Ian Thomson, consultant and founder of Resilience Consulting, and John Matthews, independent consultant and specialist in matters of organizational resilience, reveal the secrets of sound Business Continuity Management.
By Marilena Fatsea, Fidel & Fortis
M. Fatsea: On February 18, the first Business Continuity Management (BCM) conference will take place in Athens, and you are both invited as keynote speakers. Could you give us a brief definition of BCM?
I. Thomson: Business Continuity (BC) is a system helping an organization to discover what it needs to survive after an unexpected event. There will always be incidents, but we should be able to create the necessary conditions so that the organization’s most critical functions can endure and continue, or at least be restored in a very short while.
J. Matthews: One of the best definitions of Business Continuity that I’ve heard of is this: BC is what helps you fix things. It’s not about “business as usual”. If something goes wrong, how would we go about fixing it? This is what BC does, simply put: It buys you time in order to bounce back.
MF: What is the holistic approach of BCM?
I. Thomson: Through BCM we can have a comprehensive, in-depth understanding of the business, i.e. what its most important functions are, what its priorities are, and where we should focus. At the same time, though, we should be practical and realistic in our approach. Even if a business realizes that it has vulnerabilities, it cannot fix them all at once. But if the organization acknowledges the risks, it can then deal with them bit by bit. BCM is a programme, or rather a management system that you apply, test, incorporate in the organization, and evolve at will.
The system in itself is not an all-in-one solution, since different companies have different demands and priorities. What matters is that, in case of a serious event, we must make sure to be able to regain control of the situation. Indeed, what is most important for a company is to appear to have everything under control and supply credible information to others.
If you look at the statistics of businesses that have closed down, you will find that most didn’t have any function recovery plans for emergencies. And even if they did, they were either unsuitable or unsuccessful.
This is not scare tactics; this is reality saying that, if you don’t have the right plans, you will be shut down by the regulatory authority, lose market shares, or lose your best executives to the competition.
MF: Can you give us some practical examples of BC?
I. Thomson: A good example is that of a bank with a 500-strong call centre. What was the most important function in that case? The process of transaction certification, with a team of six people in charge. In the BC work we did there, we ensured a process for this team which was completely independent from the building and could be implemented directly, if necessary. This was applied successfully on several occasions.
MF: Quite a few companies claim that they do not mind taking the risk of an incident, because they will be compensated for whatever happens to them by the insurance company. What is your opinion on that?
J. Matthews: This is not as simple as it seems. Let’s take the example of a power station: If there is only one such station and it stops, what happens then? Even if there is compensation by the insurance company, how can obligations be covered, clients, things that need to be done? OK, maybe the station will become operable again in a few weeks, but by then there will be no company, no clients left. A solution in this case would be to buy or rent power until the station starts operating again. This is one thing; the other thing is to have a simple, practical and concise plan that could guide me “when that happens”: what to say to my clients, what communication to have with them, what to say to my auditors and the national power company so that, when the station comes again into operation, I will still be there talking to them. Therefore, the whole thing is about how to keep your clients after an unpredictable event, something the insurance company does not cover.
MF: What are the biggest threats in the current business environment and how can BCM help companies become more resilient?
I. Thomson: This depends basically on the individual business: its position, its vulnerabilities, understanding existing risks.
J. Matthews: One of the biggest sources of risk is change: It is what the Greek society goes through today, when change is driven by economic reality. When businesses feel more threatened, they have a bigger need to be protected, to apply a business continuity plan. What prevents companies from doing that is their view that Business Continuity Management is a complex thing, that it takes a lot of work and that its benefits cannot be measured - which is totally wrong, of course. BCM is common sense.
MF: What’s the difference between BCM, Contingency Planning and Disaster Recovery (DR)?
I. Thomson: DR simply means “I experience disaster, stop working, and then recover”. But is this what we want today? Shouldn’t we try much harder to find smart and practical ways to lower the risk and the possibility of something happening, before it happens?
Furthermore, when assessing risk you should focus on searching for specific things, specific situations. You should be very careful regarding the differences between BC, the technical Disaster Recovery, and Contingency Planning. The latter tells you what to do, for example, in case of a strike. If you know there will be a strike, then it’s just a matter of risk management for planning for it or not. On the contrary, with BC you have absolutely no idea what will happen.
MF: How can a company achieve resilience? What is a resilient company?
