Are exit strategies defined, anyway? - Some reflections on Business Continuity

Ansgar Toscha
8 december 2015

Business Continuity Planning (BCP) and Management (BCM) are key when it comes to preparing for both known and unknown threats that have the potential to bring down critical parts of the business. Business critical areas could be IT-systems, employees with unique skills, key production sites, single source suppliers, IPR's or others and may - depending on the industry - span over one or a number of different parts of the business. Accordingly, analyses made (Business Impact Analysis, BIA) need to be comprehensive and structured to certainly identify the most critical areas that need to be covered by BCP and BCM.

The related ISO standards from 2012 define Business Continuity (ISO 22301 and ISO 22313) define as the "capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident" and give guidance on how to define, implement and continuously improve Business Continuity according to the Plan-Do-Check-Act-model.

Operational vs. strategic mitigation

Experience shows that the challenge for setting up an appropriate BCP is in many cases not the identification of critical business areas itself which is often discussed as a purely operational matter, but rather defining the right level of risk mitigation to prevent severe consequences of a disruptive event which at the end of the day often ends up in strategic discussions, which in turn makes the discussion more complex.

An example; a production site producing unique parts in a possibly politically unstable country might make sense from a labor cost and tax perspective but in the mid or long-term might expose the group to a higher level of risk of delivery problems due to e.g. social unrest, capital repatriation problems, sudden customs restrictions, or a natural disaster. Hence, to discuss BCP in terms of fences, sprinklers and firewalls to protect the operational functionality of the site is in this case not enough because even when the site might still be able to operate, it might become impossible to get the products out of the country. This adds a strategic dimension to the discussion and requires a plan B or even an Exit-strategy as a part of a full-scale BCP.

But is the organization really prepared for painful strategic (exit) decisions?

Are Exit-strategies defined, anyway?

From my view, Exit-strategies are often not seriously enough discussed and thought through as it would be necessary when it comes to investment decisions concerning manufacturing or supplier footprints, among other. That phenomenon indicates weaknesses in organizations' capability to set up and analyse worst case scenarios, both from a short and long-term perspective. Or simply, the scenario is clear, but the management is not willing nor has the time to discuss the worst case to its ultimate possible consequence.

But why is that?

Do YOU want to be the party-killer?

Let's stick to the example above. Making strategic footprint decisions are in most cases built on a business case that is the result of structured investment processes and ROI or NVA calculations. One-off disruptive incidents that some day may make all calculations obsolete though may pop up in the discussions but are often considered as low-likelihood events and therefore not worth to discuss in detail. So, why being the party-killer bringing up scenarios that hardly will occur? In these cases, perceived opportunities dominate the discussion towards decision making.

Negative vibes may be suppressed but management forgets that even low-likelihood events may hit you tomorrow.

Exit-strategies are an opportunity by itself

The world is full of examples where exits were done too late, or not at all, which in turn led to even worse disasters. Following ongoing discussions about disaster recovery, managing unknown risk like black and grey swans, it's time that mananagement teams get better in setting up and analyzing worst case scenarios. This includes that low-likelihood events are taken more seriously. This is an important condition that Business Continuity Plans deserve their name, and develop their full potential for the benefit of the business.