De-risking Business Continuity
How risky is your business continuity planning? Do you see your company unprepared for the same impacts twice? Does your company count the same triggers of the same impacts twice? Need it do so? Business continuity planners must not only ask what might go wrong where in view of past experience; they must also ask what has gone unaddressed and why. Business continuity planners must stop and ask “What is my responsibility to make sure these elements, risks, issues, mistakes, and omissions are properly addressed in a timely, reasonable, and prudent manner?” Past omissions and errors must be a starting point for business continuity planners so that they themselves do not replicate or perpetuate the negative, including discontinuities, dysfunctions, bad experiences, and bad acts. Business continuity planners can be a bigger solution and need not ‘aid and abet’ the company in what goes wrong. Is this not the best ‘lesson learned’ from discontinuities?
Too often companies make pinpoint responses, only dealing with what absolutely, positively has to be fixed now, or yesterday, as the case may be. Good actors by contrast are “responsible, reliable, and really useful,” like Thomas. Of course, even good actors slip, but when they slip, they catch themselves and preserve their mission by reviving what has crashed and renewing their commitment to their tone. Good actors know that the circumstances and past rationales for omissions and errors count, otherwise the entity is doomed to perpetuate and replicate not just the past but the past pattern of omissions and errors.
Some companies, on the other hand, have been known bad actors for years. Looking at the litigation and regulatory record for both troubled and troublesome companies, there is always a distinct history of suppression of business discontinuities, from concealing the conditions and ignoring the rationally necessary responses (BP and TEPCO) to suppressing the discontinuities with bandage fixes, patches, promises, and blandishments. We know that companies such as BP and its ilk think too much in terms of the continuity of the business and cash flow. TEPCO confessed that it failed to put safety, continuity, and risk systems in place lest people think there was danger.
All too often, the ‘business’ becomes a justification for tolerating not just the ‘hair’ on the model, but defects, discordancies,and business roulette. Bad actors are too often excused as “complacent”. Short of criminal convictions, the problem is much less complacency than denial and conviction of invincibility.
Good actor or bad, when faced with discontinuity, one can’t put the “business” ahead of attention to the discontinuities, even if that means a short dose of reputational negative. TEPCO let the verbiage and blandishments of ‘business’ override its real vulnerabilities and the emergent criticalities of systems. It wreaked a rather heavier toll for itself and its customers. Company and its “business” suffer, reputationally, physically, and financially, if discontinuities and discordancies are not addressed straight up.
Remember, in real business terms, that there is settlement value for every lawsuit, even those lawsuits unjustified and dismissed or thrown out of court. Regulatory fines and penalties can be compounded by criminal charges. Business continuity strategy has to be about the minding the discontinuities and discordancies with a sharp eye on the business.
© 2013 S. Caroline Schroder. All Rights Reserved.
Nip Crisis in the Bud
Don’t brood, don’t stew in trouble; resolve your differences through early-stage mediation before crisis can get a grip.
All too often, a business has been mired in brewing trouble for months or years before anyone consults a lawyer. Trouble may come as open conflict, or it may lurk in misunderstood intentions, regulations, terms, reps, and warranties. Trying hard to ignore the problems, businesses can even sail smoothly onward amid success, completely overlooking the impending crisis. However, few problems simply melt away. Eventually the deferred crisis comes. The business may suddenly crash into a wall or may stumble painfully forward into trauma. And all too often, it’s too late for a lawyer to develop a real solution. The next step is litigation or a relationship or strategy which simply falls apart, with costs. The process server arrives at the door, or the early warnings start. The goods are not delivered, the team falls apart, or some facility must be closed. Cash flow lurches to the negative; valued talent leaves; lay offs become inevitable.
Just as often, you don’t have to go there. Recognize the trouble early for what it is and stave off crisis. Whether redirecting strategy or seeking rapprochement, early-stage mediation can get you where you need to be. Mediating differences early on can make sure the legal complaints remain a gleam in some unmet litigator’s eye. Through guided negotiations, independent evaluation, or business conciliation, you can achieve a workable solution. It’s much cheaper than litigation.
Never forget that there is settlement value to every lawsuit. You don’t want to pay for pleadings. Try mediation early on and save the money and risk for execution of a real strategy.
© 2010 S. Caroline Schroder. All Rights Reserved.
In Litigation, Bad Facts Mean ‘You Lose’
When lawyers know their client is going to lose, they like to say euphemistically that the client has “bad facts”. Much of what lawyers do is making up for bad facts as best they can–after the horse has left the barn. For better –and best– results, you need to be “proactive” in judging the whole-world reality: you need to understand the facts, factors, forces, and figures from multiple perspectives from the first so that you are not left with bad facts, bad judgments, bad decisions, and bad, not good, risk. You need to that clarity.
So that you can focus on your goals, you need to work carefully to assess the reality of your world. Compare and contrast what you think and hope with what is real. Tease out the active and sleeping problems and identify real opportunities and risks however remote they might seem–or you might hope.
To derive new possibilities and prioritize what comes next you need to listen and watch and not dismiss anomalies. Isolate real functional irregularities along with the operational anomalies. Analyze the dynamics of your organization as well as the incidents. Follow through on new information and build on your analysis; extend your plans and solutions. You have to get uncomfortably technical, technical beyond the technicality of your profession and into the technicalities which are foreign to your discipline and foreign to your thinking. Build creative solutions.
