When I recently visited Switzerland for the first time, I had expected to see packs of St. Bernards frolicking in the alpine landscape, dispensing brandy to lost hikers. Not so. The few St. Bernards one does see are just there for tourists to coo over. It made me wonder: how many businesses expect some kind of corporate St. Bernard to bound to the rescue in the event of a disaster? Like the brandy-bearing rescue dog, we would like it to be true but, sadly, it is not. Businesses need systems and plans in place to achieve a level of Business Continuity Management (BCM) appropriate to the organisation – big or small.
A common myth is that BCM only relates to unplanned physical or kinetic events leading to serious disruption to an organisation. These might include product recall (following manufacturing or supplier non-conformities), fire, flooding, extended power outage or breakdown of ICT systems due to significant hardware failure or malicious activities by hackers.
However, one other type of emergency is not always considered. Loss of reputation. Not so tangible but, potentially, just as much of a disaster waiting to happen. And reputation doesn’t just mean intangible things such as profile or marketing. It can mean reduction in tangible things such as share price or sales figures.
Reputational damage can arise through a number of scenarios. A significant breach of safety or environmental systems is another (just think of the fallout of the Deepwater Horizon incident and the aftermath for BP).
Another loss of reputation might arise from probity. It is sometimes said that the art of leadership is not about doing things right but, rather, doing right things. Ethical policies and behaviour are coming more to fore in many public and private sector organisations. This is due, in part, because stakeholders – including customers – expect right things to be done. Increasingly stakeholders don’t want to be involved with organisations that do not think it a priority to have systems in place to ensure ethical policies and practices are consistently followed rather than just spouted on websites and glossy presentations.
There are many ways to achieve this. One of the newest and shiniest tools in the kit is BS 10500 which is an Anti-bribery Management System (ABMS). It is in the same family of Standards as BS 25999 which has developed into ISO 22301 for BCM. Both work on a Plan-Do-Check-Act cycle and are process based management systems rather than compliance systems.
Reputational damage to an organisation can arise from allegations of bribery or fraud. The allegations don’t even necessarily need to be true for damage to be done. Trust and reputation are concepts which are hard to build up and easy to damage.
So, when devising a BCM system there should be adequate systems and resources in place to deal with emergencies and a plan for returning the organisation back to normal, all of which should be reviewed and tested. These plans should consider issues of probity. BS 10500 expects risk assessments to take place for anti-bribery and a part of this would be considering potential outcomes.
In particular, how would, say, a whistleblowing scandal be managed? How would key customers and other stakeholders be calmed? How in the senior team would deal with the media? Who would deal with the lawyers and enforcement agencies? If the Gold, Silver, Bronze command structure is put in place for dealing with major emergencies then this can work for major probity incidents too. In fact, it is arguably even more important.
In reality, with a proper BCM and ABMS there should be no need for corporate St Bernard dogs carrying copies of BS 10500 and ISO 23001 as well as the brandy! You would already have copies yourselves and implemented them.
There is currently an offer running in relation to the ABMS Documentation Toolkit and ISO 22301. By purchasing the toolkit, you’ll receive a copy of the eBook ISO 22301 A Pocket Guide for free. This offer ends at the end of July 2013 – so don’t miss out!