DISASTERS (natural, environmental, man-made, accidental and deliberate) have dominated the news recently, so much so that FDs are obliged to re-focus and concentrate on their disaster recovery and business continuity plans.
I believe the FD’s role extends to protecting the business in all circumstances, and we are obliged to take a leading role in this duty. This is true even in those organisations that employ a senior risk officer (a worthy successor to the health and safety overhead).
Although I take a pragmatic and philosophical view of serious disasters, after having been caught up in New York at the time of the 9/11 attacks, I am certain that disasters in some form are highly likely to afflict even the highest quality and best prepared organisations, and the threats to business continuity are constant but often naïvely ignored. Cyber-attacks, which merit their own field of specialist study, have become a form of sophisticated warfare and institutionalised sabotage.
Recent examples include when the BBC websites were brought down by a distributed denial of service attack by a group opposing Islamic State, and HSBC lost its online banking service for two days. Other cyber-attacks have hit TalkTalk, Home Depot, Staples, JP Morgan and Sony Pictures on a monumental scale. So none of us are immune, but some organisations continue to be complacent, such that their DRPs are disasters themselves.
In my own organisation, I am personally responsible for leading the disaster recovery team which meets quarterly to review our contingency plans, and I report the status to the board as a standing item.
I have agreed with the board our Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), and I pander dutifully to one board member (who knows everything about everything) in his belief that these were his original ideas. One of the ways the team stays engaged is to do a scenario audit, usually as a roundtable exercise. The latest example assumed that no-one could travel around London or communicate via mobile networks as a result of a terrorist incident, and it showed us how little control of our own destiny we have when faced with anything other than relatively minor incidents.
At a less dramatic level, the most likely events are rather mundane and usually take the form of power outages and IT failures, but FDs should take these very seriously in a business continuity context. As our economy’s dependency on IT, big data and electronic communication grows exponentially, our protection measures are not keeping pace despite the growing industry of specialist suppliers in this field. I doubt that the assumptions made in deciding whether to fund, for example, a hot standby facility are universally robust and not everyone understands well enough the risks inherent in using the Cloud. However, the IT plan is only one of several within the overall DRP; it should never be left to the IT team alone, and risks to the integrity of accounting and finance systems are abhorrent to most FDs.
The processes of risk management, business continuity planning and disaster recovery planning have a habit of exposing a number of weaknesses that might otherwise be less obvious. Some of these can be insured against; some can be mitigated by management practices; but others may emerge as contingent liabilities so large and unquantifiable as to threaten the very existence of the business.
It would be pointless and laughable to make financial provision for these potential liabilities, but in not doing so we are faced with a dilemma: What value do the accounts have if we do not make adequate provisions? I can see similarities between this and the highly misused but little understood FRS17 pension standard with which we created a national time-bomb liability despite many experts rejecting its underlying logic. Let’s not go there; let’s be prepared instead.
The SFD spent some of the warmest and wettest December since records began in 1910 at a CFO network event in Reading, and thankfully avoided the floods but did not miss the worst New Year start for the Stock Exchange.