Voluntary Preparedness Certification: A View from the Stakeholders Seats
(By Chris Duncan, The Conference Board, May 2008)
On August 3, 2007, President Bush signed into law Public Law 110-53. This law, known as "Implementing Recommendations of the 9/11 Commission Act of 2007", was created as an opportunity to establish guidelines and systems to enhance crisis preparedness of America's private sector organizations (the Federal 9/11 Commission reported that 85% of the nation's critical infrastructure is under the ownership and control of the private sector). The law was enacted on the premise that it is in the nation's best interest that private sector organizations have some proven, independently verified level of organizational preparedness and resiliency, as measured and reported upon by this voluntary certification program, to further the nation's ability to operate and recover during local, regional and national emergencies from whatever source - natural disaster to further acts of terrorism. The law provides an opportunity for private sector organizations to achieve a certification which would include verifiable elements of:
The purpose of this article is not to explore the inner workings of the law, the certification itself (which is still undefined), or how and when it is likely to be implemented (still under development, and already beyond the deadlines specified in the law). This article assumes that the certification process will be in place and implemented, and explores how voluntary preparedness certification might be viewed by interested internal and external parties alike. Assuming that the certification is in place, what is the business value? Why do it at all? Who will use the certification, and for what purposes? Who will ask questions? Who will care?
Three broad categories of stakeholders will assign some value to certification, and each will use it in a different manner. The three broad categories of stakeholders are:
All three of these stakeholder categories have one thing in common - the voluntary certification provides an independently verifiable "signal" to interested parties of a material change in the organization's risk profile, and indicates a measure of organizational resilience that each finds value in. This concept of "signaling" is a common one in corporate America - companies send "signals" constantly, communicating to the marketplace, hopefully in a transparent and legal manner. A "404" material weakness finding in your financial statements signals to investors that there may be additional uncertainty in the financial controls and reporting accuracy of a company, and therefore reliance upon the financial statements should be reviewed. The hiring of a high profile executive and subsequent press release signals to investors that new ideas and capabilities have been added to the leadership team, and may signal future business intent. A warning on sales trends as part of earnings guidance tells investors that future earnings might not be as robust as in the past. The announcement of an acquisition or joint venture in a new market area signals that the company's business strategy is changing. The company that receives a voluntary preparedness certification is signaling to interested parties that the organization has a certain minimum level of organizational preparedness and resiliency in the face of many risks. There are many parties that have a vested interest in this externally verified capability.
Stakeholders in Corporate Governance and Oversight
A voluntary certification by an independent body provides members of the company's board of directors the opportunity to validate, via external means, that management is addressing certain risks and that the organization has some appreciable level of organizational resilience and response capabilities to operational disruptions from many sources. Boards, in particular their audit committees, typically are responsible for overseeing that management has sufficient capabilities and processes in place to effectively manage the business, and the risks, of the organization. Having an external preparedness certification measured against some national standard is very helpful to a board in validating that management has addressed, at least in some verifiable manner, a subset of the risks (and needed responses) of the organization, and is one data point for helping to satisfy their legal accountability. A voluntary certification could be useful as a defense in claims against the company and the board if the failure of a response plan results in material loss to shareholders (duty to prepare). The risk, insurance, BCP or security manager (collectively, a "risk manager") that is leading BCP/crisis planning and response often has difficulty in showing a board that the organization has the right capabilities and plans in place - the board has neither the time nor the bandwidth to delve into the extensive plans or risk strategies a company might have in place. Having independent verification by outside experts is likely to be viewed as additional "oversight" comfort without having to invest significant amounts of finite board time in reviewing detailed plans. The company that cannot tell its board that it has received and surpassed the standard, as it is ultimately promulgated, may be placed in the awkward situation of explaining "why not?"
Given that most large companies have sophisticated BCP and Crisis Management plans that will likely far exceed the standard, this may be more of a "check the box" opportunity for the risk management professionals, but they should not underestimate the need for the board to cross-confirm what management is telling them via this external validation. The certification provides another data point that the board and the C-suite can use as a validation of certain management effectiveness, and as this voluntary certification process becomes more widely known and reported in the media, management can expect questions and inquiries from audit committees, CEOs, general counsels and other senior executives. Internal and external auditors are likely to use this voluntary certification process as a verifiable, external standard to measure the effectiveness of overall organizational resilience relative to management effectiveness, and as one element of proof of effective internal controls (such as in SarBox 404) in Business Continuity Planning, Crisis Management, and overall risk management effectiveness. This verifiable, testable, documented certification is exactly the sort of defined standard that makes reviewing this area of management accountability and controls much easier - no longer do auditors have to send in a junior accountant, who has little experience in risk management programs, to ask what a company's BCP and Crisis Management plans are, and ultimately make a very subjective evaluation of their effectiveness. With this certification in hand, it is likely that the auditing profession will rely, at least in part, upon this national, externally validated standard for determining if effective controls are in place in this important management area.
