ADVISOR VIEW
Managing Business Continuity: Part 1
The cost of unplanned downtime is growing. What is your approach to disaster recovery and business continuity?
By Felipe Alonso, Risk and Advisory Services, KPMG
Faced with rising exposure to new risks and declining tolerance for disruptions to operations, many organizations are evaluating their ability to respond to crises and mitigate future risk. These companies want to protect their employees, and they understand that the ability to perform and satisfy customers is fundamental to sustaining competitive advantage.
The case for implementing a risk management strategy has always been compelling. If disaster strikes and an organization can't recover in a timely way, the consequences can include loss of revenue, defection of customers, deterioration of brand equity, and permanent loss of shareholder value. Researchers with KPMG say 40 percent of businesses that suffer a disaster go out of business within two years.
As the economics of information, globalization, and technology continue to change the nature of business worldwide, the traditional approaches to business continuity no longer address a widening array of threats. Traditionally, organizations planned for natural or man-made disasters disrupting production, distribution, and data processing capabilities at a single facility. These threats are becoming more frequent, and their impact is growing.
Simultaneously, threats to information assets are becoming significant for enterprises of all sizes. Computer viruses, information security issues, software quality, inadequate data storage, complex technology architectures, and ineffective information asset management practices can open the doors to a catastrophe with the same business impact (if not more severe) as that posed by a physical threat.
Moreover, traditional approaches are reaching the end of their life as standalone solutions. Organizations increasingly operate in multiple locations and depend on information systems. Business processes are carried out in real time, so a disruption has consequences along an entire value chain. The effects of downtime are measured in hours or even minutes, instead of days, and organizations' tolerance for it is decreasing. According to KPMG research (figure 1), 24 percent of organizations say more than 2 hours of downtime is unacceptable. An additional 48 percent say they can't tolerate more than 24 hours of downtime. A capabilities gap has developed, and is widening, between the cost of downtime and the effectiveness of traditional response mechanisms.

Figure 1: A widening capabilities gap -- The effects of downtime are now measured in minutes and hours, and not being able to cope is becoming more costly.
In this environment, preparing for disasters must become part of a larger effort to mitigate risk. Instead of responding to particular events, organizations need to focus on maintaining operations in spite of any event. Thus, the key question for leaders is no longer, "How do I respond in the event of a crisis?" Rather, organizations have to ask, "How do I manage risk so that I'm always there for my customers and other stakeholders?" The answer, and the challenge, is to implement a strategy that takes into account the totality of risk, ensures the welfare of people, and balances the costs of risk management with the opportunity cost of not taking appropriate action. Answering the challenge will result in a successful defense against disasters as well as other benefits with strategic payoffs.
This series of articles from KPMG on business continuity examines the variety of issues that organizations face today. It introduces a framework for managing the risk of disasters in the context of managing the continuity of the enterprise from an information asset perspective. It also discusses a process for implementing a chosen business continuity strategy, integrating it with organizational strategy, and capitalizing on opportunities to achieve and sustain competitive advantage.
The current environment
Efforts to manage unforeseen circumstances that render assets useless and disrupt operations have been a management priority at leading organizations for decades. For example, in the 1960s when American Airlines developed SABRE, the widely used airline reservations system, engineers took great care to ensure the system's reliability. They also kept a standby computer in the event that an outage affected the primary computer running the system. SABRE succeeded while competing services failed, in large part because of American Airlines' innovation, but also because of the reliability of the system.
Prudent organizations maintain and test plans for responding to possible catastrophic events. However, the effects of numerous global trends, and the risks that arise from them, are prompting leaders to question the adequacy of their current capabilities. Indeed, although more than 60 percent of companies have corporate-wide disaster recovery plans in effect, KPMG says, almost 70 percent say they failed to meet all disaster recovery objectives in their most recent interruption.
At the same time, emerging technologies are enabling new risk management strategies that were cost-prohibitive just a few years ago. Appreciating these forces will lead to a wider view of risks and ultimately a broader approach to managing business continuity.
The emergence and growth of information-driven extended enterprises
Organizations are rapidly evolving from manually operated standalone entities to information-dependent extended enterprises. For these new entities, information facilitates competitive positioning, value chains depend on the timeliness of service, and supply chains are technology-dependent. Trends contributing to this evolution include initiatives common in most industries: enterprise resource planning, customer relationship management, supply chain management, mergers and acquisitions, outsourcing, alliances, and e-commerce. Internet-based service suppliers and the globalization of business models are also key factors.
Virtual extended enterprises are an emerging feature of e-business and collaborative commerce. Whereas customers traditionally dealt with their banks through human-operated channels or ATM networks, they can now gain access through online as well as offline channels, and several players have a hand in delivering services.
