Blog

Productive Paranoia and Business Continuity

business continuity management

One of my favorite authors, Mr. James C. “Jim” Collins, is an American researcher, author, speaker, and consultant focused on the subject of business management, company sustainability, and company growth. He has conducted some brilliant research published across several books such as “How the mighty fall,” “Good to Great,” “Built to Last,” and “Great by Choice.” In the latter title, he and his co-author, Mr. Morten Hansen, present their research that involves 20,400 companies and a set of tests to identify high-performers and uncover the recipe to become one. Their research uncovered that 7 of them not only slightly beat their competitors. 7 of the 20,400 were labeled “10X’ers”. They really thrived. Every 10X case beat its industry index by 10X or more. What were the common denominators for such a success?

Productive Pranoia

In his book, he illustrates his findings by telling the story of Mr. Roald Amundsen and Mr. Robert Falcon Scott and their race to the South Pole in 1911. Both expedition leaders had the same ambition, comparable experiences, and their preconditions was a nearly perfect match. However, a long story cut short (Spoiler alert! Read the book, it’s highly recommended. At least, read his article (i)), Amundsen led his team to victory and safety while Scott led his team to defeat and death. Mr. Collins and Hansen are explaining the vital ingredients to turn ambition into reality – your ambition of a successful company that will thrive 10X compared to your competitors and survive any scenario.

“Business Continuity Management is a natural extension of a risk management system – the more digitally integrated your different risk domains are, the easier it is to create a holistic BCM program.”

The Corona pandemic has impacted us all. Who would imagine this situation? Many business leaders are turning to operations, risk, finance, or IT, asking for a business impact analysis, a business continuity plan, and crisis management. Whilst, depending on the industry, many business leaders hardly know the concept of business continuity. For many business functions, it might be “business as usual,” but, overall, many organizations are experiencing a crisis due to loss of revenue caused by a disruption in the supply chain, market, or delivery capabilities.

To successfully achieve your ambition, Mr. Collins identified, among other things, three principles; “Fanatic Discipline,” “Empirical Creativity,” and “Productive Paranoia,” I found the latter to be highly relevant in the present situation. According to Mr. Collins, part of the answer lies in the behaviors of our leaders.

Mr. Amundsen asked his team many questions starting with the words, “what if.” To him, the importance of having a plan B, a plan C, and even a plan D for a range of different scenarios were vital. My favorite part is where he explains how Mr. Amundsen systematically built enormous buffers for unforeseen events.

When setting supply depots, Amundsen not only flagged a primary depot, he placed 20 black pennants (easy to see against the white snow) in precise increments for miles on either side, giving himself a target more than ten kilometers wide in case he got slightly off course coming back in a storm. To accelerate segments of his return journey, he marked his path every quarter of a mile with packing-case remnants and every eight miles with black flags hoisted upon bamboo poles. Scott, in contrast, put a single flag on his primary depot and left no markings on his path, leaving him exposed to catastrophe if he went even a bit off course. Amundsen stored three tons of supplies for 5 men starting out versus Scott’s one ton for 17 men. In his final push for the South Pole from 82 degrees, Amundsen carried enough extra supplies to miss every single depot and still have enough left over to go another hundred miles. Scott ran everything dangerously close to his calculations, so that missing even one supply depot would bring disaster. A single detail aptly highlights the difference in their approaches: Scott brought one thermometer for a key altitude-measurement device, and he exploded in “an outburst of wrath and consequence” when it broke; Amundsen brought four such thermometers to cover for accidents.(ii)

“To him, the importance of having a plan B, a plan C, and even a plan D for a range of different scenarios were vital.”

Amundsen and his team returned to home base the exact day they planned. Scott never returned. Eight months later, the frozen bodies of Scott and two of his team companions were found; just 12.5 miles short of his last supply depot.

The fascinating story of Amundsen and Scott is a motivating illustration of governance, risk, and compliance (GRC). The part I’m focusing on in this blog is about Risk Management and its sister-discipline; Business Continuity Management and Resilience.

Legislators have since the financial crisis in 2008 adopted regulations for Banking & Finance to ensure resilience in the market in case of unforeseen events, even systematic unexpected events. Some organizations have adopted best-practice Business Continuity Management (BCM) to ensure resilience in such circumstances. However, many organizations lack the capability of BCM and, unfortunately, are suffering in this situation.

Black or grey swans (iii)

Many will argue that the pandemic caused by the Coronavirus could not be predicted, and will classify it as a “black swan.” Politico Magazine posted an article(iv) recently where they claim to have predicted a pandemic, and that policymakers could have seen it coming. In light of this article, the Corona-pandemic will be classified as a “grey swan,” maybe even a white one. My point is that the color of the swan does not matter. What makes some companies different is that they account for one black, some grey, and many white swans to appear during a period – they plan for it – and they learn from it. An interesting observation when looking back at the SARS outbreak in 2003, is that the outbreak came in at least two waves(v) with two months apart. Are we prepared for another wave of the Corona pandemic? These are examples of what Mr. Jim Collins refers to as “Productive Paranoia.” And, just a personal comment – in risk terms, isn’t a pandemic an epidemic that comes with a lead time? And, vice versa, an epidemic is a KRI for a pandemic?

If you don’t have it, start building

Business Continuity Management is a natural extension of a risk management system(vi) – the more digitally integrated your different risk domains are, the easier it is to create a holistic BCM program. A business continuity management program is a requirement in a variety of regulations(vii) across industries and jurisdictions and is mandated and referenced in dozens of certification standards and best-practice frameworks(viii). It exists under different names and functions such as “Resilience,” “Disaster Recovery,” “Continuity Planning,” and more.

BCM is not better than the scenarios planned for, or?

Depending on whether your organization has a regulatory obligation, if your organization is seeking resilience, or a combination of the two, a well-known and recognized standard to base a holistic BCM program on is ISO 22301(ix).

“In risk terms, isn’t a pandemic an epidemic that comes with a lead time? And, vice versa, an epidemic is a KRI for a pandemic?”

Some will argue that implementing a BCM program is too ambitious and will not solve the majority of unexpected scenarios. As with risk management – and with black and grey swans, the purpose is to minimize as much of the unexpected as reasonable according to risk appetite and tolerance, as Amundsen did – build buffers for unforeseen events. Less important is the color of the swan – black, grey, or white.

Corporater is a provider of integrated software for holistic governance, performance, risk, and compliance (GPRC). Contact Corporater or one of our management consulting partners for more information regarding Business Continuity Management.

Download a PDF version of this blog.

References:

[i] https://www.jimcollins.com/article_topics/articles/how-to-manage-through-chaos.html#articletop

[ii] Collins, Jim. Great by Choice (Good to Great). Harper Business. Kindle Edition.

[iii] https://www.investopedia.com/terms/g/grey-swan.asp

[iv] https://www.politico.com/news/magazine/2020/03/07/coronavirus-epidemic-prediction-policy-advice-121172

[v] https://www.bis.org/publ/joint17.pdf

[vi] E.g.ISO31000, COSO, ISO27005, NIST RMF.

[vii] E.g. NCEMA 7000, BASEL, Solvency, BSA, NISD, EBA Guidelines GL 44

[viii] E.g. ISO22301, COBIT, ITIL, ISO9000, ISO27001, ISO20000, IEC 61508, 60300, 61804, ISACA G32, SAS 70, NIST SP 800

[ix] https://en.wikipedia.org/wiki/Cyber_resilience