Printed from BusinessInsurance.com

Continuity belongs in business planning process

Posted On: Feb. 25, 2007 12:00 AM CST

Continuity belongs in business planning process

Terrorism, pandemics and hurricanes are just a few of the dreaded disasters that have generated growing corporate interest in planning for the potential effects of these and other types of catastrophes. Risk managers often are assuming such planning responsibilities and have many questions about the nature, scope and resource requirements involved.

Corporate contingency planning originally focused on technology, more specifically on the need to back up the corporate data center. In those early days, mainframe technology was the rule, and it was relatively simple to arrange for a duplicate backup site. Over time, technology became more and more widely distributed, morphing into an environment of networks in a server-dependent framework, making contingency planning far more complex and business-specific. It was also recognized that technology backup planning was only part of the answer. The businesses that were to access the backup sites also had to have the capability to recover their own operations.

A more holistic approach evolved: business continuity planning. However, this integration of business and technology planning engendered new potential conflicts between the perceived needs of the business and the capacity of technology to respond.

The most fundamental obstacle to progress is that business continuity planning does not generate revenue in the short term. While the business manager's compensation and continued employment are usually tied to the achievement of such short-term revenue targets, planning requires the initial and ongoing commitment of time, people and financial resources to create, test and monitor. This represents both a direct expense and an opportunity cost, drawing resources away from the achievement of revenue targets.

Risk managers will quickly discover that managing these new responsibilities requires a very different approach. In the traditional role of risk funding, the risk manager exercises significant control. In risk response planning, the risk manager must attempt to influence business and support units, driving the planning process forward while competing for available resources.

Given the level of difficulty, it is always stressed that effective planning first requires the buy-in and support of executive management. However, even given such buy-in, management will view its first responsibility as sustaining and increasing the stock price through continuously improving income. When a corporation encounters earnings difficulties, support for planning efforts can be pre-empted. The best use of executive management support is in institutionalizing continuity considerations into the business/systems planning cycle itself, such that no venture is entered into or system adopted without continuity issues having been thoroughly addressed.

An efficient way of achieving ongoing progress is to eliminate ad hoc discretion. This can be accomplished by integrating continuity planning into the business planning process itself, so that it becomes transparent.

In a large, complex organization, it is necessary to have some internal staff focused on the planning process. Ideally these resources should be at the corporate level, outside the potentially conflicting interests of business and technology. It may be of strategic value to associate this responsibility with that of managing the property insurance program, with its requisite focus on the business interruption and extra expense losses that the business continuity program is intended to address.

External experts should be engaged from the outset. There are highly experienced firms that may also offer physical facilities as alternative sites.

The risk manager should be aware of existing and developing regulations dictating business recovery capability requirements, for example, at one point, that banks were required to recover their money transfer operations in three hours. The need for compliance can greatly accelerate progress.

A potentially time-consuming detour in the planning process lies in becoming overly concerned with the specific causes of potential business interruptions. The primary focus of planning should be on the potential failure of facilities, systems and personnel—the key operational dependencies.

The risk manager also should recognize that business continuity planning is one component of crisis management planning. The spectrum of potential corporate crises is far broader than business interruption, and the arsenal of potential responses to such crises goes well beyond contingency plans. However, the corporate infrastructure established to address business continuity can help to facilitate crisis management, and the implementation of plans can serve as critical component of the response to certain types of crises.

Business continuity planning has come a long way from simple data center backup. Involvement in business continuity planning represents an important opportunity for the risk manager to contribute to addressing operational risk and, ultimately, corporate crisis management.


William J. Kelly, a former president of the New York-based Risk & Insurance Management Society Inc., is president of WJK Advisory L.L.C. in Morris Township, N.J.