ERM Led BCP to Protect the Stakeholders

By Andrew M. Tait | May 29th, 2012

“Of course my function is critical. We need all of our department systems back in no less than 4 hours, and we can’t have more than 1 day data loss. No question about it!”

The Business Continuity (BC) resource taking the interview marks down 4 hours for the RTO and 24 hours for the RPO and moves on down the list of questions. How many times has this scenario played out, and how often do senior managers roll their eyes when they see a department they view as less than critical demanding a very short (and therefore expensive) solution? The real underlying problem is the inability to directly translate and link the criticality of a function to the goals of the company and convert that into a recovery time that makes sense and appropriately identifies critical functions and recovery requirements to survive a major incident. By overlaying an Enterprise Risk Management (ERM) approach to business ‘Criticality’, the risk management or business continuity support team can go a long way in building a process which better supports the business as it develops and implements its BC/DR program.

Business Continuity (BC) and its sibling – Disaster Recovery (DR) – are two of the disciplines which, at their core, are all about leveraging assets and planning to make sure that if and when something goes wrong, enough has been done in advance to allow the company to keep its critical parts running without a ‘Critical’ impact to ‘Stakeholders’.

Now the challenging part of this statement – what is a Critical impact? Who are the stakeholders? The answer to both of these questions is one that any engineer would love… “That Depends”.

Addressing these questions, linking them with a process to understand what is ‘Critical’ and how long it takes for something to become ‘Critical’, and identifying which scenarios must be planned for, we suggest, establishes the foundation and is the most important first step on the road to an effective BC/DR program. Once established, a focused, logical plan can be developed by the business to build resiliency into the ‘Critical’ parts of the company. Just as importantly, this establishes a clear and supportable message that scarce resources should not be expended on anything other than incident management/emergency response services and baseline disaster recovery.

‘Criticality’ – the Heart of the Matter

At the heart of every good ERM program is an established set of criteria which helps bucket the magnitude of the impact of risk into tranches that allow a multitude of different risks to be compared, assessed, and prioritized, in order to allocate the scarce resources of time and money. Whether or not a company has implemented a full ERM program, establishing these thresholds, in the language of the company, is a very important step which can guide a broad range of internal discussions. ‘Criticality’, which by our definition is “an understanding of the reference points used to categorize the magnitude of the impact of an event”, will have different dimensions and orders of magnitude for different companies. Simply put, it helps us understand, when proactively assessing what could happen and the associated outcomes, when things move from ‘not good’ to ‘bad’ to ‘terrible’. At the primary level, it is usually the financial measure most used by the board to discuss threats and opportunities against company targets, be it Gross Revenue, Net Profit, Gross Profit, Free Cash Flow, or another measure.

The process of getting to these definitions is an interesting one, which first requires the company to think introspectively. Once this initial metric is identified, the organization then needs to determine the break points between ‘Low’ to ‘Medium’, ‘Medium’ to ‘High’, and ‘High’ to ‘Catastrophic’. The various break points applied (e.g. 1%, 5%, 15%) should identify where, in general, management would perceive the increased magnitude and significance of the outcome. With a good ERM program, these become part of the foundation for discussion and filtering of issues and also become a great set of criteria to link BC/DR with management’s expectations.

‘Business Criticality’ in the Language of the Business

Once the master set of ‘Criticality’ definitions has been established, the next step (one which is often overlooked but may well be the most powerful step in building this foundation) is the creation of operational synonyms which convert these master levels of severity into the language of the operational user. Ask an employee on a production line or a research chemist at an R&D site when a breakdown in their process would cause a loss in net profit of more than $15M and you will get a shrug of the shoulders. Ask them the same question using their own operational language (a 45-day shutdown of a product line, or a 90-day delay in the filing of a patent) and you will get a quick answer. Every industry and company has different terminology, but, when done correctly, this set of parallel definitions or synonyms creates a way for the heart and soul of the company to participate in the discussion of protecting critical business operations in a consistent manner. Some examples of this application of synonyms:

  • Critical manufacturing line shutdown
    • Less than 1 week – Low
    • 1 week to 30 days – Medium
    • 30 days – 90 days – High
    • Greater than 90 days – Catastrophic
  • Research building shutdown
    • Less than 30 day delay in a critical research project – Low
    • 30 – 60 day delay in a critical research project – Medium
    • 60 – 180 day delay in a critical research project – High
    • Greater than 180 day delay in a critical research project – Catastrophic
  • And many others like – Reputation, Customer Contact Time, or Number of Lost Orders – can be mapped out in similar manners.

