entire campus for an extended period of time. They can immediately relate to the business interruption aspects, but we also have the opportunity to bring in all the other consequences of that risk, including new product introduction schedules, reputation hits, impacts to market capitalization from investors’ visceral rush to get out of what they think might be a sinking ship, and so on.

Experienced risk professionals can use these discussions to show how potential risks actually interrelate like a series of dominoes. For example, flooding around a key distribution center that could reasonably be mitigated with a non-union labor force or modern equipment can highlight the risks around human capital or freight capabilities. A pandemic in a facility with a high concentration of key personnel will highlight the obvious risk to people and to key processes requiring special skills during a pandemic, but it also shows the weakness or strength of an organization’s day-to-day health and wellness programs, the effectiveness of personal time off policies, and areas where segregation of duties (a type of fraud mitigation in which an organization does not let one person have too much control over a process involving sensitive matters such as money or intellectual property) has gone too far or not far enough.

Another advantage of coupling BCM and ERM is that it can provide a filter for senior leaders to see which risk categories they want to address in ERM. When you can show them that events as different as an executive kidnapping and a major tornado can share enough similarities to be included in one category it can help them fashion other categories as well that prevent you from trying to manage a hundred different enterprise risks individually. 

The opposite is also true. You can show how something like a product recall can fit both into a continuity risk category and a products design/reliability category if you wanted to. Since you never know which angles may most appeal to the board, it’s terrific to use a risk everyone has a basic understanding of in the exploratory discussions.

Avoid "Compliance Mentality"

It is rare that a BCM program treated like a compliance program by executives and participants was ever really intended to be that way, yet many are. This is especially true in organizations with a regulatory requirement, such as financial institutions. The challenge is that the most common way to check that departmental business leaders are following the standard is to objectively look through the documentation they produce. Frequently these reviews happen in a sterile environment without sufficient one-on-one contact with the business unit management that developed the documents. The results are usually undesirable: an unhealthy reliance on how documentation appears without any evaluation of how well it could be implemented; an underdeveloped understanding of how well business leaders understand their continuity-related responsibilities and can execute them; and, perhaps worst of all, a culture that promotes the idea that documentation in good order is more important than any other part of the BCM program. If this situation is common and accurate, what are some solutions?
    • New approaches to reporting: Many BCM programs that require reporting to senior management focus their reports on the kinds of things described above: the percentage of plans with content filled in, or the percentage of people doing activities prescribed by the BCM office, such as participating in a “test.” These reports can be counterproductive, since they drive people toward these surface activities without affecting actual capability. Instead of reporting exclusively on outward appearances of the BCM program, consider how the program can report on retention of program participants, the impact of successful initiatives on organizational risk management goals, and how the program is changing to reflect the changing risk profile and risk appetite of the organization.
    • Emphasis on professional development throughout the stakeholder group: The old adage “give a man a fish, feed him for a day; teach a man to fish, feed him for a lifetime” holds true in Business Continuity Management. From the departmental representatives required to document impact analyses and continuity plans through the senior management team and the board, it is essential to provide progressively sophisticated training and experience to the stakeholders on whom the overall BCM program will rise or fall. Line-of-business managers need to understand what they can expect from others during a catastrophic event and what others expect of them; these expectations include, but are not limited to, IT infrastructure and applications. Stakeholders need to know whether their decision-making authority increases or diminishes during a catastrophic event. Every participant in the process needs to know the preferred method for information exchange and who is responsible for synthesizing all available information to determine the most effective way to bring the organization back to normal. Developing these types of professional development opportunities will also help the BCM program manager ensure the program’s elements are appropriately configured for maximum benefit.
    • Design of tools with the average participant in mind: One of the problems that has accompanied the increasing professionalization of BCM is the rise of BCM software tools. While they can be extremely helpful in many situations, they do not tend to be user friendly. If they are not careful, BCM program managers will select the tools they believe will make their reporting or governance of the program go well, rather than look at the vast number of stakeholders affected by the tool and select one based on how useful it will be to the people who have to complete their BCM responsibilities in only a few hours per month. Designing tools that can be used effectively by the largest number of participants, even if it involves more work for the BCM program manager, is an effective way to “empathize” with stakeholders who already have a full-time job. There are practical benefits for the BCM program office as well: departmental and field managers cannot participate in BCM-related professional development when they are wrestling with the organization’s BCM software tool, and demonstrating how stakeholder-focused the BCM program is through the design of its planning and analysis tools is the most effective recruitment effort into the professional development program.