Clear and present danger

There are two main challenges currently facing the successful implementation of business continuity measures. Firstly, we must remember what business continuity management is about. It is not about IT, or operational risk management. Business continuity management is part of a core delivery of financial services to customers. Many people in business continuity management have a background in IT or other areas, and sometimes don’t fully understand that everything we do should be subject to maintaining the core activity of the bank.

Secondly there is an image problem. If you ask 20 employees from any company to explain what business continuity management is, all of them will have a different answer. An even bigger problem is that all 20 are convinced their reading of BCM is the only correct one. For example, an employee who specialises in operational risk management will believe BCM is primarily an extension of operational risk management; the IT employee will believe it is an extension of what IT is doing. The next person believes it is about building evacuations and health and safety. You could go through the list: property, relocation, HR, Security, and so forth. The reality is that BCM involves all those areas.

At ABN AMRO, we used to do BCM in the traditional way. This meant using a business impact analysis, risk analysis, and business continuity plans. If you were lucky, these would be tested, but often they weren’t. You would probably find a signature from a senior manager on all of these documents. We would have relocation sites and conduct periodical crisis management training. The perception of business continuity management was an additional cost. Some people appreciated that reputational damage could occur if we weren’t prepared, but still it was seen as an additional cost.

A couple of years ago there was a big fire in Chicago at LaSalle Bank, and ABN AMRO subsidiary at the time – the biggest foreign-owned bank in the Midwest of the United States. It happened on a weekday, and it ruined about three floors. The building is an extremely old one, of special historical interest in Chicago, and addition all the floors above the fire had suffered smoke damage, and all floors below that had water damage. Fortunately there were no casualties, but there were a few people wounded.

To make a long story short, the next day, about 750 of the 3000 employees were working at alternative locations. There was huge media coverage because it was such a vintage high-rise building right in the Loop of Chicago. Our BCM team was prepared for this event, which is why they managed the relocation so quickly. Within a week, they had 1600 people working again at alternate sites. The co-operation with the public services, especially with the fire brigade, but also the police and the municipality was extremely well co-ordinated. All the media attention that ABN AMRO received meant that news traveled far and fast: everyone know there had been this big fire at ABN AMRO, but it was a very positive thing. Despite the fact that this horrible thing happened, because of the good co-operation with the public services, there were no casualties.

In addition to that, despite the fact that a building of 3000 people at the head office of this bank had to be evacuated, there was no business impact. All the branches were open and the ATMs were open. Due to all these factors, instead of this event being a crisis, it was a huge opportunity for positive media exposure for the bank. What in fact happened was that instead of it being a crisis, it was a window of opportunity for media exposure, a way we could tell the world: “Look at us – we are ABN AMRO. Even if something bad happens like this, we are still able and capable to provide you with the services that you ask from us.”

The story goes that there was a BCM insurance that would pay out if we lost any business because of incidents like this. After the event, they started calculating and found out that the business impact was not negative: it was actually a positive one. Because of all the positive media exposure, we had new customers walking into ABN AMRO offices who were looking for a new reliable bank. Now that, of course, was a big change in the whole perception – in the whole attitude towards business continuity management within our bank.

As of that moment, our business continuity management approach started coming back round to focus on our reason for existing: that we are a bank. We’re doing this because we are providing financial services to our customers. That’s what pays our salary. So BCM must make sense. It is a pragmatic approach. We are looking at the most important areas of the bank that have the biggest added value and making sure that those are resilient. Of course, you must retain the traditional part – you need to do your BIAs and BCPs – but you need this wider viewpoint.

This is a double-edged sword. If you’re a bank and you’re struck by lightning, which means suddenly all your operations are down, people will expect you to have a contingency plan. If it comes out in the media that you don’t have any plans at all, or that you don’t have adequate relocation facilities, then that will look extremely bad. Would you trust your money with a bank that didn’t have a backup plan? So yes, there is becoming more and more of a competitive advantage in having business continuity management, or of course a competitive disadvantage if you don’t have it.

Allow me to give you three examples of that. First of all, if somebody walks into our bank – a corporate who wants to do his transaction banking with us, for example – they will issue a request for a proposal, and we will respond to that. In every requests for proposals nowadays, there is always the question, “How did you arrange for your business continuity management?” People use this as part of their selection criteria.

The second example draws on the extreme weather the world has been experiencing recently. You might remember that there was a big monsoon flood in Mumbai a couple of years ago, where there was 90 centimeters of rain that fell within 24 hours. Usually Mumbai is good at handling a monsoon, but this was really extreme – all the roads were flooded, public transport couldn’t drive anymore, trains were stopped, and nothing would run anymore. It was a big issue because people couldn’t go home, and neither could they come to the office.

Within ABN AMRO, we had our offshore centre, upon which the whole world of ABN AMRO is rather dependent! Immediately we invoked the business continuity procedures there for that eventuality so people could sleep in the office. We had certain hotels where people could stay, that was all prearranged. Also the whole infrastructure was still up and running. Our offshoring centre was the only DPO in the entire area that was still up and running: all the other banks were down. That’s my second example of where you can actually be proud, and it’s a selling point – like, “Hey, all the others are down, and we’re still up.”

