By Matthias Rosenberg
Costs and benefits of BCM: let us ask the right questions, not answer the wrong ones.
The costs and benefits of BCM : I have dealt with this issue for almost 20 years now and it always goes back to one question: Why would a company invest in something that does not provide a contribution to revenue and that is meant to protect the company against something that hopefully never happens? This question is quite understandable from a business perspective and therefore justified as a basic question. Those who cannot give a plausible answer to this question will fall at the first hurdle. This issue is fundamental to our profession and at the same time underrepresented in the BCM literature. Even the Good Practice Guide (GPG) 2013 does not see the task of selling BCM as a central task of a BC manager; but in reality the sale and presentation of the business continuity topic are critical for our success.
Soft skills are as important in BCM as in any other management discipline.
Let me give you some examples: BCM professionals need strong presentation skills and they need strong training skills (e.g. to train BCM coordinators). These are specific skills that can be described. Analytical skills (e.g. to prepare BIA results for top management) and communication skills are equally important. In the end it is not enough to read another BCM standard, to take part in a training course or to buy BCM software and hope to run a BCM programme successfully. A BCM professional needs experience and one of the most important skills to implement a BCM programme successfully: patience.
The burden that is oftentimes associated with BCM is not as problematic as assumed. High costs due to necessary investments are the results of failings during the last 20 years. Spontaneous revelations (most of the time by external auditors) wake up management and from then on everything needs to be done as quickly as possible. This can be avoided if a BCM programme is implemented gradually and with the diligence it deserves.
Like a good salesman, you first need an idea of how decision makers think about the subject.
According to a study by Forrester Research, Inc., the main drivers for improving business continuity capabilities are regulatory or legal requirements (38 percent), followed by fiduciary responsibility to stakeholders. It has always been easier to implement and sustain business continuity principles in regulated sectors. The benefit is obvious: fewer or no findings by an auditor. But this is only the compliance side of business continuity. What are the actual benefits to the (daily) business and what exactly is this ‘business’ (time critical processes) we want to continue under severe circumstances?
Significant cost savings for business interruption insurance is one of the more obvious benefits. In the case of Basel III regulations, another benefit is a decreased equity ratio. By the way, one goal of Basel III is to decrease the CCR (counterparty credit risk) for derivates, pension transactions and securities transactions. Did you already consider this as a chance for BCM to contribute to stress testing and scenario analysis to create further value for your business?
It always needs to be considered that we as professionals can measure the benefits of BCM. It would be interesting to know how other departments of your company deal with measuring their benefits to the business. If they are measured at all.
In Germany there are no ambitions to implement BCM for the sake of entrepreneurial responsibility. BCM efforts are mainly triggered by regulators. Which leads us to interesting questions: Will companies undertake actions to secure their business only if they are obliged to do so by regulators? This is a typical chicken-and-egg situation: who was there first, the lazy entrepreneur or the Prussian civil servant? (For those who do not know Prussian civil servants, they are known here in Germany for having been very dutiful and orderly.)
Let me explain this by referring to the growing need and respective usage of Shared Service Centers (SSC) in Eastern Europe. We notice a huge accumulation of these centers and this makes perfect sense from a business point of view, as the benefits of reduced costs due to lower wages are obvious. At the same time the availability of qualified personnel is key to making the centres attractive for customers. During the last 20 years of working in the BCM field I have experienced only one case where a company precautionarily implemented a BCM system in one of their SSCs to support their business strategy. In this case BCM was able to deliver real business benefits but this remains an exception from my point of view.
When asked about the top challenges of implementing and managing effective business continuity, the Forrester study states that implementing BCM corporate-wide (45 percent) and inadequate funding (43 percent ) are the main challenges, followed by a lack of skilled staff (27 percent ). Let’s relate this to costs and benefits; can you say what the benefits of a corporate-wide business continuity management system are? And I do not mean our typical answers like “We will be more resilient” (whatever that means exactly). And if you can say what exactly the benefits are, do you only verbalize them or did you experience the benefits in your organization yourself?
If we cannot answer fundamental questions likes these, how can we justify costs that are related to our business continuity efforts? If these questions are unanswered why do we talk about concepts like ‘resilience’, which appear not to be fully understood or defined consensually anyway? Why do we ‘invent’ new BIAs (strategic, tactical and operational) and why do we ‘invent’ new abbreviations (MBCO, MTPD) without defining them properly. And by defining I do not talk about just ‘putting a sentence behind it’. I talk about specific calculations, e.g. how to calculate the MTPD and critically examine whether the current definition of the MTPD makes sense in the first place. The economic consideration of maximum tolerable periods of disruption in the context of company-wide consequences on a process level is unfeasible for departments/divisions and can lead to wrong conclusions in a real crisis. The key challenges are accumulation risks which cannot be understood with our standardized BCM language.
Beside these ‘construction yards’, I see an unpleasant trend in Germany and at the international level which I personally consider as dangerous. I see colleagues of mine (other consultants) talking about ‘resilience’, ‘resilience management’ and ‘resilience benchmarks’ without rhyme or reason. Let us face it, by doing so our profession changes from a useful tool for coping with unforeseeable events to a mere compliance exercise. The focus changes from real survivability (benefit!) to having the certificate on the wall (benefit?). Search the World Wide Web for toolkits promising an ISO22301 certification in no time and with almost no effort. You will find them. But let me ask this: Do you really think this makes sense and provides any benefits for your business?
From my point of view a correct question is: Why is BCM still not a boringly normal business process like controlling or human resources?
Why do we still have to argue about the costs and benefits of BCM? Imagine a controlling or human resources department that has to justify its activities over and over again. I think BCM as a profession is spinning in circles with too much self-referencing. We need to think differently about what we can contribute to the business itself and how we can do this. I imagine our profession being a part of every MBA programme of this world to educate all future managers on the costs and benefits of a business continuity management programme.