November 19, 2006

Considering Business Continuity

PAY ME NOW, OR PAY ME LATER

JOHN GLENN, MBCI
Certified Business Continuity Planner

I was watching builders construct wood frame and ply board 4-story townhouses (that's a row house that sells for 6 figures) in a town that hosts an occasional hurricane.

I grew up in Dade County, Florida, where everything was "CBS" - concrete block structure, and steel reinforced at that.

Besides being dinner for termites, I wondered why anyone would build a wooden house where hurricanes visit.

Then it became clear - money.

It's less expensive to build with wood than concrete.

PUROLATOR SAID IT

Purolator once had an oil filter commercial which used "Pay me now, or pay me later" as its catch phrase.

Purolator was suggesting that investing in a less-than-$10 oil filter every 3,500 miles or so prolonged the life of a $20,000 car. Failing to change the filter when (if?) the oil was changed could end up costing the car owner for a replacement engine worth considerably more than several oil filters.

I thought about Purolator's commercial as I watched the brick facade going up.

How much hurricane protection will a ply board-sided wood frame building provide?

Never mind that houses here are nowhere close to Dade County's building codes - but then, the structures are not in Dade County or even in Florida. On the other hand, hurricanes are not limited to the southeast and south central (Gulf of Mexico area) coasts of the country - just ask the folks in Charlotte NC.

If I was a cynic, I might think people who buy wood frame and ply board structures are depending on Joe and Josephine Taxpayer to subsidize reconstruction after the winds subside.

That's not to say that a wood frame house can't survive a hurricane. There are more than a few virgin pine Cracker houses in Florida that have survived decades of storms. (The turpentine level in the virgin pine is high enough to make the structures termite proof.)

BUSINESS CONTINUITY CONNECTION

The connection between oil filters, construction materials, and Business Continuity really is pretty straightforward: pay for a Business Continuity plan now or risk a business failure and a hit on the wallet later.

I won't cite "statistics" on how many businesses lacking a Business Continuity plan failed following this event or that disaster. Given the vagaries of business and the fickleness of customers and lenders, the business may have failed even without the event.

We do know that many businesses fail for lack of cash flow. Cash flow means (a) income from sales and (b) financial backing from lenders.

We also know there is a growing trend for investors, be they family or otherwise, to expect management - family or otherwise - to exercise financial responsibility and due diligence to protect the organization and its assets.

While some industries have a government agency demanding a Business Continuity plan of some sort, most don't.

The Sarbanes-Oxley Act of 2002 (SOx) fails to demand a Business Continuity plan; the Health Insurance Portability And Accountability Act Of 1996 (HIPAA) also falls short. Both are IT-centric and both leave the people they are supposed to protect exposed.

While the financial world regulated by the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and Office of Thrift Supervision (OTS) must have "Business Continuity," until recently the plans focused on InfoTech; requirements still leave much to be desired, but some examiners are encouraging financial institutions to take enterprise Business Continuity seriously.

In the absence of a Federal mandate, management of many organizations elects to take their chances that nothing will happen to their organization.

Larger businesses - multi-line insurance companies, consumer product manufacturers, aircraft builders - companies with real or perceived "deep pockets," typically have some degree of Business Continuity planning if only to satisfy lawyers' demands for "due diligence."

So why should an organization bother with Business Continuity?

Why does it bother with insurance?

Even though neither HIPAA nor SOx demands Business Continuity, and although both seem to focus on InfoTech, their demands for document protection and tracking expand beyond the data center.

Managers also face both stockholder and client invitations to defend their actions in court.

HIDDEN BENEFITS

The obvious benefit of a maintained and exercised Business Continuity plan is the organization's ability to avoid risks and, in the event a risk occurs, to efficiently, expeditiously, and economically recover to at least a minimum level of service (meeting the organization's Service Level Agreements - SLAs - with the customers and clients) while restoring to "business as usual."

There are other, less obvious, benefits.

All enterprise Business Continuity plans are "process (re)engineering" exercises. Enterprise plans follow business processes from inception to completion, crossing all the "silos" they touch along the way.

Most organizations, unless they are very small, are composed of a number of functional unit "silos" or isolated areas of interest. The people in each "silo" know their job, but it is unlikely that they know what occurred to the process before it came to their functional unit or what occurs after it leaves their functional unit. This isolation is an unfortunate "fact of life" for almost all organizations, regardless of type.

The Business Continuity planner developing an enterprise plan follows a process as it traverses the silos. The planner also follows the process when a sub-process branches off, only to return later. As the planner tracks process progress, the process is "mapped."
The map can later be examined to eliminate redundancies and to enhance efficiencies that can only be discovered by following the process from beginning to end.

Is this a job for a Business Continuity planner? If the planner has the ability and if the plan sponsor authorizes the effort, certainly. But, like the plan itself, "process (re-)engineering" is not something to be undertaken in a vacuum.

Having a Business Continuity plan of any quality may stave off some legal action "in the event of . . . " The operative word is "may."

Part of the "may" stems from any official fiats. Few in the United States, they are many in the UK and the number is growing in Europe and Japan.

"May" also because an aggressive plaintiff might suggest that management failed to take a plan to its next logical steps - exercises and maintenance.

"Due diligence" is the watchword. What defines "due diligence" might be left to the courts to decide. Any legal action, even a successful defense, is a loss for the organization since it costs to defend and image is placed in jeopardy.

Two other "hidden benefits" can improve the bottom line.

Insurance companies may - and as with due diligence, the operative word is "may" - offer a discount if they are convinced the organization has a viable (exercised and maintained) plan - especially if the insurer was invited to participate in risk identification and avoidance/mitigation recommendations. The nice thing is that many insurance companies provide their expertise gratis; the organization's plan is to the insurer's benefit.

Lenders tend to be more generous with their money - and their expected Return on Investment (ROI), otherwise known as "interest" - if they have evidence that their investment is protected by a viable Business Continuity plan.

Finally, while SOx fails to require a Business Continuity plan, people who buy stock in both institutional and individual quantities generally have a better feeling toward an organization that has a plan, especially if the plan's focus is protecting its most important resource - its people.

The bottom line: Business Continuity is simply good business.

Oil filters or Business Continuity plans, as the Purolator folks said: You can pay me now, or you can pay me later.

Managers must decide how much they are willing to pay.

John Glenn, MBCI, has been helping organizations of all types avoid or mitigate risks to their operations since 1994. Comments about this article, or others at http://JohnGlennMBCI.com/ may be sent to Planner @ JohnGlennMBCI. com.

(c)2006, John Glenn MBCI