A lot is at stake when a crisis hits – which, as recent times testify, can happen to even the most competent and unexpected of organisations. When an Australian cloud-based software provider got into financial trouble recently, administration bore the responsibility of telling all of the company’s clients that the treasury systems they had in place would be turned off in a month!
Whilst this may seem like an uncommon occurrence, it is one that illustrates a point around keeping alert to any potential source of disruption – including one of your key business partners experiencing a crisis: “You’ve got to challenge the status quo and continue to look at your assumptions,” says Glen Giffen, Head of Sales for Visual Risk. It may be a case of ‘once bitten, twice shy’ for those particular corporates who were on the receiving end of the software vendor’s own crisis but, for others who are yet to experience such misfortune, to assume that it probably won’t happen to you, and therefore avoid preparation, is a dangerous move.
While it is true that crises sometimes cannot be avoided, it is also true that the outcome can be influenced. The nature of a crisis (which specialist consultancy firm Steelhenge defines as an inherently abnormal, unstable and complex situation that represents a threat to the operations, strategic objectives, reputation or survival of an organisation) is best countered by having procedures already in place. Crises may also not be as uncommon as you think and include: natural crises, causing the loss of workplace accessibility or even total loss of real estate, for instance; technological crises involving single or multiple system failures; and crises of malevolence.
Prefer to prepare
Corporates should be looking to place themselves in the best position should a crisis – natural, financial or otherwise – occur. As Dominic Cockram, Managing Director of Steelhenge Consulting, explains: “When a crisis arises, it is a complex and chaotic environment – usually fast moving. Because the time to respond is precious, you therefore need to have planned beforehand and be prepared so you can react quickly, effectively and decisively.”
Business continuity and disaster recovery (BC/DR) plans are – although most companies hope they will never need to use them – the best course of action in terms of preparing for seemingly random yet potentially disastrous events. Of course, there is a thin line between preparedness and paranoia when it comes to planning, but a business continuity plan should help minimise the latter. It is a means of enabling companies to help themselves prepare for the worst and be able to recover, as well as sustain operations during and after an event as quickly and cost-effectively as possible. Essentially, a BC plan is a fully-documented agreement between management and key personnel (with the buy-in of all staff) that is taken in advance and which covers the steps the organisation, and particular individuals, must take to ensure critical operations are protected.
At its most fundamental level, a BC plan could be the difference between survival and failure. Even in purely commercial terms, being prepared limits the possibility of having to call for (expensive) assistance in a state of desperation. Moreover, “those that are prepared tend to be seen in a very positive light by their investors, and the business is seen as being well led. Those that fail to prepare instead show a lack of foresight and share prices suffer accordingly,” says Cockram.
The attitude towards crisis planning, however, is mixed. “Many businesses operate in high risk industries and take crisis management seriously, partly because regulation may require them to. On the other hand, some corporates are complacent and end up suffering pain when something does go wrong,” explains Cockram. It is important to understand what would constitute a crisis for your business and to ensure the core of your BC plan is sufficiently flexible to cover a multitude of unpredictable scenarios, offering sufficient protection against internal impacts across multiple geographies from local to global, as appropriate.
BC must also consider the external impact, including the likely effect on key business partners and the ramifications of their failure to operate on your own business and the impact of your failure on theirs. A BC plan therefore is best seen as a living, evolving and regularly tested strategy that will give a business the best chance of survival – should the worst happen. Disaster recovery (DR) plans fit into the picture typically as IT-driven procedures that focus on the recovery of software, hardware and data within the BC plan. The aim: to, at least, allow resumption of critical business functions following an event.
Overcoming stumbling blocks
Properly executed, these stages can provide a business with reassurance that it is prepared for the worst. However, a common problem is that within a company there is often no clear ownership of DR. There is a tendency for business operations people – including those in treasury – to assume that another department will take care of it, typically IT. Even if this is the case, colleagues in IT may not always fully understand how critical each business operation is. Thus, no operation should work in isolation when it comes to BC/DR plans. Of course, SaaS-based TMS providers would also have a duty to its clients to provide DR as part of the deal, but it is ultimately the clients’ responsibility to know what to do in the event of a disaster.
So, what is best practice? Wherever possible corporates should be looking to bring BC/DR processes into daily operations, rather than drafting an impressive plan which is subsequently forgotten about. Indeed, a recent report by the International Federation of Accountants (IFAC), ‘From Bolt-on to Built-in: Managing Risk as an Integral Part of Managing an Organisation’, advises against a stand-alone risk management function, citing the poorest risk management as “characterised by reactive crisis management once something has gone wrong.”
Proactive then, is the way for corporates to be. For Steelhenge, development of a crisis management capability is best described as a three-phase cycle involving: pre-crisis planning and preparation, crisis response and post-crisis recovery. The consultancy firm believes pre-crisis preparation should include:
Horizon scanning and risk assessment. Ongoing processes to develop systems that gather, monitor and interpret information that will give early warning of the potential problems.
Response structure. The structure of response staff should be based around the need to provide strategic guidance. Transparency in role assignment and responsibilities is required and the documentation of BC/DR should have a clear ‘lead of governance’.
Gaining experience and validation through rehearsal. Rehearsing the actual response processes within a realistic environment is, according to Steelhenge, “the only real validation of an organisation’s crisis response capability.”
Should the worst happen, crisis response involves the following (all of which are made significantly easier with the existence of a plan):
Information management and situational awareness. Initially, there may be confusion surrounding the details of the event. Therefore, the team must quickly gain a clear understanding of what has happened and what could happen next.
Strategic thinking. Intrinsically linked to the aforementioned point, those who are responsible for business critical decisions need to have the best and most up-to-date information at their fingertips.
Leadership. There must be an identified leader with recognised decision-making authority and accountability. But remember: not everyone is cut out to be a leader in a time of crisis.
Crisis communications. Although the media spotlight is not directly relevant to the treasury function, key players have to inform and update the relevant people on developing financial and operational impacts. Where crisis communication is key for treasury, however, is in the information they provide to shareholders and relevant parties.
The recovery phase involves dealing with the longer-term impacts, taking the crisis as a learning curve and driving any necessary change to avoid mistakes being repeated in the future. This stage should not be underestimated in its complexity and, depending on the nature of the crisis, could take longer than expected.