Terrorism threats, financial scandals, and executive malfeasance are increasingly becoming topics of discussion in corporate board rooms. What influence do business continuity managers have when board members take the lead to reduce these threats? More importantly, how can business continuity managers be more effective at infusing the best practices of business continuity into their organizations’ strategic planning processes?
Many implemented business continuity programs are not based on a solid, business-focused foundation. Too often, the driving factors given for implementing BC/DR fail to address the overall business benefits altogether. Reasons such as adherence to regulatory requirements or protection of local operations (lines of business) so they can function continually are often rooted in a reactive philosophy that may or may not impact the business’ bottom line.
Sarbanes-Oxley is a control legislation designed to assure corporations are properly reporting results to the investment world. Where it diverges from the major benefit of a truly integrated, business-driven BC/DR program is in interpretation: It often doesn’t direct how to address the impact of time and materiality of a systems failure. We define materiality as “that quantified measure of the adverse business impact, which would be incurred by the business if one or more specific business processes were disabled for a defined period of time, that is no longer acceptable to the stakeholder.” As long as the corporation can evidence its recovery system will get it back to the correct financial figures, it has met the intent. While this satisfies the investment community, the long-term impacts on the corporation are not addressed.
The second frequently cited reason to implement a full scale BC program is to protect the local operations. This approach also often fails to look at the importance of an operation from an enterprise perspective and appropriately measure the cost and time it takes to feel the pain. This failure can have very expensive repercussions for the shareholder, mostly in the form of lost income, negative corporate image, over-investment, and improper asset allocation.
The two drivers above therefore miss what should be the overall driving principal and the cornerstone of a full-scale BC/DR program. The criticality of every business operation should be measured in terms of the overall impact to the shareholder, and a company’s ability to recover should be defined in terms of the shareholder’s expectation of a planned and tested recovery procedure. What is the criticality of this operation? How long will it take to reach a pain threshold where the shareholder feels the impact? Asking these questions and knowing the expectations is critical to putting the company in a position to do the right thing.
Thinking Globally
What happens when BC/DR programs are not implemented around these principles? If a BC/DR program does not base itself around protection of critical and material systems, resources and time will be wasted, and often investment decisions will be made based on incorrect or non-material factors. For example, a local general manager in a small operation or country may want to invest in the best high availability solution to protect his local results and thus his job and bonus. However, this small operation contributes very little to the overall company bottom line in this scenario. In this case, the shareholders would be spending an inordinately large amount to protect a small part of the company’s revenue stream.
A better solution would be to have a focused yet global approach. This would mean satisfying a local need but basing the solution (and the investment) on a validated global or enterprisewide standard. In the scenario above, a best-effort recovery model may be more than adequate instead of a fully implemented high availability solution, thus freeing up resources for use in other, more critical businesses or locations.
Understanding Materiality
A program must be based on two driving principals: materiality of a system, and time to reach this materiality. Materiality must be based on global stakeholder needs and expectations.
For the most part, financial materiality can be an easy item to determine and measure. It can be based on cents per share, percent of annual sales or profit, or it can be linked to working capital – all items that resonate with senior management and that are important to their and the company’s success. The challenge for many companies is to spend the time necessary to appropriately define materiality and to translate these definitions into terms that can be quickly understood and considered by business leaders.
When does a manufacturing plant, which is part of one or several complicated supply chains, have a shutdown which becomes material? When does delay in ability to file regulatory data, or contact a client, reach the next level of materiality? At what point does the local business disruption become a disaster? These questions must be developed in order to engage with the business, garner their support, and bring a full-scale integrated process to all areas of the business. This means bringing the full power of an integrated solution to the plant manager, facilities supervisor, or research director that is tailored for the business and corporation and that can be revisited over time.
A Case Study
During an enterprisewide BC/DR initiative at a major global pharmaceutical company, all decisions were based on a “shareholder test,” which took into account the breadth of the shareholder community and uncovered that there were no individual shareholders for any particular business group, but in fact only shareholders for the parent company. The challenge then was determining if a shareholder at the global level would approve of an investment (of both time and money) in the selected BC/DR standards and solutions.
The executive sponsorship was compelled to support the business-driven BC/DR vision, citing that, though IS can be a key enabler, without the business being required to drive decisions on investment, a BC/DR project cannot succeed. This sponsorship set the stage for a program to be developed that would eventually redefine how and when BC/DR plans and investments were identified and implemented.
A cross-functional team was created and led by a member of the risk management organization with direct linkage to supply chain and operational risk assessments. The team also included several broad-minded IS folks with a core understanding that IS was an enabler to business continuance and not the sole solution unto itself. This structure and approach provided the contact with the business leaders and the knowledge of all business operations. It also ensured technical representation so that processes, systems, and tools could be developed to satisfy the materiality and time-to-recover requirements identified.
The program leadership team orchestrated the development of a panel of business representatives in order to structure and tailor the process to meet their specific business group needs and to assure their ongoing representation. The team also had a tie-in to the Strategic Risk Office and had access to the enterprise risk levels that drove materiality decisions. The team conducted a focused risk tolerance analysis involving much of senior management and yielded four materiality ranges.
Considerable time was then spent with the business units, continually working to build the needed parallel definitions of materiality and translating these definitions into terms they could understand. Any system with an impact of greater than a predetermined value in six months would be required to have a documented and tested recovery strategy in place to avoid the loss.
Once the levels were identified, materiality and time to reach materiality became the driving elements of the business impact assessment (BIA) process. A BIA tool was built that would quickly identify material processes and systems, and the related time to materiality. This method would allow for a more efficient implementation, focusing efforts only on the specific functions that breach materiality.
Throughout the project, senior management support was sustained, and it was mandated that the business functions would drive the process, and only those systems (whether IS, facilities, manufacturing, research, etc.) with a material impact on the shareholder would be considered and continue along the implementation trail to the final stage: a documented recovery plan capable of recovering the system before its impact becomes material.
Sustainable BC/DR Operations for the Business
A properly designed and integrated BC/DR solution is of significant strategic and tactical value to numerous areas of the business and IT, beyond that of pure recovery planning. Overspending in BC or DR will hit the company’s P&L, while underspending on BC or DR for a critical line of business can be devastating to shareholder value. Understanding and acting according to this premise can be extremely valuable for resource planning, long-term decision making, and investment planning and can be very effective in supporting change management.
By building BC/DR into the culture of the company and making it part of any investment and change management decision, it becomes a sustainable process that can add value to the company and increase the understanding of business operations by the employees. A properly implemented program will always seek to evaluate at the enterprise level, but implement locally. This evaluation is based on understanding the intrinsic value of any operation to the enterprise as a whole and further ensures investments are directed to critical business priorities.
Understanding materiality and time to reach materiality in operations, and the associated shareholder expectations specific to those operations, can benefit local business managers and support inventory, capacity allocation, and even long-term planning decisions. In this way, BC/DR is a critical and leverageable part of the strategic risk management decision process. It is impossible to implement a business continuity solution without understanding the company’s risk appetite and thresholds for materiality.
About the Authors
Brian Bobich was an IS team member and BC/DR implementation leader at Aventis. He is now a founding member of Core Systems Group, a company founded to provide optimal solutions for Business/Government Continuity, Service Management/Service Delivery, and Enterprise Security. He can be reached at [email protected]. Andrew Tait was global BC/DR director for Aventis and is now a member of the Sanofi Aventis Insurance department. He can be reached at [email protected].
Leave A Comment
You must be logged in to post a comment.