Something similar to that happened a couple of years previously. There was a big outage in the United Arab Emirates, which led to a considerable IT failure – an infrastructure failure in the public networks, because of which all the ATMs were down. There was only bank that still had their ATMs up and running, and that was ABN AMRO. Now how good is that for your reputation?

Those are the things you take pride in. And then you’re also proud of being a member of that bank if you’re an employee.

Approaching BCM

I believe that many companies that undertake BCM in the traditional way spend 80 percent of their time chasing managers of non-critical functions, so that they update the continuity plans for non-critical functions: a non-efficient use of time. BC managers should focus on the real priorities. You don’t do that by having a business continuity plan and business impact analysis per unit, per location, totally independent from each other. You end up with a massive number of isolated impact analyses for every unit in every country around the globe, and remember ABN AMRO is a bank of 110,000 people in 60 different countries with thousands of offices.

In the new world today, we are consolidating those business impact analyses, but keeping a practical level of detail. This consolidation provides transparency of the most critical activities. This allows us to know the right priorities when advising the crisis management, but also to set priorities in investments in building resilience. You can imagine that all those business impact analyses amounted to many documents: a lot of paperwork. The added value was actually quite limited because we could not see which of those processes were the most important ones. If there was a crisis management team getting together, it was up to the individual knowledge of this organisation – of the individual members of the crisis management team – as to where they would set their priorities. We as business continuity managers could not possibly tell them what the most critical functions were, because that was all hidden in those large amounts of individual documents, per unit and per location.
The profession of business continuity management is developing rapidly, and it has a few consequences. The industry standard for BCM is growing, and everybody today can expect that a respectable bank should have relocation seats and business continuity in place.

New school

I see lots of potential in ‘new school BCM’: Instead of starting by writing impact analysis and continuity plans from scratch, the BCM process starts from the other side: they start with a gathering of the crisis management team CMT. This senior management is called into a room, and asked to run through a scenario. While running through that scenario, you develop your requirements and documentation. Instead of starting with the documentation, you end up with the documentation. Depending on the situation, this concept can be more pragmatic than old school.

With such more pragmatic approach, you also come across practical risks that you never expected. A while ago I was in Amsterdam in the basement of our head office, which also homes a few IT servers. Right in the corner there was a big black box, which raised my curiosity. I asked what it was, and was told it was a telephony switchboard. I then asked about the box standing next to it, and was told it was the backup server for the telephone switchboard. Some further investigation revealed that if something would happen to both those boxes – not inconceivable, given their proximity to each other – then all our banks internal telephone numbers in the Amsterdam area– could be disconnected, potentially even unrecoverable. In that situation, all 50,000 individual telephone lines would have to be reprogrammed and activated. To me, that was a real continuity risk, but this would not be surfaced in a normal BIA process. I am sure that similar continuity risks exist in all companies. Needless to add that this particular issue in our company has immediately been mitigated.

Maturity

In the past, BCM was done because we had to: because the Financial Authorities required it. An external consultant was contracted to do a ‘BCP project’ in the bank. The approach was ‘old school’, using thick template documents (about 50 pages for the BIA and even more for the BCP). Every manager was told to fill in these templates. Of course, the typical manager would call his secretary and ask her to fill it in for him. Once returned, the manager would flip through it but have little time or interest to read it. He would sign it, give it back to the consultant, who would report a status green and tick in the box (and the consultant was paid a nice fee).

The flaws with that system are obvious. That’s how I came onboard. When I started with BCM, I was responsible for the corporate and investment banking part of the bank in the Netherlands, an organisation of about 3500 people. I inherited 10 megabytes of zipped text file business impact analysis, and another 10 megabytes of zipped business continuity plans, and this massive stack of paper was the core or business continuity management at that point in time.

I flipped through these thousands of pages with text, but found it to be of very little use. There was hardly a single plan that made sense or could be used in a real situation. Metaphorically speaking, I believe that the best continuity plans are written by the business manager, who on a Friday afternoon, sitting back in his chair, looking out the window, simply thinks of what might happen to him, and how he should prepare for that. I have more faith in plans that are written on the backside of a cigar box by a manager, provided he understands what he’s actually doing.

How to approach BCM

Companies should approach BCM by linking it to the objective of the company. If you’re a bank, link it to delivering financial services. If you sell shoes, link it to selling shoes. BCM supports that core activity of the company, by developing a response to disruptions of any nature. By staying in control if unexpected things happen. This requires people that understand the business. I’ve seen many people in business continuity management that bring in experience from other areas – IT, Risk, yes even the Military. However, they are not bankers, and sometimes have little interest in banking. I think that is fundamentally wrong. A good business continuity manager must have affinity with the business they supports. The best continuity managers may therefore be people from the business itself.

About Willem Anne Hoekstra

MBA MBCI, joined ABN AMRO Bank NV in 1998. With a prior background in Finance and Management Accounting, he was responsible for different areas of Business Continuity Management in ABN AMRO for many years.

First being responsible for BCM in the bank's Dutch investment banking activities and in later years as Global Business Continuity Manager, he has built up extensive experience with, like Crisis Management, BCM planning and priorities, awareness programs, IT- and housing recovery and testing.

Willem Anne holds master level in Economics and Communication science, plus an MBA. He is currently working on a PhD research on the subject of Organisational Cultures.