Where does voluntary certification fit into a successful Enterprise Risk Management (ERM) program? ERM typically includes the far reaching organizational ability to scan the horizon looking for risks from all quarters, prioritizing them, and putting in place systems, cultures, controls and response plans to address the key ones as best you can with the finite resources available. Unfortunately, in spite of the plethora of ERM standards floating around, ERM does not lend itself to a nice neat box of standards to measure against, but having a voluntary certification for preparedness is a valuable external validation of organizational preparedness, an essential element in any robust ERM program.
The smart risk manager will use the voluntary certification as a comfort factor in communicating upward and outward to various governance and oversight stakeholders on the effectiveness of organizational resiliency, and use his or her limited time to focus the C-suite and/or the board on the exceptions and key improvement areas. Likewise, expect risk managers to use the certification process as a means to rally the organization around achieving this public certification - the goal of achieving voluntary preparedness certification can be used just as effectively as a rally point as achieving a VPP Star facility award is to OSHA.
External Validation for Other Stakeholders
There are many other external stakeholders that have an interest in whether or not a company is prepared for organizational risk and response. Shareholders, institutional investors, and credit rating agencies, just to name a few, have a strong interest in understanding how "at risk" future cash flow is and how well it is protected from avoidable disruptions. An external validation of organizational resilience is likely to be viewed as reliable data that there is less risk of future cash flow disruptions from various (operational) risks. A voluntary preparedness certification could be construed as a market "signal" that the company has achieved a certain level of organizational resilience, and therefore has a higher likelihood of absorbing surprises and crises while continuing to deliver on the business objectives. All things being equal among companies in similar businesses with similar capital structures, management, product, etc., the one with a higher degree of resilience (or a lower likelihood of organizational disruption) would be a better investment and have a higher degree of operational cash flow certainty (a positive for credit rating agencies).
For example, in Standard & Poor's "Request for Comment: Enterprise Risk Management Analysis for Credit Rating of Non-Financial Companies" (November 15, 2007), S&P proposes to integrate ERM analysis into the evaluation of a company's overall business profile. Why? "Companies with superior ERM should have less volatility in earnings and cash flow, and will optimize the risk/return relationship". They further note that the combination of ERM management practices (which includes the very capabilities included in voluntary preparedness certification!) is "fundamentally consistent with the underlying nature of credit ratings". S&P reinforces the concept of signaling by saying "ERM also provides a new and clearer language for transferring information about management's intentions and capabilities, which are critical to credit evaluation…although we do not expect ERM to eliminate losses, firms with good ERM should not only have smaller losses in adverse times, but also rebound more quickly from those losses." One of the more telling statements in this request for comment is "we will look for firms to show that they are practicing emerging risk management in expectation of negative events, and will also look for the results of such planning during and after adverse events." It sounds an awful lot like organizational resilience, crisis management and response capabilities are going to be a relevant issue of fact for at least one rating agency, and other rating agencies are exploring the integration of ERM into their rating systems.
The Social Responsibility movement has caused companies increasingly to provide disclosure on how good a citizen a company is for its people, the community and the world in which it operates. Corporate Social Responsibility often focuses on community involvement, sustainable use of resources, environmental responsibility, the support of diversity and corporate responsibility to its employees and customers. The Department of Homeland Security noted in the Voluntary Preparedness law that private companies control over 85% of the key infrastructure (utilities, telephony, food, medical care, etc.) essential to the societal risk management response to crisis. The voluntary certification initiative is a recognition that crisis and humanitarian response is a function of public and private entities, including: (1) government (FEMA, National Guard, Coast Guard, many others); (2) social "net" systems such as non-profits (Red Cross, religious organizations, and volunteer groups); and (3) the business community. If your organization is part of the critical infrastructure of the nation, or a key player in humanitarian response in the midst of a local, regional or national disaster, not having a voluntary certification might be construed as a major weakness in an organization's "face" in the local community and on the world stage. When others rely upon your company for their survival or recovery and you fail in your obligation to be there for them, and they are harmed accordingly, the societal response is likely to be swift, negative, and public.
