Last year’s major catastrophes helped risk specialists push business continuity management up the board agenda. Now it’s all about maintaining that momentum

In the driving seat

Natural catastrophes, political unrest and cyber attacks all made headlines around the world last year. In today’s connected and global world, many organisations felt the impact as supply chains were disrupted, often with little contingency.

Japan’s earthquake and tsunami in 2011 hit car makers around the world, for example, when a single-sourced paint dye was suddenly unavailable.

“Whereas 15 years ago you designed in Manchester, produced in Liverpool and shipped out of Southampton, now you might design in Bangalore, produce in Guangdong and have your logistics centre in the Czech Republic - and send stuff all over the world,” says Chubb senior vice-president, European risk management, Jan Auerbach.

“Clearly your business interruption risk 15 years ago was very different to the risk you have today.”

Other businesses were hit more directly by last year’s events. Reinsurer Hannover Re has an office in Tokyo, so its crisis management team had to make quick decisions on relocating staff after the Fukushima Daiichi nuclear disaster - a big test of its reactive business continuity management (BCM).

“They had to plan what to do in case the radiation came near Tokyo,” says chief risk officer Eberhard Mueller.

“Leaving the country was not an option for Hannover Re. Our crisis management team decided to rent hotel space in Osaka so we could remain with the clients in mainland Japan if we needed to move.”

Such events have grabbed the attention of boards in global organisations. And cyber attacks, including the one that brought down Sony PlayStation last year, have reinforced the need for strategies covering business interruption and disaster recovery.

The right people
When a major event occurs, the risk manager and risk function must be able to communicate effectively.

“It doesn’t necessarily mean you’ve got to be sitting beside the board,” says former Airmic chief executive Alan Fleming.

“But you’ve got to have the right avenues to get through to the right people and crisis committees. The second thing is what you do when things go wrong - the really crucial issue. It’s more than BCM; it’s getting the right messages through quickly to the right people.”

The challenge is not simply achieving board buy-in - the Turnbull report, myriad legislation and the increasing popularity of enterprise risk management (ERM) have put risk firmly on the boardroom agenda.

The difficulty, says Mueller, is in gaining equal attention for the qualitative and quantitative aspects of risk management.

While some regulations call for reporting on aspects of qualitative risk management, including BCM and IT security, ERM’s emphasis is still on the measurable aspects.

“Sometimes management seem to have a good grasp of the quantitative aspects,” Mueller says. “But when it comes to qualitative risk management, they sometimes have difficulty in viewing those risks in the same metrics.”

Assessing these risks in a language the board understands can make a big difference, as Mueller found when he designed a self-assessment scheme for Hannover Re.

Numeric analysis of subcategories of qualitative risk enabled the board to assess readiness in different parts of the business and to benchmark progress.


Enterprise-wide approach
The next big issue is ensuring an enterprise-wide approach to business resilience.

“Specific risks need to be brought to the board’s attention,” says Auerbach.

“But the biggest challenge is bringing risk management to the C-suite and into the company. It’s about making risk management a priority of the factory manager in Guangdong and the country manager in Brazil.”

Sharing responsibility for measuring and managing risk across an organisation and its supply chain requires a joined-up approach from top managers.

A balanced scorecard approach can help here in shaping decisions and co-ordinating strategy.

“I talked to a retailer that gets 4,000 or 5,000 slips or trips a year across the world,” Auerbach says.

“One of them went bad and cost a lot of money, but it’s the overall expense of managing these claims and brand protection that concerns the board.

“Retailers don’t want customers to come to any harm, so that has been put into the scorecard of their country managers.”

Given the recent high-profile disruptions that have hit the headlines, it’s been easier to grab the board’s attention on issues surrounding business resilience.

The key is to make the issues surrounding operational risk relevant in the longer term, particularly as they become more global in reach.

Expert view: Putting a value on business continuity

Tony Perry, senior managing consultant, practice leader, business continuity and resilience consulting at IBM

Establishing the value of business continuity is key to improving boardroom understanding of its importance.

Business continuity management is often seen as dealing with physical events, but actually it includes reputational management and softer issues.

Connected to that is the boardroom perception of the competitive advantages of having a sound continuity management system.

Also, boards fail to see that external events that impact on customers and suppliers can also affect their own organisation.

For example, a firm that outsourced car insurance claims handling failed to consider the consequences of the weather. The number of car accidents increased during bad weather, but conditions also stopped staff getting to work at the call centre.

Therefore the firm’s ability to process claims actually decreased at its busiest time.

Outsourcing is an area many boards need to look at more closely when it comes to business continuity, as there is often poor awareness relating to risk.

The default assumption is that the outsourcers will sort out any problems - but there is a significant difference between transferring and abdicating risk.

Transferring risk usually comes with a contractual obligation.

The current economic situation is, to some extent, influencing business continuity trends. A board might make a strategic decision that unwittingly damages the resilience of a business.

For example, decreasing production stocks will reduce costs but also the resilience of a business. Some boards appear to be struggling with the implications of this.

An organisation’s size is often an important determinant of board involvement with business continuity.

Large firms have, by nature of scale, boards that tend to be distant from the coalface and therefore fail to consider the full implications of any decisions they might take on day-to-day activities.

Smaller organisations tend to be more aware, as senior management are likely to be in closer touch with daily operations.

The boards of regulated companies, and those funded by venture capital, often have business continuity awareness thrust upon them by their external stakeholders.

To improve boardroom understanding and engagement, it is important that business continuity managers move away from programme status reporting and instead talk to the board in terms of risk, opportunities and mitigation.

Aligning themselves more with risk managers will help to achieve this.