The Good Practice Guidelines suggest that embedding BCM is hard to measure, but secretly I believe that Executive Directors deep down in their hearts and minds know full well if they are merely trying to be compliant.
In the busy world of the Executive, maybe they only have time to ask if the business is adequately covered from a risk and business continuity perspective. Is it the difference between plausible deniability and culpable liability? To paraphrase a well-known political interviewer: “Did you know there was a problem, in which case you are culpable, or did you genuinely not know, in which case you were incompetent? Which is it?”
Apply that logic to the board. Ask them if they understand the relationship between the, in some cases, hundreds of thousands they spend on business continuity management and the benefits they believe it will deliver should it be needed. They spend it without insisting on seeing the cost-benefit analysis that proves the case, only to find that, in reality, plans are hardly invoked or utilised even in a real event.
I can only suggest from experience that Top Management Executives are unlikely to ask the question: “Show me the costs associated with maintaining our Business Continuity Management System/Programme and tell us how much deploying our strategy for resumption will cost if invoked and the savings, yes, savings to the business in reducing the impacts to the business over a known time scale.”
If business continuity professionals were pressed to answer this question, they would have to take a more commercial view of business continuity. They would have to truly align to risk disciplines and share common risk and impact scales, and they just might invite procurement professionals to assist in quantifying response strategies, tactics and resource requirements.
This would lead to Top Management Executives having a genuine opinion, giving a mandate and possibly believing that business continuity does indeed add commercial advantage to your business.
So, I implore Non-Executive Directors and Heads of Audit Committees: challenge your Top Management Executives to prove the commercial case for undertaking business continuity management for your business.
Ask your Chief Risk Officer or their equivalent in your business:
- How much do we spend annually on business continuity management, without an incident taking place?
- How much would you estimate we would spend on deploying our strategy and tactics during a disruption and, in achieving the timescales for resumption, how much cost avoidance would we achieve in monetary terms?
Even as I write this, the national news talks of underspending and being underprepared for severe disruptions. Within days or weeks of an event, they offer the costs associated with preparedness and with failure.
So I will say it one more time: why do we not estimate these impacts in monetary terms using the same methods as undertaken post-event, but do this in advance? Why can we not offer Top Management Executives fixed and variable costs (including invocation) set against the cost of impacts over time? Let them decide their Maximum Attitude to Disruption (M.A.D.).
Finally, why don’t Top Management Executives ask these questions, rather than simply “Are we covered?”
By David Window
Non Executive Director at Continuity 22301 Ltd