This brings us naturally to the impact of having a voluntary certification on public relations and public perception. In the event of a crisis directly involving your company or if your company's response effectiveness is critical to dealing successfully with a public disaster, your actions, even if they are effective, will always be second guessed by your employees, the public and other stakeholders. "Public" second guessing comes in many forms -- the media, local, state and national governments, your shareholders, your employees and others. Unfortunately, even with a "certified" plan in place, bad things happen in the world and the response plan may not always work as intended, so if your response is perceived as inadequate, being able to say that one has met a certain standard promulgated by the government, verified by a third party, may be a reputation risk mitigation asset that can help deflect some adverse impact on your company's reputation. This "deflection" point may also be useful as a defense in the courts if legal action results from a disaster and a company's failure (or perceived failure) in response. There is a reasonable likelihood that plaintiff counsel will bring up your lack of certification when an event occurs that impacts others, and your response is perceived to be inadequate. Most corporate defense counsel would rather have an externally validated preparedness certification to use in your defense! If you already have a great BCP/Crisis Response program, why wouldn't you want to have an external validation?
Employees also have a significant stake in the company's future. An external certification gives employees increased confidence that the company is prepared for issues that can affect their livelihoods and their personal ability to survive a catastrophe. The employee's well-being and the company's well-being after an event are intertwined. A company cannot recover from a crisis without employees, and without the employees' immediate needs being met, and therefore an effective BCP/Crisis Management plan will address employee needs. If you fail to have an effective response plan for employees affected by an event, you are almost certain to have significant employee morale and turnover issues, and you most certainly will not be able to recover your business as fast as you would like. Any additional sense of security a company can provide to its employees, in the uncertain and increasingly hazardous world in which we live, is an intangible benefit to the employee that can pay long-term employee relations dividends.
Insurance companies have a stake in understanding an organization's resilience to loss, insuring property, business interruption, extra expense, lost profits and other risks of the organization. The voluntary certification is a helpful signal to this stakeholder as well. Based on my experience as a former chief risk officer and now as an executive in the insurance industry, it is likely that the voluntary certification will be used not necessarily as a direct discount on insurance, but as a subjective factor in an insurer's desire to insure certain risks, or as a subjective element in pricing. For example, faced with two mid-sized manufacturers with similar plant, equipment, and revenue, which one would you rather insure for business interruption, the one with or the one without a voluntary preparedness certification? Insurers with hundreds if not thousands of business customers don't have the time (or the personnel) to review in depth each and every BCP plan, particularly for small to mid-sized clients. You still might insure both clients, but you might give more of the benefit of the doubt (and pricing) to the certified company.
In Directors and Officers liability insurance for public companies, for example, a high corporate governance score in the Institutional Shareholder Services ISS Corporate Governance Ratings gives the high scorer a leg up on getting better coverage and less costly D&O insurance in the hands of an effective broker and risk manager (all else equal), but it doesn't mean that a low scorer won't get covered - the underwriter will just look at the low scorer with greater scrutiny. Larger companies with professional risk managers will use this voluntary certification as a differentiation vs. competitors in their industry in competing for favorable insurance terms and expanded capacity. The net (positive) conclusion of certification is it is likely to be a subjective advantage in insurance negotiations, but don't expect to see scheduled discounts on your business insurance like having an alarm system in your home or airbags in your car.
Customers, and Competitive Positioning
Voluntary certification is likely to be viewed by customers as evidence that you have achieved a certain level of organizational dependability and resilience they can rely upon. A strong argument can be made that a voluntary certification is likely to be viewed similarly to a "SAS 70". A "SAS 70" is a report issued by an auditor that independently assesses and reports on the internal controls of a service organization, so that its customers can reasonably rely on the service provider's information or service meeting certain standards in order for the receiving company to prepare its financial statements. Typical service organizations subject to SAS 70s are those outsourcing services that impact the control environment of their customers, such as insurance and medical claims processors, trust companies, data centers, application service providers (ASPs), credit processing organizations and clearinghouses. These service companies obtain "SAS 70s" in order to be reviewed and audited once by an independent auditor that evaluates against generally accepted standards, and to avoid having all of their customers' auditors review them individually, which could be a crushing administrative burden. A supply chain executive that wants to know whether a supplier has a certain level of organizational resilience in delivering goods and services might find this certification quite valuable, as it eliminates the need for each "purchasing" company to audit or review each and every supplier's BCP and Crisis Response program, and for the supplier to respond to each and every BCP request. In effect, it standardizes company-specific purchasing standards for documenting suppliers' risk management and BCP capabilities, simplifying interaction with your customers, and contractual compliance.
It is possible that a voluntary certification could be a competitive advantage in the marketplace. If two companies have the same price and quality, but you have demonstrated via the certification that you are more likely to be a consistent supplier in the face of potential disruptions and your competitor cannot, the rational supplier choice is to choose the more resilient organization, particularly if your good or service is a critical component or service in your customer's ability to generate revenue.
The Impact on Small and Mid-Sized Businesses
While the advantages of certification are substantial, achieving a certification within a small to mid-sized company is also highly likely to represent a substantial investment of work and resources, particularly for those that have no plan in place to start with. A disturbing survey of 200 small and mid-sized businesses in New York, conducted by NYU and the Center for Catastrophe Planning and Response, indicated that only 25% of surveyed businesses had a formal preparedness program in place. While the data is sparse, it is reasonable to assume that outside of New York, where disasters and catastrophic events are still top of mind for all business owners, an even smaller share of small to mid-sized businesses have any preparedness plans in place.
