Friday, 8 June 2012
‘Plan for the worst...’ says UN business continuity boss
Catastrophic events in recent years have lifted business continuity plans to the top of the corporate agenda. So what can risk managers learn from the experience of the United Nations (UN), an organisation that employs thousands of people in countries around the world, many of which are prone to suffering earthquakes, civil strife, terrorism and wars?
First of all, according to the man who is responsible for the continuity of activities at the UN, companies should be prepared to face worst-case scenarios in any situation.
Brian Gray, Head of the Business Continuity Management Unit at the UN Secretariat, said during a conference in Paris on the ISO 31000 that business continuity plans are vital to his organisation.
The organisation needs to guarantee that its operations continue even in the most challenging conditions as they provide key diplomatic services and humanitarian relief.
But often the UN has to deal with cases of extreme complexity. In 2010 its headquarters in Port-au-Prince, Haiti, were completely devastated by the earthquake that flattened the already impoverished country, threatening the ability of the body to help with the rescue and reconstruction efforts.
UN buildings have been the target of bomb attacks in Iraq, Afghanistan and more recently, in Nigeria. The organisation often has to provide aid in countries where the usual logistic channels are disrupted by catastrophes or violent conflicts.
“We plan for all the things that we need to work to be not there. And then we ask what do we do?” Mr Gray said.
In his view it is important to carefully design emergency procedures that bring all the people involved together. Even small routine tasks should be taken into consideration.
“You need to have a plan that allows for all the simple and routine tasks to be back in place. When a large event happens you do not have time to think of the little things,” he pointed out.
Mr Gray emphasised that everybody within an organisation needs to know what to do in an emergency.
In this sense, he said, business continuity amounts to strategic planning that aims to promote changes of behaviour.
People must be trained so that when an incident takes place they automatically change the way they think.
But that is not an easy job as staff tend to ignore the importance of time-consuming preparation even in places where the level of risk is high. “At first business continuity professionals are seen as vacuum cleaner salespeople,” he joked.
Once the message hits home, however, the perception changes completely, as those likely to suffer from the disruption understand the importance of being properly prepared.
A common mistake made by large organisations is the adoption of a programme approach to business continuity plans. In other words, several initiatives are created to deal with specific problems, under the responsibility of different units.
Mr Gray said that such an approach creates problems as it results in many units working by themselves on overlapping issues. In the UN management has made an effort to streamline such processes, he said.
The UN has recently learned that social media technologies can be a powerful tool for business continuity managers. In recent cases they have enabled the organisation to increase its ability to deliver aid.
Mr Gray said that ISO 31000 can be a useful tool for business continuity plans as it helps different parts of a company to speak the same language.
But other participants in the debate were less enthusiastic about the relevance of the standard to business continuity management.
Lyndon Bird, Technical Development Director at the Business Continuity Institute, BCI, told the audience that a specific standard, ISO 22301, has just been launched to help implement business continuity management systems.
Mr Bird complained that the sheer proliferation of standards is actually making the life of business continuity professionals more difficult. “There are so many BCM standards that it confuses the world,” he said. “They confuse me and I do this for a living.”
Mr Bird stressed the differences between risk management and business continuity management.
The former deals better with ‘known knowns’ and non-extreme events and the latter with black swans, or ‘unknown unknowns’, he argued. Mr Bird suggested that both fields must make an effort to better align their activities.