Skip to main content

Article

Why Business Continuity Plans Fail

Many companies have risk management programs in place, but still fall short on several aspects that could undermine their ability to cope with a crisis.

Imagine you're the firewatcher atop the watchtower for your businesses. In the universe of risk today, how do you know which risks to look out for when new threats constantly come to the fore, while others might need to be deprioritised? 

Faced with clear and present challenges from an increasingly complex risk landscape, many medium and large organisations today are still playing a costly game of catch-up: The Marsh Risk Resilience Report found that only 24% of companies have a comprehensive process to anticipate emerging risks such as cyber risk and climate risk—two risks that could severely disrupt critical business value creation processes regardless of industry, sector or geography. Medium- and large-sized organisations typically have existing risk management processes in place, including the implementation of and maintaining risk scenario specific business continuity plans (BCPs). 

When the global pandemic started, many organisations invoked and executed their business continuity plans. But when the crisis escalated and severely impacted the global supply chain, the shortcomings of scenario-specific BCPs and their inability to withstand a prolonged impact were revealed. The ongoing shortage of semiconductor devices that has affected businesses worldwide across multiple industries was in part precipitated by the global supply chain disruption. 

In summary, many organisations that did not anticipate a worst case maximum probable loss scenario when developing and maintaining their business continuity and crisis response plans and programs. In turn, these organisations lacked integrated business continuity and crisis management plans that are agile, flexible, robust, and scalable—attributes that these plans must have in order to enable organisations to respond effectively to multiple known and unknown risk impacts over time.

Risk resilience challenges facing medium- and large-sized organisations

Despite their best intentions, managers, and business leaders commonly report facing inertia and friction when driving comprehensive and enterprise-wide risk management frameworks that encompass integrated business continuity and crisis management programs. The list below are some of the common challenges encountered by medium- and large-sized organisations that can often lead to ineffective risk and crisis responses:

Prioritising risks:

  • The risk methodology typically focuses on improving risk profiles based on risk controls and risk tolerance, and overlooks risks with potentially catastrophic impacts. For example, the recent MMB survey on People Risk revealed ‘blind spots’ including non-communicable health conditions, deteriorating mental health, and workforce exhaustion.
  • There is a common bias towards prioritising risk treatment actions to mitigate risks to tangible assets such as property. The potential impacts on intangible assets such as reputation and branding, as well as human capital, are often overlooked. (In 1975, tangible assets made up 83% of the market value of S&P 500 companies, according to merchant bank Ocean Tomo, with intangible assets such as intellectual property representing the remaining 17%. By 2015, those figures had reversed, with intangible assets making up 84% of the S&P 500’s market value.)
  • There is a tendency to overlook ‘grey rhino’ risks, which are lower probability risks that have significant impact over time (including an extended global pandemic and an extended supply chain disruption). These risks, such as debt crises and IT infrastructure breakdown, have been outlined in the WEF Global Risks Report, produced in partnership with Marsh McLennan, SK Group and Zurich Insurance Group.

Identifying and quantifying risk exposures:

  • Organisational silos make collaboration across the enterprise difficult during risk assessment exercises, often resulting in a failure to identify exposures.
  • There is considerable time lag between business continuity planning and program implementation to accurately determine exposure in a fast-changing risk landscape.
  • Where exposures have been identified, the prioritising of risks tend to be highly subjective when viewed through different roles and lenses from within the organisation.

Inadequate top management commitment and leadership; which often leads to the following:

  • Business continuity and crisis management objectives not aligning to important strategic and operational corporate objectives.
  • Insufficient and/or incorrect resources being allocated to ensure business continuity and crisis management plans—such as the conducting of drills to ensure organisational crisis response preparedness—are maintained and updated annually. Regular reviews of plans help ensure organisational response and recovery capabilities remain effective in mitigating both planned and unplanned risk impacts.
  • Risk management teams and committees lacking strategic guidance, often facing difficulty in identifying appropriate bespoke solutions such as risk transfer and risk allocation. For example, failing to prioritise business continuity and crisis management strategies and actions based on potential business interruption impact over time, pre-defined recovery time objectives, as well as dependencies on time-sensitive processes and/or other internal and external processes.

In a world when risks emerge faster than businesses can evolve and adapt, medium- and large-sized organisations need to resolve these challenges by taking a strategic and highly coordinated process-based approach to risk management and business continuity planning

Business Continuity Management: How to boost its effectiveness

Marsh can help your organisation improve existing risk management processes and business continuity plans for enhanced agility and resilience during crises.