And if your list includes "terrorism," I think it's time you stopped watching "Homeland" (an American television series).
My own list would not include terrorism, influenza, earthquake, tsunami, nuclear meltdown, flooding, SARS, power outage, computer crash, network failure, software virus, transportation disruption, World Trade Organization meetings, Black Swans or alien invasion from another planet - none of the traditional scary stories that animate contingency planning today. Yes, they are "disasters" or can be. Yes, they are sudden, severe and unexpected. They have happened and will again. They cause interruptions and inconvenience, in some cases severe.
But they're infrequent, unpredictable, unpreventable and their consequences are transitory. They are almost never existential threats to a company, a community or a country. You and I think organizations should plan for them, but most CEOs don't and most elected leaders can't afford to.
They may be tragedies to their victims but to everyone else, they are unfortunate aberrations.
My own list of Big Risks is: water scarcity, food availability, food pricing, chronic disease, contention for resources (the eventual consequence of population growth and rising living standards), climate change (drought & sea-level rise in particular, because I live on an island) and globalization. For the private sector, my list also includes competition, product obsolescence and damage to reputation.
I'm still undecided about "cyberwar", but former National Security Advisor Richard Clarke's presentation at WCDM 2011 lifted some wool from my eyes.
What do my risks have in common? They are slow to develop (I called them "boiling frogs" at WCDM 2010), potentially catastrophic and easily foreseeable - if you're scanning the horizon with an inquiring mind. I know that CEOs and elected leaders think about one or more of them every day.
And they are all outside the job scope of every resilience professional I know.
We in the resilience professions – EM, BCM, crisis communications, security, disaster response, IT disaster recovery – make our livings planning for the standard litany, all the while hoping for Black Swan events to justify our existences. 'It would be so much easier to get people to pay attention', we think wishfully to ourselves. (If you've not read Nassim Taleb's book The Black Swan, you really should.)
There is nothing wrong with doing contingency planning, of course. It is a worthwhile, noble - if thankless – professional activity. It saves lives and protects assets in the public and private sectors. Its objective - resilience - can even offer a competitive advantage for a company, a community, even a country. (See how in the YouTube clip about Singapore's water planning from my 2010 WCDM presentation, Water & Emergencies: The Impact of Thirst.)
But the ways we practice contingency planning today cannot lead to resilience because:
- we can't add value if we don't address the Big Risks that leaders think about, but
- we don't have all the skills to address them, and
- we deal with only a small fraction of the full range of consequences.
The risks leaders think about
What do you think executives at Research In Motion (RIM, maker of Blackberry's) or at Nokia believe the single, greatest risk to their company's continuity is? Is it power failure or denial-of-access? No. It's Apple, which has pushed them nearly to extinction.
I'll bet you don't think of competitive analysis, business strategy and product development (what RIM and Nokia desperately need) as "business continuity management." You will agree that RIM's and Nokia's business continuity is in doubt, so why aren't those subjects part of BCM? If you were to ask their executives for $150,000 a year to fund a Business Continuity Manager position right now, what do you imagine their responses would be?
While you're thinking of it, what's Apple's greatest risk? Samsung? Android? Maybe, but I'd say it's replacing Steve Jobs. The whole world wonders just how much of the company's cachet and reputation – and share price - depended on his obsessive vision. Succession planning isn't considered a BCM responsibility, but you'd have to agree that Apple's continuity may depend on it. (I wrote about Apple's supply chain risk in 2006.)
Maybe it's because I'm assiduously looking for them that I find examples everywhere of Really Big Risks that aren't covered in emergency or business continuity management. Here are some (and I'll have others by the time of WCDM):
- American Barnes & Noble had a terrible 2012 holiday season because their Nook e-reader isn't selling. Analysts muse aloud whether they can continue in business. What's their biggest threat? Amazon. Where would you position a backup data centre – essential for a digital book distribution business - on B&N's capital spending priority list, with a shrinking budget, shrinking market and shrinking confidence in the survival of the company? It would be no surprise if IT disaster recovery were not a priority at Barnes & Noble these days (I don't know if it is or not).
- In July 2012 the HR Director of a Maruti Suzuki automotive plant in Manesar, India was gruesomely murdered by employees striking – for the fourth time in two years - over wages and working conditions. If a company has actively-hostile relations with its workers could it ever be described as "resilient"? Maybe "stubborn," "tough," or "profitable," but "resilient"? No amount of BCM or EM will make that kind of company resilient.
By definition a strike is an interruption of business continuity. Does murdering the HR manager constitute an "emergency" in your opinion? It does in my view. What are the main mitigation measures for a strike? Adjusting wages and working conditions. Do BCM, EM, IT, Environmental Health & Safety (EHS) or Security ever have any input into setting wages or working conditions? Never. They're expected to respond to the consequences of unhappy workers and poor working conditions, but no one ever asks them for suggestions to mitigate the causes of workplace violence.
