By Brian Bobich and Andrew Tait
Terrorism threats, financial scandals, and executive malfeasance
are increasingly becoming topics of discussion in corporate board rooms.
What influence do business continuity managers have when board members
take the lead to reduce these threats? More importantly, how can business
continuity managers be more effective at infusing the best practices of
business continuity into their organizations' strategic planning processes?
Many implemented business continuity programs are not based
on a solid, business-focused foundation. Too often, the driving factors
given for implementing BC/DR fail to address the overall business benefits
altogether. Reasons such as adherence to regulatory requirements or protection
of local operations (lines of business) so they can function continually
are often rooted in a reactive philosophy that may or may not impact the
business' bottom line.
Sarbanes-Oxley is control legislation designed to ensure that
corporations are properly reporting results to the investment world. Where
it diverges from the major benefit of a truly integrated, business-driven
BC/DR program is in interpretation: It often doesn't direct how to address
the impact of time and materiality of a systems failure. We define materiality
as "that quantified measure of the adverse business impact, which would
be incurred by the business if one or more specific business processes
were disabled for a defined period of time, that is no longer acceptable
to the stakeholder." As long as the corporation can evidence its recovery
system will get it back to the correct financial figures, it has met the
intent. While this satisfies the investment community, the long-term impacts
on the corporation are not addressed.
The second frequently cited reason to implement a full-scale
BC program is to protect the local operations. This approach also often
fails to look at the importance of an operation from an enterprise perspective
and appropriately measure the cost and time it takes to feel the pain.
This failure can have very expensive repercussions for the shareholder,
mostly in the form of lost income, negative corporate image, over-investment,
and improper asset allocation.
The two drivers above therefore miss what should be the
overall driving principle and the cornerstone of a full-scale BC/DR program.
The criticality of every business operation should be measured in terms
of the overall impact to the shareholder, and a company's ability to recover
should be defined in terms of the shareholder's expectation of a planned
and tested recovery procedure. What is the criticality of this operation?
How long will it take to reach a pain threshold where the shareholder
feels the impact? Asking these questions and knowing the expectations
is critical to putting the company in a position to do the right thing.
Thinking Globally
What happens when BC/DR programs are not implemented around these principles?
If a BC/DR program does not base itself around protection of critical
and material systems, resources and time will be wasted, and often investment
decisions will be made based on incorrect or non-material factors. For
example, a local general manager in a small operation or country may want
to invest in the best high availability solution to protect his local
results and thus his job and bonus. However, this small operation contributes
very little to the overall company bottom line in this scenario. In this
case, the shareholders would be spending an inordinately large amount
to protect a small part of the company's revenue stream.
A better solution would be to have a focused yet global
approach. This would mean satisfying a local need but basing the solution
(and the investment) on a validated global or enterprisewide standard.
In the scenario above, a best-effort recovery model may be more than adequate
instead of a fully implemented high availability solution, thus freeing
up resources for use in other, more critical businesses or locations.
Understanding Materiality
A program must be based on two driving principles: materiality of a system,
and time to reach this materiality. Materiality must be based on global
stakeholder needs and expectations.
For the most part, financial materiality can be an easy
item to determine and measure. It can be based on cents per share, percent
of annual sales or profit, or it can be linked to working capital - all
items that resonate with senior management and that are important to their
and the company's success. The challenge for many companies is to spend
the time necessary to appropriately define materiality and to translate
these definitions into terms that can be quickly understood and considered
by business leaders.
When does a manufacturing plant, which is part of one or
several complicated supply chains, have a shutdown which becomes material?
When does delay in ability to file regulatory data, or contact a client,
reach the next level of materiality? At what point does the local business
disruption become a disaster? These questions must be developed in order
to engage with the business, garner their support, and bring a full-scale
integrated process to all areas of the business. This means bringing the
full power of an integrated solution to the plant manager, facilities
supervisor, or research director that is tailored for the business and
corporation and that can be revisited over time.
