Business continuity management – It’s not always about buying a second car
Business continuity management (BCM) is often perceived as having a backup IT system or a secondary office in a different location so that if a disaster does occur, the IT people will just turn on a switch that will make the backup IT system available or business operations can just move to that secondary office and the company can go about its usual business. It’s like buying a second car to serve as backup when your other car breaks down or for use on those “color-coding” days. This misconception is one of the reasons why some companies hesitate in properly investing in BCM as it is seen as a major cost that they can live without, at least for the time being.
But BCM does not automatically translate to buying a second car. It really depends on the risks a company faces, its business priorities, its strategic goals, and the consequences they are willing to accept. Taking a taxi or public transportation may be an acceptable logical option. For some they may even need a big pickup truck or SUV as they foresee a different and greater requirement during a disaster.
It’s not always an IT issue
Another misunderstanding about BCM is that it is only about the IT system since a lot of business operations are dependent on their IT. This is why in some cases, it is the IT people who are designated to handle the BCM. But it’s not always an IT issue. During 9/11, all the global courier services such as DHL, FEDEX, and UPS experienced a critical crisis, not a downtime with their IT but they could not take off or land their planes in mainland US for a period of time. SARs led to a major manpower crisis due to the number of company personnel affected and even those who died, as well as due to those who opted not to report to work or travel due to fear of contamination. Coups since the presidency of Cory Aquino created problems on accessibility of offices in the affected areas like
What is BCM and why it is needed
BCM is the term used to describe how a business manages operational risks in a continuous cycle. It is not limited to common disasters and thus should not be taken lightly. BCM is much more than disaster recovery or crisis management. It is a Board and CEO concern, not just the CIO. BCM is tailor-fitted per company, and not an out-of-the-box package or a fill-in-the-blanks template you can extract from books, download from the Internet, or copy from other companies. It does not automatically translate to a duplicate or redundant site of immediate availability… again, the second car.
BCM is aimed at minimizing financial loss caused by inability to do business in the event of system failure, or slow and ineffective disaster recovery. It helps protect a company’s brand image, reputation, and credibility which are dependent on consistent, good quality performance. It is not only a vital element of a mature, well-developed enterprise risk management practice but is also supportive of and consistent with good corporate governance. It serves to preserve market share and company share value, which is increasingly susceptible to high profile outages and helps satisfy customer demands as consumer confidence is vital to developing and sustaining a wide customer base.
BCM is beyond reactive planning – it is now into the realms of confidence building, not only for the companies themselves but more importantly for their customers. Going back to 9/11 experience with the global couriers, delays in the delivery of packages were expected, but how much would your confidence in a global courier increase if in spite of the banning of flights on US airspace and the expected delays in land transportation, your urgent package still arrived on time? If you experienced the expected delay in the delivery of your package while a colleague told you his package arrived on time, would that not influence you to switch to his global courier?
Some facts and figures
Based on several KPMG BCM-related surveys, the top perceived possible cause of business interruptions is terrorist activities but in actuality, the top four were hardware failure, software failure, communications failure, and security breaches while the bottom four were regional political activity, social unrest, economic changes and geographic conflicts. Fifty-one percent of financial service companies rated BCM as ‘extremely important’ and had corporate-wide Business Continuity Plans (BCP) in place. Twenty-five percent of companies have a downtime tolerance of less than two hours. sixty percent of companies said recovery objectives were not met following an incident or downtime. Only 25 percent have a fully functional and stable BCM program. Fifty percent of companies are still developing their crisis management plans (CMP), disaster recovery plans (DRP), and BCPs. About 50 percent of companies estimate disruption cost at US$50-500K per hour. Almost 40 percent had experienced an interruption in 2004 that caused them to activate their plans. No energy company claimed having an organization-wide plan in effect. Sixty percent claimed they do not receive sufficient levels of training.
The scary thing is that some BCM professionals such as Richard FitzHugh, event program director of Business Continuity Expo 2007, arguably claim that “It’s a fact that 80 percent of businesses affected by a major incident close within 18 months, if they do not have a contingency plan in place”. If you do a simple Google search on the Internet, it will result in various organizations quoting broadly similar statistics such as the US National Archives and Records Administration, Gartner, IBM, and the University of Minnesota to name a few.
BCM, the past, the present, the future
BCM has and continues to evolve from a first aid kit to a survival kit to full body armor to an aggressive weapon. As more companies grasp the concept of BCM, either because they realize its value and/or because of regulatory compliance, BCM continues to evolve into its future state, increasing the value it offers to a company. In a KPMG BCM study, DRP which generally states “I can recover from a disaster” and BCP stating “I can resume my operations after a catastrophe” are already considered the ‘yesterdays’ of BCM. BCM today is Enterprise High Availability that boldly announces “I am always there for my customers” and Service Level Management stating “My services satisfy my customers’ expectations”. BCM of tomorrow brings Extended Enterprise Intelligence addressing “How I manage and act on information differentiates me from my competitors”. This is foreseen to eventually progress into Business Service Management targeting “My business services facilitate realizing new opportunities.”
So when will you act on your BCM?
You now have a better understanding of what BCM is and is not, and why it’s needed. You’ve seen some facts and figures. You got a glimpse of its future. So when should your company start taking your BCM seriously? When the company has excess funds to buy that second car? When everyone else in the industry has joined the bandwagon? When it becomes a strict regulatory requirement? Before hijacked planes come crashing on your business? Or when your towers have crumbled? If you’re not ready, can you postpone your disaster?
(Reginald John “RJ” P. Javier is a Senior Manager for Risk Advisory Services of Manabat Sanagustin & Co., CPAs, a member firm of KPMG International, a Swiss Cooperative. This article is of general information only and is not intended to be, nor is it a substitute for, informed professional advice. While due care was exercised to ensure the quality of the information contained in this article, readers should carefully evaluate its accuracy, completeness and relevance for their purposes, and should obtain any appropriate professional advice relevant to their particular circumstances. For comments or inquiries, please email
- Latest
- Trending