- A November 2012 investment report by a short-seller called Muddy Waters recommended dumping the stock of Singapore commodities processor Olam International. As a result, shareholders and investors questioned the company's ability to survive. To counter those suspicions, the company has been forced to seek $1.25B to shore up its balance sheet. For a company with market capitalization of $4 billion, $1.25 billion dollars constitutes serious "business impact," but I have never seen "short selling" included in a business impact analysis (BIA). What, if anything, could a BCM manager have contributed to a discussion of the company's response to the report? I will suggest several things in my presentation.
- Investment bank Goldman Sachs' reputation seemed impregnable. Then in 2012 the New York Times published an op ed. by a former employee accusing the firm of "ripping off customers." Now there's even a wickedly funny Twitter feed, GS Elevator Gossip, that has 375,000 followers (and growing). As one example, see the tweet, "Nice try, God" after Hurricane Sandy. @GSElevator is effective because it taps into a widely-held feeling that the firm is arrogant in the extreme.
Isn't damage to its reputation Goldman Sachs' biggest risk? When the Harvard Business Review headlines an article with "What Happened to Goldman Sachs?," you know there's a problem. Whatever's wrong at Goldman Sachs won't be fixed with a backup generator or a fire drill, the standard strategies of BCM and EM. What social media strategies would you suggest to address the reputation risk of a bulge bracket bank? The EMs and BCMs I know don't think businesses should use Facebook and believe Twitter is for teenagers. (I wrote about using Twitter in emergencies. Seriously? in 2010.)
- If I say the word "melamine" to you, what comes to mind? I think, "milk in China!" And that makes me remember Sudan Red dye in the chili oil (2005), lead in the toys (2007), cardboard in the dumplings (2007, eventually revealed as a hoax), melamine in the milk (2008), god-knows-what in the illegally-recycled cooking oil (2010), antibiotics in the bean sprouts AND hydrolyzed leather meal in (again!) the milk (2011) and formaldehyde in the cabbage (2012). The whole country's reputation has suffered from the well-publicized misadventures of a few miscreants.
There's clearly a problem, but do EM or BCM "good practice" offer guidance that would be of use to companies manufacturing poisonous food? Would a "Notification Call Tree" help? Or an "Incident Command System"? Not likely. They need strict quality control, activist Health, Safety & Environment departments, and much better law enforcement – none of which are taught in any business continuity or emergency management class I've ever been in.
- You may have read about the November 2012 conflagration at the Tazreen Fashion factory in Bangladesh that burned 111 garment workers to death. The cause can be easily guessed: an awful confluence of cost pressures, poverty and lax enforcement – the same confluence that resulted in the 1911 Triangle Shirtwaist Company fire in New York City that killed 146 garment workers.
Should Tazreen Fashion have had an emergency manager? Of course - right after Bangladesh passes a National Labor Relations Act and a Fair Labor Standards act, enacts a minimum wage, establishes a 40-hour week and gives garment workers the ability to bargain collectively, all of which the United States eventually did after the Triangle Shirtwaist disaster. Bangladesh isn't ready for American-style "emergency management" in 2012 any more than New York City was ready for it in 1911. It took decades to lay the legislative and regulatory groundwork in the U.S.; it may take even longer in Bangladesh. If you're interested in how disasters become legislation, see David von Drehle's Triangle: The Fire That Changed America (2004).
But those are the kinds of Big Risks that leaders think about every day - not power outages, flooded basements or disk crashes. It is no wonder we struggle to capture management bandwidth for narrow definitions of "emergencies" and "disasters."
Part 2: Skills we could develop
I'm frustrated. Too often I find myself asking, 'Is this all there is?' Is the future of BCM putting colored squares on BIA tables and debating Recovery Time Objectives? Is the future of EM organizing fire drills and handing out masks in pandemics?
If that's my future, please just point me toward the exit.
If there's more, well, then…what is it?! What goal should I be aiming at? To what vision should I be tenaciously clinging? What skills should I develop to make myself more valuable? How can I expand my scope? How can I move up the professional ladder? Hell, where IS the ladder?!
You see, I think business continuity management has turned into business crisis management, and I am absolutely sure that's a professional dead-end.
We are fixated on the downside while most people – and every CEO and elected official – are focused on the upside. We don't add value; we are an expense. We're forever secretly hoping to see a Black Swan while everyone else loves feeding the white ones. We prepare to deal with "consequences" while everyone else wants to make "an impact." We get training when what we need is education. The future of companies, communities and countries is above-the-line, and we are stubbornly – but not, I submit, inexorably – below the line.
Right, then. I'll just take two aspirin and see you in Toronto.
About the Author
Nathaniel Forbes started Forbes Calamity Prevention (FCP), Asia's oldest business continuity planning company, in Singapore in 1995. FCP prepares and manages BCP and emergency response plans for the overseas offices of multinational companies, with a focus on Asia. You can reach him at firstname.lastname@example.org.