Terrorism threats, financial scandals, and executive malfeasance are increasingly becoming topics of discussion in corporate board rooms. What influence do business continuity managers have when board members take the lead to reduce these threats? More importantly, how can business continuity managers be more effective at infusing the best practices of business continuity into their organizations’ strategic planning processes?
We find part of the answer by looking at who is responsible for managing risk in a modern organization. For many, the risk profile is distributed among several risk specialists. In fact, risk assessment is sometimes so fragmented that the individual pieces are not known or understood within the enterprise. Recently, a major distributor formed a new committee to evaluate possible process changes that should be considered due to the enactment of the Sarbanes-Oxley Act. In this instance, the committee functioned for eight months before they stumbled on the business continuity manager’s program. Several risk specialists are common. Risk managers protect the assets, while auditors look after financial integrity, and security managers protect property and personnel. Systems managers ensure the integrity of data. But who is identifying operational risks as the business expands, contracts, or changes its business processes? This is a perspective that must be supplied by the business continuity manager.
One Company’s Experience
When business continuity is not integrated with strategic planning, bad things can happen. Recently, a content provider for cable television built a new corporate headquarters on the east coast. Because their site choice and construction were well underway on 9/11, terrorism was not a significant consideration in their site development processes. Shortly after the 9/11 disaster, they requested a business impact analysis for the headquarters site to learn more about this newly perceived threat, but when they saw the results of the study, they were surprised. Despite their initial concerns about terrorism, the assessment reports revealed that a major metro station, freight and passenger railways, and a nearby industrial area all posed dangers far more likely to occur than a potential terrorist attack. None of these vulnerabilities had been factored into the site selection process.
Recognizing the need to upgrade their site selection processes caused positive change in this company, as they began to examine other strategic decisions they were engaged in making, one of which was the relocation of their uplink site that broadcasts to Latin America. With the headquarters revelations fresh on their minds, they realized the value of having a similar analysis for the proposed uplink facility. This time the analysis was performed far enough in the future, enabling them to consider several alternative sites, and thereby narrowing the choices to those that offered the least risk from both natural and man-made hazards. Now they see the financial value of their improved planning processes, and henceforth they will routinely consider the operational risks when it is time to make strategic decisions.
To Centralize or Not to Centralize…
Facilities consolidation is another strategic planning process that needs the influence of business continuity principles. I recently worked with a west coast non-profit organization that had four separate facilities in the Los Angeles area. Recognizing their need to expand would continue for several years, they leapt at an opportunity to lease space in a single location that could accommodate everyone. Soon after they embarked on this consolidation strategy, they began to discover that their operations were becoming more vulnerable to disaster because they were no longer distributed among multiple locations.
In another strategic consolidation, a major financial institution decided to reduce headcount by setting up a centralized call center to take over functions that had previously been performed at branches throughout the U.S. Examining their risks after this consolidation, they quickly became aware that the impact of a disruption at the call center would now be felt throughout the country. Once this exposure was pointed out to the corporate executives, they re-examined the plans they were developing for growth, and made the strategic decision to not expand the existing call center further, electing instead to set up two more centers located in different geographies. In the process, they sized the new centers so that any two of the three could take the full workload, should one of the centers become inaccessible. This change in strategy did not cost extra dollars, yet it significantly improved the disaster resistance of their call center operations.
In two other cases, a financial lender and a major retailer both learned through the work of their business continuity managers that the proposed strategy to establish new business recovery centers would be far more costly than using space the company had already acquired for normal business growth.
Strategic = $avings
Through trial and error, all of these organizations discovered the strategic value of a good business continuity program. In the process, their business continuity managers became valuable internal resources, providing unique insight and knowledge, and ultimately saving their organizations from making costly mistakes.
It is an ongoing challenge to teach executives how to position their business continuity managers so they can more easily perform in a strategic role. Where should the business continuity manager report organizationally? Frequently we find the business continuity manager isolated and reporting to a function that has narrowly focused priorities. From these vantage points, the business continuity manager becomes a lonely voice in the wilderness, struggling to be heard, with little success.
Business Continuity Should Report to the CFO
Several departments can support the work of a business continuity manager somewhat effectively, including Security, Auditing, Information Systems, and Operations. However, the ideal spot for a business continuity manager is reporting to the CFO along with the auditors and other risk managers. CFOs are ultimately responsible for fiscal integrity. They hold the purse strings, and must always consider risk versus gain. That’s why CFOs need the business continuity manager’s expertise to quantify the operational risks. When the business continuity manager reports in this hierarchy, the CFO begins to see the full spectrum of risks under his control: physical assets, financial integrity, and operational risks.
This reporting structure is not new. Many organizations have already positioned their business continuity managers in this manner. But our industry has not yet embraced this concept as a standard. We continue to voice that our business continuity managers need to be recognized more, yet we are overlooking the obvious logic: If we position business continuity managers where the money decisions are being made, they will be better perceived to bring value to the business.
This reporting structure has not been standardized because the significance of business continuity is still not understood. Moving the business continuity manager into a more visible position under the CFO’s umbrella, and making them be a part of the strategic planning team are key steps to make that happen. Enabling the business continuity manager to contribute an objective analysis of pending business decisions at the beginning of the process will be a significant way for our profession to gain the respect and clout it deserves. Take a close look within your own organization to determine what steps you can take to make this happen. We, ourselves, hold the key to solving the visibility problem our industry is facing. Each of us must take the first step to make these changes become reality.
About the Author
Judy Bell is the co-founder and CEO of Disaster Survival Planning Network (DSPN). She is a Certified Emergency Manager (CEM) through the International Association of Emergency Managers, and a member of the American Society of Professional Emergency Planners (ASPEP). As a Division Manager at Pacific Bell, Ms. Bell directed the activities of 2400 employees and was responsible for all central offices and data services within area codes 213 and 310 (Los Angeles), as well as all long distance services within Southern California. During the Whittier Earthquake of 1987, Ms. Bell, as EOC Chair, coordinated the overall restoration of the Pacific Bell public telephone network. She has participated with industry associations at national and international levels, and, in 1991, authored the first book on business continuity for the private sector, Disaster Survival Planning: A Practical Guide for Businesses. Judy may be reached at [email protected].
Leave A Comment
You must be logged in to post a comment.