Corporate Directors charged with Operational Risk Management oversight are ultimately responsible for Continuous Continuity (C2) of the Enterprise.
The modern enterprise that effectively manages the myriad of potential threats to its people, processes, systems and critical infrastructures stands to be better equipped for sustained continuity. A Business Crisis and Continuity Management (BCCM) program is a dynamic change management initiative that requires dedicated resources, funding and auditing. Corporate Directors must scrutinize organizational survivability on a global basis.
Since effective BCCM analysis is a 24/7 operation, it takes a combination of factors across the organization to provide what one might call C2, or "Continuous Continuity". A one-time threat or risk assessment or even an annual look at what has changed across the enterprise is opening the door for a Board of Directors worst nightmare. These nightmares are "Loss Events" that could have been prevented or mitigated all together.
According to the risk management best practices from sources such as the Turnbull Report and specifically Principle 13 of the Basel II Capital Accord, the Board of Directors and corporate management are responsible for the effectiveness of the Business Crisis and Continuity Management of an organization. The following testing techniques must be used to ensure the continuity plan can be executed in a real-life emergency:
- Table-top testing: Discussing how business recovery arrangements would react by using example interruptions.
- Simulations: Training individuals by simulating a crisis and rehearsing their post-incident/crisis management roles.
- Technical recovery testing: Testing to ensure information systems can be restored effectively
- Testing recovery at an alternate site: Running business processes in parallel with recovery operations at an off-site location.
- Test of supplier facilities and services: Ensuring externally provided services and products will meet the contract requirements in the case of interruptions.
- Complete rehearsals: Testing to ensure the organization, employees, equipment, facilities and processes can cope with interruptions.
Many of these best practices talk about a BCCM that will be periodically updated. Periodic is not continuous. Change is the key factor here. What changes take place in your organization between these periodic updates? How could any organization accurately account for all the changes to the organization in between BCCM updates? The fact is that they can’t.
This will change over time as organizations figure out that this is now as vital a business component as supply chain management. The effective BCCM framework will become a core process within the organization if it is not already, dynamically evolving by the minute as new change-based factors take place in the enterprise. As new or terminated employees, suppliers and partners come and go into the BCCM process, the threat profile is updated in real-time. This takes the operational management that much closer to C2 , or "Continuous Continuity".
Having survived several large quakes in Southern California in years past, we are not sure that all of the testing in the world can prepare people for human behaviors that come from within. People literally lose all sense of common sense when you are on the 42nd floor of the 50+ sky scraper and without any warning it physically sways a couple feet to the left and a few more feet to the right. Believe me, the issue is not the testing itself, it’s how to create a real enough scenario that you get similar behaviors out of unsuspecting people. Certainly the largest organizations realize that the external threats are taking on new and different forms than the standard fire, flood, earthquake and twister scenarios.
These historically large catastrophic external loss events have been insured against and the premiums are substantial. What it is less easy to analyze from a threat perspective are the constantly changing landscapes and continuity postures of the internal facets of the organization having to do with people, processes and systems. Corporate Boards of Director’s are now being consistently subjected to regulatory scrutiny across the globe to ensure the continuity and survivability of the enterprise. It is their duty and responsibility to their shareholders to make sure this occurs on a continuous basis. The world can only hope that our Global 500 companies are well on their way to achieving C2 already.