Risk management may have climbed the corporate agenda but UK organisations, from blue chips to SMEs, retain a haphazard, department-based approach to business continuity that is not only wasting money but actually damaging business value.
The issue is no longer simply ensuring business continuity in the event of a major catastrophe but the creation of strategies that underpin and can help formulate good business practice; strategies that will mitigate the damage of a high profile employee dismissal case, non-compliance with financial or other legislation or failure to meet contractual supplier obligations. Risk management is about protecting the company's reputation while supporting the needs of employees, shareholders, customers and suppliers.
Strategies cannot be developed in isolation if spending is to be aligned with business direction. A consolidated approach ensures consistency and, critically, informs the decision-making process when new business opportunities arise. How can an organisation, today, embark upon any new initiative – from market expansion to promotion – without considering the business and risk implications?
And how can an organisation assess these implications without a consolidated cross functional risk management strategy with board level authorisation?
Running a successful business becomes, it seems, more challenging each year. New financial compliance regulations, increasing employee rights and the management and protection of information are now core components of every business strategy. The risks are significant – and personal. Not only is a director responsible for employee welfare as well as investor relations but mistakes can result in a prison term. Business continuity is a serious business.
Today, business continuity is not just about protecting the company from flood, fire or theft but mitigating the risks associated with non-compliance with a raft of legislation and demonstrating a strategy that supports the miscellaneous needs of customers, suppliers, employees and investors. Simply understanding the diverse issues is a significant and time-consuming challenge.
But it is a challenge that has to be met: attaining that understanding and devising an appropriate risk strategy is becoming a business prerequisite. Within a couple of years, organisations will not be able to trade with customers or suppliers without the ability to demonstrate excellent business continuity practices. It will become as standard a practice as Public Liability or Employee Liability Insurance.
Haphazard business continuity
However, despite the increasing awareness of business risk, UK organisations have a long way to go to get close to this position. Today, risk reviews may be a regular component of board meetings but the approach to attaining business continuity remains haphazard at best. The Human Resources department is wrestling with the issues raised by new Employment legislation coming into force from 1st October 2004 that demand new, robust processes to respond to allegations of harassment and bullying as well as grievance and disciplinary problems, TUPE reforms and Disability Discrimination Amendments.
At the same time, Finance is investing enormous amounts of money to meet new regulations from the Financial Services Authority, as well as attaining compliance to Sarbanes Oxley and Basle II where relevant; while the IT department is tasked with a range of issues from Data Protection and email compliance to internal and external system security, a task made ever more complex by the growth in home and remote working.
But if every department has a handle on its own business continuity issues, the business is doing fine – right? Wrong. The CEO may feel that everything is under control but beware a false sense of security.
Is this fragmented risk management activity being undertaken in line with business strategy and business value?
If not, how much money is being wasted on business continuity? Without a central, co-ordinated assessment of cross-organisational risk, an organisation cannot possibly ensure the business continuity strategy is being developed in line with business strategy.
Without embedded business continuity and board level responsibility, what happens when the next business opportunity – from new market to acquisition – comes along?
Will the risk evaluation be based solely on market information and perceived business value? Or will the implications for business continuity be considered and evaluated to ascertain the risks associated with new personnel, IT change and new premises or the challenges of sustained delivery to an expanded market?
Business continuity cannot be retrospectively bolted onto existing business processes any more. In the developing commercial environment, it is becoming a core component of standard business practice; from secure information flows to top down organisational culture, business continuity must be part of the very nature of doing business, driven by a senior management figure, the Risk Director.
Organisations are wasting money if they fail to consider business continuity plans when making investment decisions.
This situation applies as much to the SME as to blue-chip organisations. For the SME, however, there is little business continuity at all, since few are able to even grasp the issues, let alone devise an appropriate risk management strategy. Indeed, most SMEs are playing Russian roulette daily with the business, failing even to regularly back up critical information.
But burying the head in the sand will not be an option in the medium term, even for the SME. Large organisations, from retailers to financial institutions, are beginning to demand their smaller business partners demonstrate a strategy for managing risk. The SME has to get a handle on business continuity, and fast.
Of course, there is no way an SME is going to appoint a Risk Director – the cost of such a role would be punitive. But just as SMEs now outsource a range of business functions from payroll and accounts to human resources, outsourcing risk management is a viable choice.
An external business continuity provider will identify and prioritise the SME's business continuity issues and offer a structured approach to mitigating risks. And no, not every SME will be able to justify a belt and braces approach to business continuity. However, by identifying the issues and associated risks, these organisations can take informed decisions. Every business decision has an element of risk attached – but today too many SMEs are gambling on the unknown.
Undoubtedly many organisations are investing significant money and resources in risk management. Yet while the individual activity may be laudable, this dispersed, disparate approach to separate business continuity issues will never create the consolidated, consistent business continuity strategy required to be successful in the developing climate of risk awareness.
Furthermore, organisations simply cannot afford to continually react to new information, security legislation or corporate governance demands; demands that are not only adding an enormous financial burden but also distracting key personnel from the core business strategy.
Someone has to take central control. For the large organisation that will increasingly mean the creation of a new board level role: the Risk Director, tasked with co-ordinating risk assessment and mitigation across the business, and the gearing up of all key business processes towards business continuity. Without this role, or its outsourced equivalent, organisations will struggle to demonstrate the business continuity increasingly expected by business partners throughout the trading environment.
Graeme Howe is Events Director at Business Continuity Expo and Technology for Compliance