Why don't more companies, especially those at the epicenter of 9/11, have more formal plans in place? The major reasons given were lack of information on how to prepare (46%), lack of financial and staff resources (41%), lack of expertise on how to prepare (32%), and absence of a strong business reason (26%). Increasing organizational preparedness and achieving a voluntary certification goal, however defined, requires a certain scale and investment of resources within an organization in order to develop the plans, test the plans, and document the plans, all essentials in order to meet the likely certification requirements. Larger companies have more specialized management and resource teams, and often have professionals with extensive backgrounds in business continuity planning, risk management, security and employee response to lead corporate efforts. These specialized resources are needed because larger companies' efforts to have robust organizational resilience programs in place are complicated by the increased complexity and scope of extensive operations and geographic diversity, and they must have this depth of talent and resources to manage that complexity. Smaller companies might have more contained operations, or more centralized assets and risk issues to consider, but they also have less scale to invest, more generalists in leadership positions without the specialized "risk" knowledge that larger companies enjoy, and typically less discretionary project resources. Just keeping the lights on and meeting payroll is typically the challenge in smaller companies, much less thinking about long term organizational resilience programs. Having a good crisis management plan is a substantial management investment that larger companies might have greater scale to invest in, but it still remains a challenge for smaller to mid-sized companies to accomplish unless required to for competitive reasons, or for regulatory reasons.
It is likely that smaller and mid-sized companies will initially be reluctant to adopt the voluntary certification program due to these resource constraints and potential intimidation by the work that needs to get done to achieve certification. One way to overcome this obstacle is to have easy-to-use and cost effective planning, implementation, testing, and documentation tools, and supporting "help" networks and resources, for small to mid-sized companies to engage to reach this certification. Given how important the small to mid-sized business community is to the economy, and the national resilience capability, this has to be addressed. For small to mid-sized companies to fully adopt this voluntary certification, the marketplace will need to deliver affordable and easy to use Preparedness/BCP/Crisis Management tools and services that can be delivered in a scalable manner (i.e. to thousands and tens of thousands of users).
Similar to Newton's Law that objects at rest will stay at rest unless acted on by an outside force, most smaller and mid-sized businesses will take a "wait and see" attitude while larger companies move to have their existing programs certified first, unless required to as part of a supply chain selection strategy. One can reasonably expect the early adopters in the small to mid-sized realm to be companies that are "strongly encouraged" to have the certification by their major customers - when the Fortune 500 require this certification as "entry to the game" as an approved supplier, then the market demand for this certification will grow in the small to mid-sized business realm. However, the major purchasers are not going to impose the need for certification unless they are confident that achieving the certification is not an undue burden on their business partners. Having the right tools in place, as noted above, will make it easier for the business community to "get in motion" towards this increased organizational and national resilience outcome.
In summary, there are many business reasons why a company may want or need to be certified. Having an awareness of stakeholders' motivations and interests in a voluntary preparedness certification is essential to being able to respond effectively to this new law, and to those stakeholders that will inquire about it. Effectively used, it can be an asset to help those charged with increasing organizational (and national) resilience to accomplish their mission. However, small and mid-sized companies will be slow to embrace this certification unless those in the supply chain provide the economic motivation, the standards are clearly defined, the process is not an undue burden, and inexpensive, easy to use tools and resources are delivered by the marketplace to help them through the process.
Chris Duncan, McCart's Chief Operating and Financial Officer, has a varied career in diverse companies (entrepreneurial and large public companies), with leadership positions in senior management, finance, operations, risk management and insurance, as well as on boards of for-profit and not-for-profit entities. The Atlanta, Georgia based McCart Insurance Group is a privately held property casualty, benefits, and HR outsourcing company serving medium to large companies across the US, and is Georgia's only Assurex Global Partner.
His background includes Chief Operating Officer of a public company in the alternative energy arena, Managing Director of Marsh in Atlanta, Georgia, the airline industry's first Chief Risk Officer at Delta Air Lines, and multiple positions within the PepsiCo companies of Frito-Lay (Dallas) and KFC (Louisville, KY). He started his career at Ford Motor Company in Detroit, Michigan and also held early career positions in consulting with Coopers & Lybrand, and Towers Perrin.
Active in the community, he also is the Vice Chairman of "Open Hand" (Atlanta based meal delivery non-profit delivering over one million meals annually in the Atlanta metro area to the disadvantaged, sick and recovering needy of the area), and board member of The American Geographical Society, the nation's oldest professional geography organization, based in New York.