Over time, many corporate leaders have come to think that business continuity planning (BCP), which Forbes refers to as organisational resilience, means investing in a recovery facility and procedures for unlikely events like earthquakes or fires. Yet he stresses that this is a misperception.
On the contrary, says Forbes, “the real value of contingency planning is gaining a competitive advantage.” Preparing plans to continue the business is good management, just like having insurance in case unexpected events happen. “Managers buy insurance because people will criticise them if they don’t have it, but they usually won’t be criticised if they don’t have a contingency plan,” he adds. “The only way BCP can be looked at as an expense and the only reason people don’t pay attention is if they think those risks won’t happen.”
The secret to turning organisational resilience into an opportunity, he believes, is to make investments of time and money that add value every day, not just in a disaster. More than just IT disaster recovery or security, real resilience includes being able to handle the full range of responses a company needs to keep its business going, whatever happens.
Siemens Corporation, for example, took advantage of contingency planning to improve business at its regional headquarters in Singapore. In its planning, the company focused on what to do if the 1,500 sales and marketing staff members working in its office could not access the building. Instead of constructing a recovery facility that would be used infrequently, if ever, Siemens created a shared hot-working site in another part of the city. It changed business processes to allow staff to work from home permanently, although staff can still come to the shared centre to meet with a client, prepare materials and do other tasks. With 100 seats in the centre connected to the corporate systems, Siemens has the security it needs in a facility that doesn’t sit idle every day, while receiving a positive return on its investment and having effective backup plans in place.
Another company that benefitted from planning for organisational resilience is NTUC Income, one of the largest insurance companies in Singapore. The firm became concerned about its concentration risk when there were forecasts of flooding, since all its offices were within a one-block radius. After assessing where and how to move staff, NTUC decided to relocate several hundred people permanently to a location at least 5 kilometres away, so they could also continue to operate in an emergency. It set up a service centre in a new location and renovated the old office before leasing it out at a rate that pays for its BCP many times over.
“What we’re seeing globally,” Forbes said, “is more and more people working outside traditional offices. This remote shared office facility concept is something that banks are also going to pay attention to. The Siemens example shows how it is a business advantage.” Moreover, technology is making it possible to distribute processing power over a large number of computers, and distributed processing also increases resilience.
Focus on the Actual
Rather than focusing on unlikely events such as fires and earthquakes, Forbes insists that organisational resilience should concentrate on those that are going to happen and include the skills – operations, security and technical – needed to address any form of disruption.
The difficulty is that human beings have cognitive biases, like the so-called ‘recency effect’. As he notes, “we are most concerned about what happened yesterday,” which is why events such as the floods in Thailand or the Philippines attracted the most attention. “I would argue that those events, the headline-grabbers, do a disservice as they distract from less visible, more subtle, but more dangerous risks.”
In Singapore, for example, the events that had the biggest impact on businesses have been infrastructure-related rather than headline-grabbing floods. Train breakdowns, a fire at a SingTel facility that took out phone services all over the island and a bus strike that kept workers from getting to their offices had the greatest impact on businesses and consumers alike. “The effect on a business that depends on the transportation and communications sectors is much greater risk and has much greater impact than a typhoon,” said Forbes. “Business continuity has obviously been focused on extraordinarily-unlikely, high-impact events. I think it’s much better to focus on organisational reliance for more ordinary events.”
What leading banks are now doing is actually operating every day from dual locations. Even if there was a fire in an office building on a small island such as Singapore, Forbes said, “it will take four hours to walk down 50 flights of stairs, get to an assembly point, have management decide to activate the plan, find transportation to the back-up location, get the IT department there, set up systems, go to backup systems, log in and start working. Four hours is too long in an active treasury trading room, for example.”
While testing the back-up location is beneficial, “the problem with the testing regime is the same as with fire drills. Fire drills never involve any fire,” Forbes said. Similarly, IT disaster recovery testing is conducted on a weekend so it doesn’t disrupt the business. “The difficulty with that approach is you cannot prove by that kind of testing how long it will actually take to recover in a real emergency. It tells you that you know what to do, but it won’t tell you how long it will take.” What is preferable is making tests progressively more difficult until you have confidence that you could run a test without giving staff advance notice.
Rather than seeing business continuity planning as a required but wasted expense, businesses can use it to create operational resilience and even to grow business revenue. Whether the problems are disasters like floods or infrastructure woes such as telephone outages and transport breakdowns that stop employees from working, companies that take a new approach will be better prepared and enhance business performance while ensuring they are ready for whatever happens.