Gain a realistic picture of where you are and where you can go. Do not ignore the real reality as you execute and integrate. Only then can you actually begin to balance benefits and costs and build a sustainable path.
Deal with change before change sets its own path through your business.
© 2010 S. Caroline Schroder. All Rights Reserved.
When Business Continuity and Risk Go Wrong
We all know all too well that business continuity and risk management fail. But why? The starting point must be to examine those failures and look for fundamental gaps in knowledge and understanding of complex interactions and impacts. The most obvious is that business continuity and risk management are far too often marginalized, off somewhere in administration. Isolated from the business model, much as CIO’s and IT have themselves complained of being isolated for years, these personnel don’t really gain access to the strategic plan and people, the core of the company’s goals and mission, the real work. They do for the people who will let them in. They see the business systems and processes in isolation. They do what they know. They follow old paths, replicating old patterns, and veering off onto familiar trails. For companies to have fully functional, strategic business continuity and risk management, these personnel must be brought in from off center to fully participate in business model. However, the first order of business for business continuity and risk management must be to examine the failures and look for patterns, anomalies, and where they made false assumptions or mistook impacts. Only then they can move on to complete their improved process, integrated with strategic planning, and legal analysis for the future.
All people are, of course, creatures of habit. So too with business continuity and risk personnel. When there has been a failure, the starting point must be to ask “what has gone unaddressed and why.” Continuity and risk personnel must examine those failures and look for patterns, anomalies, interconnections and where they made false assumptions or mistook impacts. As they do get down into the weeds of failures, they must figure out what their responsibility is to make sure these elements, risks, issues, mistakes, and omissions are properly addressed in a timely, reasonable, and prudent manner. Where the responsibility lies with someone else, continuity and risk personnel need to note it, communicate it, and determine whether changes are possible or not. Then they can move on to complete their own improved process even as events unfold and risks mature and pass into new risks and other impacts.
Looking at the litigation and regulatory record everywhere, there is a distinct history of suppression of the ‘dis-continuities’, from concealing conditions and ignoring rationally necessary responses (BP and TEPCO) to suppressing the critical weaknesses and festering disasters with bandage fixes, patches, promises, blandishments, and pinpoint responses that only deal with what absolutely, positively has to be fixed now—or yesterday, as the case may be. The dysfunctions are usually chronic and the ultimate fallout generally catastrophic, not only for the company but the public. Good actors by contrast maintain and occasionally, of course, have to renew a mission and tone of being “responsible, reliable, and really useful.”*
Continuity and risk personnel need to beware the verbiage and blandishments of passing over discontinuities and impacts for ‘the good of the business.’ There is always pressure from those who believe that ‘momentum’, mission, and overall success will override the real vulnerabilities and the emergent criticalities of systems and processes, assets and people. Among bad actors, ‘the good of the company’ becomes a justification for tolerating not just the ‘hair’ on the model, but defects, discordancies, and business roulette. More than one plaintiff, regulator and whistleblower has demonstrated convincingly that a company, government, university, or other entity has placed the “organization” ahead of realistic organizational self-examination and self correction. “The company” and its “business” (meaning revenue, reputation, and superficial stability) has been used as an excuse for bad thinking and bad acts by a long roll call of companies, which have then gone on to oversee disaster.
The company and the business will eventually suffer, financially, reputationally, and physically, if the vulnerabilities and criticalities, discontinuities, and impacts are not addressed. For those inclined tolerate the discontinuities and “insure away the risk”, remember that even if the company tolerates the impacts on itself, customers, employees, and the public, there is also settlement value for every lawsuit. “Absorb-able” regulatory fines and penalties can be compounded by criminal charges. The real ‘lesson learned’, is that the circumstances and past rationales for omissions and errors count, otherwise the entity is doomed to perpetuate and replicate not just the past but the past pattern of omissions and errors. Business continuity and risk strategies have to be about the discontinuities and vulnerabilities with eyes on the business, eyes with the perspective of the model and the plan.
©2013. S. Caroline Schroder. All Rights Reserved.
RM is to BC as
“The Night Watch” is to ‘All Heck Breaking Loose’
Visualize the Risk to Business Continuity relationship as a Venn diagram with concentric circles, BC inside Risk, not interlocking, intersecting circles. For optimal planning and risk identification, risk and business continuity should be combined so that risk and continuity managers adequately think through the circumstances and impact of discontinuity and realities and impossibilities of continuity planning and execution. It is easy to misjudge the ease of business continuity and to miss the subsidiary risks. Combining the risk and continuity better ensures that the voice of business continuity is heard at the board and C-team levels, and likewise that those directors’ and executives’ particular concerns and needs make it down to business continuity managers. Cross-company and cross-silo communications cause uncertainty enough; of all people, risk and continuity managers need fluid communications at the most difficult times and out at the edge of company knowledge and personal understanding or imagination, if you will. These critical missions should not be put at risk of falling through the gaps but blended for optimal assessment and judgment.
Business continuity teams have a specific mission with particularized tasks; it is specialized work. Risk is the broader mission and subsumes business continuity. The risk committee must be the experts in the wider spectrum of all that can go wrong–or merely differently. Put another way, the risk committee with its broader range of issues should be responsible for oversight and tasking of the much more narrow, specialized business continuity committee. Risk spots the gaps and tasks business continuity with bridging them. The business committee adds value by drilling down into the practicalities and details of weekly, daily, hourly operations and then making recommendations up to the risk committee for approval while also overseeing implementation of plans and actual physical execution of tasks.