There are other very important terms both for ERM and BC/DR – including Likelihood, Onset Speed, Recovery Time Objective, and others, but properly establishing the ‘Criticality’ levels may have the greatest impact on the effectiveness of the process. With ‘Criticality’ established, the discussion referenced at the beginning of this article becomes one that immediately starts to focus on protecting the enterprise.

Stakeholders: Investors and Who Else?

The company has a fiduciary responsibility around investment and needs to be able to provide a rational explanation as to why a site did or did not have a Continuity plan. This is true both on an ongoing basis, so as to be able to justify utilization of resources, and following an incident, so as to support the recovery capability provided at both critical and non-critical sites. In order to properly address the issues which would affect stakeholders, one must understand and recognize who these stakeholders are. Are they shareholders, customers, employees, or the community? The answer may be yes, yes, yes, and yes. Some of these may not be stakeholders and others may need to be identified. Considering who the stakeholders are helps us define the different angles from which ‘Criticality’ needs to be assessed.

Consider

Shareholders: The primary stakeholders of for-profit entities. Whether publicly traded or privately held, they have financed the company. Where do the shareholders expect money to be spent? Where could funds have been better used to increase retained earnings, dividends, or fund new ventures? This group and customers directly or indirectly pay for virtually everything.

Customers: Of course customers are always important, and certainly they would drive the revenue area of any financial measurement, but there are other considerations to make here. Do you have some smaller revenue products which have life or death implications, and are thus ‘priceless’? What other specific customer issues are there?

Employees: Once you have assured protection of life and limb (with an incident management process designed to protect life and the environment, coordinated directly with the BC/DR programs and established at all sites), the important issue to consider for these stakeholders is the long-term viability and success of the company. If the company survives, it can continue to pay its employees. Poor utilization of assets, whether from a bad acquisition or from overinvestment in non-essential BC, hurts the long-term viability of the company and therefore exposes employees.

The community: This could be an important stakeholder for not-for-profit entities, or for some for-profits depending on footprint and structure. What environmental controls require BCP solutions to protect the community?

Others: Each industry and company may have others unique to their situation.

By thinking comprehensively about the stakeholders, it is possible to identify those areas which need to be considered to properly assess the ‘Criticality’ of an event.

Now the Business can protect the Enterprise

Once the definition of ‘Criticality’ and its ‘Synonyms’, and the understanding of ‘Stakeholders’, have been developed, the foundation has been established for a clear and consistent policy upon which to build a strong BC/DR program. By directly tying into (and often taking direction from) the ERM practices of the organization, linking related disciplines, and breaking down silos so that consistency in terminology, sharing of data, and leveraging of work effort all support what is in the best interest of the company, the implementation team will have optimized the effectiveness of everyone’s efforts and should be able to affirmatively address the simple question, “Would our stakeholders expect us to have invested scarce resources in a Business Continuity strategy for this process?” With this approach we can go a long way towards building buy-in and support from all levels of the organization, providing support for the development of resiliency for business-critical functions, and promoting fiscal responsibility and good management.


About the Author
Andrew M. Tait, P.E., a Principal at Core Risks Ltd., has 22 years of risk management experience. He previously worked as Risk Manager for Sanofi Aventis and at its predecessor companies, where he ran BC/DR, implemented supply chain risk management and ERM programs, and coordinated the insurance purchases. Prior to that, he worked at J&H Marsh, and as a loss control engineer for Factory Mutual. He can be reached at:
[email protected]

Published in Enterprise Resilience