Extended enterprises present special challenges to how leaders will manage business continuity. Traditionally, an organization would write disaster recovery plans for critical processes and applications. As infrastructure becomes more complex, however, organizations need to consolidate and streamline their contingency planning practices. Moreover, they need to focus on mitigating risk, and assuring customers, partners, and other stakeholders of the availability of information assets.
Many companies agree that information assets, and the complex extended enterprises they enable, are changing the nature of competition. Leaders increasingly appreciate that these assets are also exposing organizations to a new set of risks in the virtual world.
An important consequence of these changes is that the flow of information is no longer connected with the distribution of physical objects. As a result of immense capacity to share information electronically -- across the Internet, wide-area corporate networks, wireless networks, and other media -- the link between information-based, or virtual, processes and physically based processes is dissolving and becoming more complex. Consequently, value chains are dividing into two interdependent streams: one consisting of processes in the physical world, and the other made up of information flows in the virtual realm. Leaders responsible for evaluating and developing future business continuity strategies will have to focus on this division and its potential implications. Ensuring the usefulness of both physical assets and information assets -- as well as protecting the people that are central to both -- will be critical to creating and sustaining competitive advantage and business continuity. Figure 2 shows how organizations can map themselves based on the value and complexity of their information assets, their organizational complexity, and their links with business partners.

Figure 2: The rise of information-dependent enterprises -- The value and complexity of a firm's information assets rise proportionally to its organizational complexity and the sophistication of its collaboration with business partners.
In short, information assets are driving organizations toward networked business models. Such models let organizations create and sustain increased value, but the risk of unplanned downtime becomes more significant.
The paradigm shift
The links between physical and virtual assets will have ramifications for how leaders assess the true cost of unplanned downtime, evaluate their exposure to risk, and set an agenda for management action. Unplanned downtime is estimated to have cost businesses worldwide approximately US$1.6 trillion in lost revenues alone in the year 2000. That number will climb as downtime is increasingly assessed in terms of how it affects both physical and virtual links in the organizational value chain.
Emerging approaches to business continuity have to take into account the extent to which organizational value is now embodied in information (and information-based, real-time processes) as well as physical assets. Real-time capabilities make processes more efficient and predictable, increasing an organization's capacity to take on new value-adding activities and improve customer satisfaction. As business processes move closer to real time, the cost of downtime goes up -- in part because its direct financial consequences become greater. But the more significant issue is the impact of downtime on customer satisfaction, efficiency, reputation, and shareholder value, and the domino effect that problems in these areas can have on profitability and market share.
Assessing the cost of downtime in a broadened context often leads to a new appreciation of the risk of disaster, and whether an organization should measure its exposure in terms of its tolerance for downtime or its need for availability.
Traditional approaches to managing business continuity emphasize recovering from a disaster before a predefined amount of time elapses. The availability-based perspective (table 1) focuses instead on ensuring that the organization will always be able to produce an output or reach some desired conclusion when it needs to do so.
| | Traditional | Emerging |
| --- | --- | --- |
| Focus | Minimizing the financial impact of disasters | Ensuring financial continuity, customer satisfaction, and productivity despite a catastrophe |
| Approach | Recovery from single episodes of prolonged downtime | Business-driven continuous availability through management of information and operational risk |
| Risks | Low-frequency, high-impact disasters | Traditional threats to physical assets and emerging threats to information infrastructure |
| Benefits | Recovery of degraded service levels 12 to 72 hours after a disaster event | Up to 99.999 percent availability of critical infrastructure as well as performance improvement |
| Enablers | Documented plans relying on after-the-fact recovery | Emerging technologies and operational excellence |
Table 1: New ways -- Business continuity management practices are evolving toward an availability-based perspective.
Determining what degree of availability is most appropriate within its business model is an important step for an organization, as discussed in the next installment of this series.
Be sure to check out part 2 of this series on business continuity.
Felipe Alonso is a partner in KPMG LLP's Risk and Advisory Services practice. He has more than 30 years of experience in technology, systems performance measurement, and e-business strategy and risk management. Over the past 10 years, Mr. Alonso has been mainly focused on the public sector both in Puerto Rico and more recently (past four years) in Washington, D.C.
He is a Professional Engineer (PE), a Certified Management Consultant (CMC), a Certified Systems Consultant (CSC), and a Certified Business Continuity Professional (CBCP). Mr. Alonso is a member of the Contingency Planning & Management Editorial Advisory Board, and of the Disaster Recovery Institute. Mr. Alonso is the former chairman of the board of directors at the Puerto Rico chapter of the American Red Cross.
ARTICLE INFO
Web Edition: 2002.01.25, Doc #09278
Keyword Tags: Backup, Business Strategy, Collaboration, CRM, Customer Service, E-Business, E-Business Management, IT Strategy, KPMG, Management, Operations, Performance, Security, Strategic Planning, Strategy, System Management, Tech Management, Technology Management, Wireless