Business continuity: a case for integrated risk management

Photo: Francis Owusu-Achampong

Business continuity is defined as “the capability of the organisation to continue delivery of products and services at acceptable pre-defined levels following a disruptive incident”.

As the cartoon above depicts, business continuity is much more than an information technology issue. Interestingly, that is what it seems to many staff, especially in the finance and commerce industries. Business continuity is a holistic risk management concept that is applicable to both the public and private sectors and must be handled proactively.

COVID-19 in recent months has demonstrated profoundly that business continuity management must be embedded in the core operations of any organization.

Business continuity management is therefore a framework for building organisational resilience. It is geared towards providing the capability of an effective response that safeguards the interests of the firm’s stakeholders, protects its reputation, the brand and other value creation and enhancing capabilities.

It is clear from the above that disruptive incidents could occur in the public or private sector with potential debilitating effects on citizens or customers in every facet of the economic and social landscape. Business continuity management seeks to avoid or minimize the effects of catastrophic incidents.

Events in Ghana like the June 3rd 2015 twin fire and flood disaster, the inferno at the Tema Medical Warehouse of the Ministry of Health, and other major fire incidents like that of Makola market may be cited as providing significant lessons for the need for continuity management.

In particular, these disasters provide the impetus for integrating the functions of various state agencies to avoid the situation where, as in the Makola incident, various state agencies blamed each other for impeding their respective functions or making excuses for their inefficiencies during the fire incident.

The concept of business continuity management therefore involves a strategic plan from the board to embed sustainability or the going concern orientation. The provision of resources and oversight of a tactical plan from operational management on how to engage in the 4 Rs (Respond, Resume, Recover, Restore) in a consistent and cost-effective manner must engage directors and management.

Business continuity management may be considered by inept business managers or politicians as an abstract, costly function until disaster strikes with the capacity to collapse the entire organization, or in the case of the nation, cause catastrophic, budget-shattering effects, like the COVID pandemic.

In modern business management, business continuity is seen as an operational risk. Some operational risks can be predicted and measured with reasonable accuracy, using statistical modelling from a well-crafted incident management system.

Others may not be so captured, hence the distinction between expected losses and unexpected losses and their respective treatments in accounting and risk management domains.

For a modern board of directors, especially in banks, part of their core responsibility is to ensure that they:

  • partner with Regulators and other key stakeholders (the Fire Service, Building Inspectorate Department, the MMDCEs, the Health Ministry, security agencies, among others) in the discharge of their corporate governance responsibilities,
  • create organisational awareness of the entire BCM eco-system as a pro-active process, not simply a fire-fighting or reactionary event,
  • cultivate and maintain a culture of risk consciousness across the organization through education and rigid insistence on occupational health and safety rules,
  • understand the advantages of effective BCM in respect of disaster impact minimization, to foster the building of brand resilience, inter alia.

It is not uncommon therefore to find these objectives permeating various board charters as part of contemporary corporate governance frameworks, usually under the Operational Risk Management Committee.

To be fore-warned is to be fore-armed. The biggest testimony of this simple phrase could be seen in the events leading up to, during and after the unfortunate September 11, 2001 attack in the United States of America.

From a business continuity management perspective, vital lessons could be learnt from the coordinated and almost seamless linkages between various state agencies during the period. These helped significantly to forestall even greater disaster, for instance, by the shooting down of the second airplane used by the criminals and the swift closure of the air space, among other strategic interventions.

Similarly, the phenomenal coordination of agencies in the recovery effort involving the dead and injured, the quick resumption of various businesses that used to operate in the twin towers, and the events that culminated in the clearing of the debris and reconstruction of new monuments in the same place, exemplify the benefits of integration among various organs of state.

Various countries like the United Kingdom, the United Arab Emirates, Australia and New Zealand have comprehensive national blueprints for dealing with disaster and related recovery efforts. A best practice compliance strategy must be formalized in routine operations as part of dealing with risk, however remote, in the business continuity framework.

It is expected therefore that the concept of business continuity management is seen in the corporate world as an integral part of enterprise-wide risk management. Risk approaches must be consolidated, instead of the traditional siloed or stovepipe approaches where functional heads confine themselves to just managing risks within their respective business units.

The drawback of the traditional approaches in the business continuity framework is that a functional head may be oblivious of the significance of a particular risk to other segments of the business.

Similarly, the unit heads may not obtain a comprehensive view of how their individual tactical responses may affect operations in other areas of the business.

Understanding the concept of risk, the potential threats and their likelihood of occurrence is a core element of the preparations towards avoidance or impact mitigation efforts.

