I have been arguing that South African businesses are vulnerable to a growing number of high-impact, unexpected threats - black-swan events, in other words. I want to emphasise the point about the unexpectedness of these events.
These events range from the massive (for example, the Twin Towers attack) to the relatively localised (for example, three power sources fail at the same time for different reasons) - but they all fall outside the ambit of the likely risks identified during the business impact analysis phase of the business continuity management programme.
Clearly, the only way to prepare for such events is to make sure the company is as resilient as possible. This means that over and above its specific preparations for identified risks, it is innately prepared to recover from any disaster.
To achieve this, the company needs to move beyond a tick-box approach to business continuity management, really to integrate its principles into the way the company operates - in other words, to create a corporate culture that sees resilience as a central value.
Easy to say, hard to do
The starting point lies, as it usually does, with the board and executive management team. Directors in particular bear the ultimate responsibility for the company's sustainability; clearly its ability to recover from disaster, including unexpected and unplanned-for disaster, is a key element of sustainability. Boards need to make sure they understand exactly what every person's roles and responsibilities are in the event of an incident. Are the appropriate policies in place, for one?
But it goes beyond ensuring that the mechanisms are there. Boards also need to ensure the mechanisms are well understood by the whole company, and they are constantly being tested and reported on. (There's a natural filtering process as information flows up through the company, as bad news is rephrased or even suppressed).
I want to emphasise the need to test the company's business continuity procedures regularly. This testing should be approached not in the spirit of trying to achieve a pass mark but rather as an exercise to build fitness. Failing tests is thus much more important than passing them, because it teaches the company more and promotes growth.
Testing/ exercising should be seen as a visit to the gym rather than the final of the World Cup, in other words.
Indeed, over time, the scenarios used should stretch the company's capabilities so it develops the capacity to cope with the unexpected. In so doing, I need hardly add, its ability to cope with identified threats will also improve substantially.
Share