A Case Study
During an enterprisewide BC/DR initiative at a major global pharmaceutical
company, all decisions were based on a "shareholder test," which took
into account the breadth of the shareholder community and uncovered that
there were no individual shareholders for any particular business group,
but in fact only shareholders for the parent company. The challenge then
was determining if a shareholder at the global level would approve of
an investment (of both time and money) in the selected BC/DR standards
and solutions.
The executive sponsorship was compelled to support the business-driven
BC/DR vision, citing that, though IS can be a key enabler, without the
business being required to drive decisions on investment, a BC/DR project
cannot succeed. This sponsorship set the stage for a program to be developed
that would eventually redefine how and when BC/DR plans and investments
were identified and implemented.
A cross-functional team was created and led by a member
of the risk management organization with direct linkage to supply chain
and operational risk assessments. The team also included several broad-minded
IS folks with a core understanding that IS was an enabler to business
continuance and not the sole solution unto itself. This structure and
approach provided the contact with the business leaders and the knowledge
of all business operations. It also ensured technical representation so
that processes, systems, and tools could be developed to satisfy the materiality
and time-to-recover requirements identified.
The program leadership team orchestrated the development
of a panel of business representatives in order to structure and tailor
the process to meet their specific business group needs and to assure
their ongoing representation. The team also had a tie-in to the Strategic
Risk Office and had access to the enterprise risk levels that drove materiality
decisions. The team conducted a focused risk tolerance analysis involving
much of senior management and yielded four materiality ranges.
Considerable time was then spent with the business units,
continually working to build the needed parallel definitions of materiality
and translating these definitions into terms they could understand. Any
system with an impact of greater than a predetermined value in six months
would be required to have a documented and tested recovery strategy in
place to avoid the loss.
Once the levels were identified, materiality and time to
reach materiality became the driving elements of the business impact assessment
(BIA) process. A BIA tool was built that would quickly identify material
processes and systems, and the related time to materiality. This method
would allow for a more efficient implementation, focusing efforts only
on the specific functions that breach materiality.
Throughout the project, senior management support was sustained,
and it was mandated that the business functions would drive the process,
and only those systems (whether IS, facilities, manufacturing, research,
etc.) with a material impact on the shareholder would be considered and
continue along the implementation trail to the final stage: a documented
recovery plan capable of recovering the system before its impact becomes
material.
Sustainable BC/DR Operations for the Business
A properly designed and integrated BC/DR solution is of significant strategic
and tactical value to numerous areas of the business and IT, beyond that
of pure recovery planning. Overspending in BC or DR will hit the company's
P&L, while underspending on BC or DR for a critical line of business can
be devastating to shareholder value. Understanding and acting according
to this premise can be extremely valuable for resource planning, long-term
decision making, and investment planning and can be very effective in
supporting change management.
By building BC/DR into the culture of the company and making
it part of any investment and change management decision, it becomes a
sustainable process that can add value to the company and increase the
understanding of business operations by the employees. A properly implemented
program will always seek to evaluate at the enterprise level, but implement
locally. This evaluation is based on understanding the intrinsic value
of any operation to the enterprise as a whole and further ensures investments
are directed to critical business priorities.
Understanding materiality and time to reach materiality
in operations, and the associated shareholder expectations specific to
those operations, can benefit local business managers and support inventory,
capacity allocation, and even long-term planning decisions. In this way,
BC/DR is a critical and leverageable part of the strategic risk management
decision process. It is impossible to implement a business continuity
solution without understanding the company's risk appetite and thresholds
for materiality.
About the Authors
Brian Bobich was an IS team member and BC/DR implementation
leader at Aventis. He is now a founding member of Core Systems Group,
a company founded to provide optimal solutions for Business/Government
Continuity, Service Management/Service Delivery, and Enterprise Security.
He can be reached at Brian.Bobich@Coresystemsgroup.com. Andrew Tait was
global BC/DR director for Aventis and is now a member of the Sanofi Aventis
Insurance department. He can be reached at Andrew.Tait@aventis.com.