The root word to “Business Continuity Program (BCP)” is, obviously, not Information Technology (IT). It is “Business”!
An enterprise, therefore, should plan for significant business disruptions (SBD) of which the emphasis must be on protecting itself, as opposed to protecting its IT system. After all, the business world is complex and has lots of challenges wherein IT is only one of the many dependencies an enterprise has in the delivery of its products and services. Unless, of course, the primary purpose of a business is the providing or selling of information technology products or services.
Recognizing the traditional view (that business continuity plan [BCP] is merely an IT issue) as a stumbling block is a step forward in looking for ways to avoid confusion and upgrade one’s learning in relation to business resilience. Another essential step is to identify other stumbling blocks existing within the organization, particularly corporate mind barriers.
Government Intervention
In some countries, enterprises recognize the need to develop a BCP through government’s legislation, responding to insurance requirements and understanding the threat of litigation from third parties. In the U.S., BCP initiatives were developed in response to the financial losses brought about by the 9/11 attacks and first-aid solutions to high-profile corporate accounting scandals, including those like Enron and WorldCom. So laws and regulations in the U.S. are not surprising like the Sarbanes-Oxley Act of 2002, known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called Sarbanes-Oxley, Sarbox, which deals with disaster recovery and business continuity.
Philippine Viewpoint
We need to have similar laws in the Philippines in light of the recent multimillion peso pre-need scandals victimizing many Filipino plan holders. This explains why many companies with BCP in the Philippines are only those that are required by their respective foreign mother companies or partners to comply with the regulations and apply the best practices. These enterprises are fortunate to have responsible management executives who live by the guiding principles of leadership and accountability.
BCP Truths
As a Certified Protection Professional (CPP), I have attended several American Society for Industrial Security (ASIS) International—Philippine Chapter meetings. I have heard many stories from other security professionals how some companies rationalize (rational lies) why they are not adopting a BCP. Some of the common reasons are:
Denial. Some companies believe that they are invincible from crises: either from minor downtime or major downfall. They think that there are far more important things to consider than identifying the firms’ organizational weak links. They do not anticipate that an enterprise,like a piece of machinery, has points of failure. “What I do not know would not hurt me” is the favorite tag line.
Disavowal. This is when a company that sails through the stormy seas of the business world only focuses on the tip of the iceberg. With its ineffectual risk management to check the deeper parts of its underbelly, it transfers risks to someone else, i.e., an insurance company, but ignores the indirect costs that will be incurred—the hidden charges and uninsured, out-of-pocket expenses due to downtime costs, overtime work, and so on.
In 2000, mobile phone giants Nokia and Ericsson were both tested when a fire hit one of the facilities of their common major chip supplier in the U.S. Reportedly, Ericsson did not budge while Nokia acted on the situation. Ericsson suffered the impact of the disruption making it unable to obtain required supplies of its affected parts. The price of Ericsson’s disavowal was an incredible US2.34 billion loss in its mobile phone division.
Idealization. Do bad things happen to good organizations? A company suffering from this mind barrier would answer “no” as a defense mechanism. It tends to ignore the idea of connecting to something larger than itself. It is not that it sees or hears no evil; it is just that it is not apt to consider the unpleasant things that have happened to other people or organizations elsewhere.
Grandiosity. This mind barrier involves a company that brags that it has been in the industry for a very long time and owns the biggest and widest coverage of assets in the country and elsewhere. It does not entertain the idea of getting a BCP, which entails understanding the trends and lessons learned of other companies. The common line, “we were not born yesterday” becomes a favorite mantra. This is the case where security managers work as ornaments for ostentation rather than catalysts for change.
Projection. A company that only considers induced risks suffers from this mind barrier. It believes that if a crisis happens, it is inevitable because someone is bad or out to get it. It is confined to its own belief that there is no room to change anything in a risk matrix, including the erratic actions of Mother Nature.
Intellectualization. ’Never say never’ as low probability is still a probability. It is vital to recognize the root causes of risks, and not consider risks as events occurring almost randomly. But those hardened with this mindset, a low probability risk is merely a nuisance. For this reason, it safeguards the business with safety nets full of holes and creates an alternate reality where small leaks never let the ship to sink.
Compartmentalization. ’Domino effect’ is not in the dictionary of those afflicted with this mind barrier. For them, crises cannot affect the whole organization as parts are independent to each other. By analogy, one views the company in times of crises as standing in one leg, boxing with one arm, or running like a headless chicken. Worse, one views the left brain to think and plan differently from its right brain.
BCP as Catalyst for Change
Ideally, the BCP strategies are highly dependent on the existing culture within an organization. If an organization suffers from any or all of the aforementioned rational lies, then BCP would be a hard sell for any business continuity planner. While BCP could be done in-house or through the help of a consultant, the full support and commitment of the top management remains indispensable.
The critical question is how to win top management’s support. Management needs to overcome any mind barrier towards business continuity through awareness and education. Keeping abreast of the significance of BCP in an organization will teach the old hands some new tricks. Developing a business continuity culture through team learning and experience is essential. If these two recommendations are tough to implement, then seek professional help.
There are two easy steps to achieve business resilience through BCP. First is to understand the traditional views. Second is to overcome mind barriers. The rest will follow after you free your mind. By promoting BCP, enterprises will help them be aware of their current financial condition and critically fortify their shareholders’ view that business continuity is a necessity for the future path to progress. •