The impact of each risk will also vary according to its nature. This could range from financial and legal to occupational health and safety and business interruption consequences. The BCM process attempts to introduce rigour while retaining flexibility during implementation by operatives. It is worth emphasising that events simply don’t happen the way we plan, but failing to plan is like consciously embracing business failure.

A typical example is the COVID-19 pandemic, which has resulted in changes in the ways many organisations conduct their respective businesses and in unforeseen risks associated with the remodelling of business operations.

Bankers have been hard hit through the emergence of working from home scenarios and the heightened risk implications arising from vulnerability to cybercrime from different geographies. Inadvertent breach of confidential information, dysfunctional teams and other health and safety concerns arising from working from diverse locations have compounded continuity management.

Through a structured, systematic process, organisations may attempt to manage all significant business risks pro-actively through the implementation of appropriate preventative controls and other risk treatment methods.

The essence of business continuity management is not the complete avoidance of risk, but a reduction to an acceptable level of the impact of risks, should they occur. It is important to recognize, though, that preventative controls and other pro-active treatments are no guarantee that risk events will not occur. There can be no complete elimination of the likelihood of occurrence of all risk types.

For a board of directors charged with oversight of business continuity, among other crucial responsibilities, the key question is how much time, effort and resources need to be invested in corrective controls in preparing for an eventuality that may never occur?

This is where a risk-based approach becomes essential in deploying resources for effectiveness and efficiency. Capital and recurrent expenditures deployed in the business continuity spectrum must be proportional to the likely cost of recovery should a disaster occur.

Within the contemporary business environment, firms must prove and maintain the high degree of trust necessary for their survival. This includes the trust of their employees, their investors, the regulators, and the general public who make up their customer base.

For instance, the extent to which the business has met building regulations, occupational health and safety standards, labour laws and other regulations ought to be paramount.

Now, and even more importantly, sustainability principles embodied in the International Finance Corporation of the World Bank’s Performance Standards and other country-specific sustainability rules must be complied with. These have business continuity elements grafted into the governance structures and processes.

This leads to a critical examination of risk treatment methods, undergirded by business continuity management, and the imperative to apply the enterprise risk management philosophies that embody comprehensive firm-wide consideration of diverse risk impacts.

Traditional risk treatment methods involve:

(a) Avoiding the risks. This requires a decision to shun certain business lines or drop them if the perceived risk is not worthwhile, given the capital and other resource outlay.

(b) Reducing the risk. This involves conscious efforts to reduce the likelihood/incidence of the risk and could best be handled through widespread education and training, sanctions or incentives as may be found in a large-scale poultry establishment with laboratory and hatching facilities.

(c) Reducing the consequence/impact. This could take the form of implementing contingency plans. These plans may be triggered as soon as the risk event crystallises. A Liquidity Contingency Funding Plan in a bank is a typical example.

(d) Transferring the risk. This method could take the form of hedging or insurance. The insurance company will obviously protect their exposure by ensuring that the insured observes certain routine obligations, including known regulatory and compliance measures.

(e) Accepting the risks. This includes a determination of the firm’s risk appetite and a conscious decision to live with and manage associated risks with an eye on what may be considered acceptable returns. Without this, industries like aviation, shipping, mining and telecommunications and information technology will not find sponsors or investors, given their high-risk nature.

Which of the above risk treatment methods is applied will be determined by each firm through:

  • an assessment of the level of likelihood and consequence of the risk emerging,
  • evaluation of the expected effectiveness of methods to reduce the likelihood and consequence/impact of identified risk events, and
  • an assessment of the level of likelihood and consequence of residual impacts after adopting any of the risk treatment methods mentioned.

All of the above requires that the board and management of each organization recognize business continuity management as a regulatory imperative, now required in many jurisdictions.

The board must therefore integrate the processes for adoption and implementation of continuity management ethos into its core activities. This could be accomplished through the establishment of a policy with clear lines of responsibility and ownership of such responsibilities by all business unit heads across functions. The Chief Risk Officer takes responsibility for coordinating functions regarding business continuity management.

Knowledgeable personnel must be allocated and given sufficient financial resources to properly implement the continuity plans. This must be reviewed and approved at least annually or as business processes change with technology or the legal regime makes this inevitable.

It is also important to ensure that employees are trained and aware of their roles in the implementation of the continuity plans. Regular testing and updating of the plan are essential and designed to incorporate any major changes in the operational environment.

Having dealt with the conceptual basis of business continuity management, the next articles will highlight the methodologies for implementation, control and monitoring in specific organisations, with banks and financial institutions as primary reference points.

The writer is a Fellow of the Chartered Institute of Bankers and an adjunct lecturer at the National Banking College and the Chartered Institute of Bankers, a farmer and the author of the “Risk Management in Banking” textbook.

Email: [email protected] Tel. 0244 324181