I. Thomson: It takes time for a company to become resilient. You can gradually introduce elements of resilience, but essentially a company can achieve this if the senior management believes in its value and slowly incorporates the need for resilience into the organization’s everyday life. That means it must become a way of living and thinking for employees.
MF: Based on your experience, could you give us an example of BCM helping in practice?
I. Thomson: There are many examples of BCM saving the day. And there are companies, such as Pan Am and Enron, that didn’t have BCM programmes, and failed. The real problem with Enron, however, was that it had a rotten culture and, when exposed to risk, it lost face and no one trusted it any more.
J. Matthews: Resilience is mainly a matter of culture. Part of it is to ensure that what we do does not increase risk or danger for the organization. Enron willingly followed a path that increased the organization’s risk. This means that it wasn’t a resilient organisation. If Enron had been a resilient organization, would they have gone about things the way they did? Certainly not. They made some terribly wrong decisions, based on a terribly bad corporate culture.
MF: What do you think the future of BCM will be in Greece and the rest of Europe?
I. Thomson: Europe shows interest in BCM. What we see is that organizations in different areas of activity understand that through BCM they acquire a competitive advantage and they can lower their risks, adopting the proper procedures. Greece poses a bigger challenge, since people are used to taking more risks and solving problems on the spot, i.e. when these come up.
MF: How hard is it for a Greek business to apply Business Continuity Management?
I. Thomson: I believe it’s a mentality thing. Let’s take, for example, a Greek and a German. Give them the same project, and the German will get right on it. He will develop a project plan, define the steps for the project’s overall course, and follow them closely. And if the original planning proves to be insufficient and a problem comes up, he will analyze it and fix it. The Greek, on the other hand, will start on the planning at some point and, if he comes across a problem, he will try to deal with it on the spot, and go on with the project. It is, therefore, a completely different mentality. But you can’t turn Greeks into Germans. True, in the last 5-10 years Greeks have had to deal with difficult incidents on the spot – floods, riots, fires, economic crisis – and they are very flexible and used to problem solving. So, since they are used to doing that, they think they can manage all problems on the spot. But things aren’t like that.
MF: What should somebody say to employees to make them start taking Business Continuity seriously?
I. Thomson: That it has to do with their own security, their present and future in the business. Who would want their company to shut down and lose their jobs, especially today?
MF: There have been claims that BC serves only to satisfy shareholders and that it makes sense only for large businesses. What is your opinion on this?
J. Matthews: First of all, interested parties do not include just shareholders, but also clients, suppliers, auditors, companies affiliated to your business, and service providers. Anyone who does business with a company, from any sector, is an interested party and, therefore, BCM concerns them. As for the size of a company, we should point out that a small company is at much greater risk than a larger one, since it is generally less resilient, given the fact that it is more likely to have only one place of operation (computers, personnel, storage areas).
This means that small companies are a single point of failure and likely to be less resilient in case of a business operation breakdown compared to big companies that could own sufficient reserves (financial, insurance, or stock) in order to survive. If a small shop burns down, it’s ruined. If a large organization loses a point of sale, then it just has one less store. This might cause some inconvenience, but it’s not the end of the world. BC, therefore, is necessary and important for small and medium-sized businesses as well.
Published in netweek 2 / 2014
With a presence of more than forty years in the fields of IT and Business, Ian Thomson is considered one of the top professionals in Business Continuity Management and Crisis Management, with long practical experience. He has been founder and CEO of Resilience Consulting (UK), a provider of consulting services in Business Continuity and Crisis Management, since 2009. Since 1999, he has been a member of the Business Continuity Institute (BCI) and one of the first BCI-certified BCM trainers. He has also been a certified Risk Practitioner since 2010. He has provided services to the British government on a series of projects, as well as to local administration bodies in the UK.
An independent business consultant with 20 years of experience in Organisational Resilience, he has deep knowledge, specialization and experience in the good practice standards and demands of organizations both in the public and the private sectors concerning Crisis Management, Business Continuity and Information Security (including the international standards ISO22301, ISO27031, ISO27001, Civil Contingencies Act, Corporate Governance, etc.). He is a member of the Business Continuity Institute (UK), BSI-trained and lead auditor for ISO27001. He cooperates with Resilience Consulting, a provider of Business Continuity Management and Crisis Management services in the areas of Crisis Management, Business & ICT Continuity, and Information Security.