BCP for the Enterprise's Sake
By Andrew M Tait, P.E., founding principal of Core Risks Ltd
The employee asked, "Why are we doing this business continuity thing?" The plant manager responded, "So that this plant stays in business and you have a job."
This seemingly innocent statement - using the wonderful, motivational force of fear to gain acceptance - misdirects the participants from the real drivers for BCP. And it may actually set the stage for long-term disconnects between stakeholders and employees at large.
The short answer to this simple question should have been something like this: "To protect the stakeholders of the company." Unfortunately, that answer leaves both the plant manager and employee unsatisfied, as it really does sound like a bunch of baloney. It also does not help company management move forward in fulfilling the fiduciary responsibilities of assuring continuity of critical operations.
Herein lies one of the most common disconnects in the broad area of business continuity. Business continuity and its twin brother disaster recovery are two of the disciplines which, at their core, are all about leveraging assets and planning. Their intent is to make sure that, if and when something goes wrong, enough has been done in advance to enable the company to keep its critical parts running without a material impact on stakeholders.
The challenge? Determining what a material impact is and who the stakeholders are.
Addressing these questions provides the foundation and is the critical first step on the road to effective business continuity and disaster recovery. Once they have been addressed, a focused, logical plan can be developed to build resiliency into the material parts of the company. Just as importantly, answers will establish a clear and supportable message on where resources should not be expended, assuring efficient use of company assets.
Materiality: The Heart of the Matter
Every company has different drivers and levels of materiality. Materiality, by one definition, is an understanding of the reference points used to categorise the magnitude of the impact of an event. Simply put, it helps one understand when things move from "not good" to "bad" to "terrible".
At the primary level, it is usually quantified using some form of financial measurement. It should be the unit of measurement most used at the board level to discuss threats and opportunities as well as measure company results. It should also be one where break points marking progressive critical escalation can be identified. The various break points applied against this metric (for example, 1 percent, 5 percent, 15 percent) should identify where, in general, management would perceive the significance of the loss and consider its stepped relevance.
Two important points to consider: BC materiality is not necessarily the same, in definition and level, as materiality is for SOX, where controls may need to address more granular issues. Additionally, materiality is the foundation for discussion and filtering of issues as they are presented to management. Therefore, there needs to be relevance to management's perspective of the differing criticality levels.
When first discussing this during program development, I like to reference the "Oh Crap" Materiality Scale.
The process of getting to these definitions is an interesting one, and first requires the company to think introspectively and go beyond the old meaning of material loss. This primary set of definitions should be presented in the most commonly used measure of the business. Whether it is impact on gross revenue, net profit, gross profit, operating margin, free cash flow, or another key measure, the metric should be that which is most commonly used by senior management to discuss threats or opportunities. Once that metric is identified, the working team needs to determine the break points between low and medium, medium and high, and high and very high (or catastrophic). Once this master set of materiality thresholds has been identified, the first step toward an enterprise approach to BCP has been taken, and it is possible to establish a level set of requirements to address priority material systems.
Materiality: The Language of the Business
With the master set of materiality definitions established, the next step (one which is often overlooked but may possibly be the most powerful step in the process) is the creation of operational synonyms which convert these high-level determinants of severity into the language of the operational users.
Ask an employee on a production line or a research chemist at an R&D site when a breakdown in their process would cause a loss in net profit of $100 million, and they'll shrug their shoulders. Ask them the same question using their own operational language (causes X days shutdown of a product line; or loses X number of experimental samples), and they'll provide the answer.
Each industry or organization has different requirements, but, when defined correctly, this set of synonyms creates a way for the heart and soul of the company to participate in the discussion of protecting critical business operations in a consistent manner. Some examples of this application of synonyms include:
Critical manufacturing line shutdown
- Less than one week (Low)
- One week to 30 days (Medium)
- 30 - 90 days (High)
- Greater than 90 days (Very High)
Research building shutdown
- Less than 30 day delay in a critical research project (Low)
- 30 to 60-day delay in a critical research project (Medium)
- 60 to 180-day delay in a critical research project (High)
- Greater than 180-day delay in the critical research project (Very High)
Consulting operations shutdown
- Less than two-day inability to contact / support customers (Low)
- Two to five-day inability to contact / support customers (Medium)
- Five to 10-day inability to contact / support customers (High)
- Greater than 10-day inability to contact / support customers (Very High)
With this type of vocabulary in place, the discussion is immediately focused on criticality of operations and starts to identify and address recovery priorities and requirements.
Stakeholders: Investors and Who Else?
A company's fiduciary responsibility requires an investment and rationale that will provide an explanation for why a site did or did not have a continuity plan. This is true on both an ongoing basis (to be able to justify utilization of resources) and following an incident (to support the lack of detailed pre-planning for non-material locations).
In order to properly address the issues which would materially affect stakeholders, one must understand and recognise who these stakeholders are. Are they shareholders, customers, employees, and the community? The answer may be yes, yes, yes, and yes. However, some of these may not be stakeholders at all, and still others may need to be identified. Considering who the stakeholders are helps us define the different angles from which materiality needs to be assessed. Consider the following:
Shareholders: These are the primary stakeholders of for-profit entities. Whether it's a publicly-traded or privately-held organization, shareholders have financed the company. Where do the shareholders expect money to be spent? Where could money have been saved, retained earnings or dividends increased, or new ventures funded?
Customers: Of course, customers are always important. They drive the revenue area of any financial measurement, but there are other considerations here. Are there smaller revenue products which have life or death implications to select customers, and are therefore "priceless"? What are the other customer issues specific to the organization?
Employees: Once the protection of life and limb is assured (which is not a function of BC), the important issue to consider for these stakeholders is the long-term viability and success of the company. If the company survives, it can continue to pay its employees. Poor utilization of assets - whether from bad acquisition or from over-investment in non-essential BC - hurts the long-term viability of the company and exposes employees.
Community: This could be an important stakeholder for not-for-profit entities, or for some for-profits depending on footprint and structure.
Others: Each industry and company may have unique stakeholders that must not be overlooked.
Protecting the Enterprise
Once the definition of materiality, the understanding of stakeholders, and the synonyms of materiality have been developed, the foundation for a clear and consistent policy upon which to build a strong BC program is established. The fiduciary responsibility of management is to effectively deploy the assets of the company in a manner that shows good business judgement, which normally includes a strong dose of common sense.
One must be sure that the business continuity policy addresses the simple question: "Would our stakeholders (often read shareholders) expect us to have invested scarce resources in a business continuity strategy for this process?" With that, one can go a long way towards building buy-in and support from all levels of staff, supporting development of resiliency in business-critical operations, and promoting fiscal responsibility and good management.

