This article is part of a larger academic publication that is currently under review at the Journal of Business Continuity & Emergency Planning.
One of the foundations of Business Continuity Management is that it empowers line management to perform those tasks that ensure resilience for their own units. This takes place in the analysis phase, where middle management examine their critical processes and suppliers and measure the impacts of a possible disruption to such key assets. To understand the criticality of a specific asset, the company establishes tolerability thresholds though initial consultations with top management. The next step is then to build continuity measures to guarantee continuity of operations (ISO 22301:2019). Possible such measures include but are not limited to:
- Alternative work arrangements to be less dependent on physical premises;
- Health and safety arrangements for the main work location;
- Horizon scanning activities to detect changes in the market and the competition and prepare accordingly;
- Communication plans to deal with media sources appropriately in the case of a crisis;
- Cross-functional training to duplicate skills and avoid single points of failure;
- Discussions about continuity arrangements with suppliers;
It is worth stating that there is no one-size-fits-all paradigm for continuity solutions, each company necessities different arrangements; however, BCM ensures that line management pays attention to this process, preventing a centralization of the continuity and resilience process that can lead to inefficiencies.
The principle of decentralization is not so different from other types of decentralization that are taking place in several companies, small and large, around the world. For instance, Netflix has long embraced a policy of Freedom and Responsibility, where employees are free to make decisions and they are not subject to micromanagement over their daily decisions, stimulating creativity and innovation. Similarly, Johnson & Johnson, who have more than 130,000 employees worldwide, delegate to their local branch the decision to undertake the most relevant business strategy to their area. Eventbrite even take this principle to the next level, allowing the users in their network to create and promote their own events without any involvement from central management.
Obviously, this type of philosophy has challenges as well as benefits, both in creating business opportunities and protecting organizations. For the sake of this paper, we will focus on how effective decentralization can be when building resilience and how to avoid common mistakes.
Some see the decentralization of protective disciplines such as BCM as an evolution of resilience. Power (2009) highlights this issue in his paper “The risk management of nothing”, stating that organizational risk should be a synthesis of various risk perceptions within the company, in all its width and length. The risk of a centralized, traditional interpretation of risk identification and mitigation can result in a lack of visibility over certain vulnerabilities or changes that might affect the business.
BCM achieves this outcome through consultations with line management in the analysis phase, which is a central component of its lifecycle. On the other hand, risk management has evolved through the years to obtain a similar result, turning into Enterprise Risk Management (ERM). Today, organizations are much more likely to employ ERM, since it provides a more holistic understanding of the risks and opportunities lying ahead. This includes the creation of risk facilitators or risk champions that will support the sharing of risk management tasks.
For a company to be truly resilient, ERM and BCM must coexist and probably overlap in some cases. Hence, it makes sense to include ERM when discussing decentralization in resilience. The current discourse about organizational resilience after all revolves around the collaboration among different disciplines and it is common to hear that even other adjacent functions to ERM and BCM, such as cyber security and health and safety, are a collective responsibility.
This reasoning begs the question of how to engage with multiple departments and collect all relevant information about single points of failure or risk concentrations. Some widely adopted practices include:
- Initial workshops with top management;
- Workshops and awareness sessions with line management;
- Initial self-assessment questionnaires, possibly with the use of software;
- Interviews with line management to discuss about critical assets;
- Classification of BCM and other resilience activities as a priority with top management;
- Quality review of pre-existing plans and arrangements, to assess the outcomes and methodologies of the information collected up to that point;
All of these activities aim at collecting granular intelligence on the internal shortcomings of an organization, going into detail to appreciate how vulnerable it is and how it can become safer. In this sense, decentralization parts ways with traditional risk assessment methodologies such as the risk matrix. Whilst the matrix can be a helpful tool in showing at a glance the overall risk appetite of an organization, it presents several issues when it comes to an actual in-depth understanding of the risks.
First of all, it is often unclear how the different categories are defined. Usually, a risk matrix will range from low risk to medium risk or even catastrophic, but seldom the presenter explains the quantitative values behind it. Furthermore, a risk matrix does not take into account the correlation among different risks. An adverse weather event could fall into the medium risk bracket, but it does not consider possible spill over effects such as IT outages, loss of physical premises or staff safety.
Therefore, as the world moves towards new business models that exempt from a centralized, rigid command structure, organizations necessitate a new approach to risk and resilience where BCM can play a central role in line with modern business cultures. It is also a rather inexpensive approach, since the central BCM (or ERM) team can be small and agile and act as facilitator within the organization, delegating the more operational tasks to each department or function. Finally, and most importantly, a decentralized approach truly allows management to understand their very own company, with a complete view of its strengths, weaknesses, and both internal and external interdependencies.