. 35
( 131 .)


likely that the scenario in the UK would be similar in other parts of the world.
While the latest LCCI survey found that 41% of firms had a contingency plan,
the figure fell to just 29% among firms with fewer than 20 employees.
Comparatively, among firms with 20 staff or more, the proportion with contin-
gency plans is 57% (LCCI, London Business Leaders™ Panel, May 2006).
The LCC considered research by Axa Insurance and Henley Management
College which found that 76% of SMEs had not ˜reviewed business approaches™
since the July terrorist attacks. The report concluded: ˜Despite growing awareness
of the problem, UK SMEs appear to have failed to be stimulated into action ¦
With fewer resources to withstand the business impact of a major incident than
larger firms, under-prepared SMEs expose a significant vulnerability in terms
of their own survival, and the consequential impact on their employees, their
customers and their suppliers™ (Axa Insurance/Henley Management College,
December 2005). According to Professor Jean-Noel Ezingeard of the Henley
Management College: ˜Too many of Britain™s SME managers bury their heads in
the sand when it comes to continuity planning. The fact that 40 per cent of
businesses suffer a terminal failure as a result of an incident proves that more
needs to be done. Continuity planning can be a simple, practical measure
whereby senior managers ask a series of “What if” questions, and for most busi-
nesses, the only cost to the business will be their time. A lot of SMEs tend to
focus on the day-to-day aspects of the business but never look at risk control ¦
Firms can have robust contingency plans with only a small amount of carefully
directed effort.™
In addition to the size barrier, the LCCI™s research found that there are also
differences in business continuity management take-up rates between sectors.
Some 52% of professional services firms, 50% of transport operators and 49%
of ˜other services™ firms have contingency plans but just 34% of manufacturers
and only 21% of retailers said they had a contingency plan.
In the UK another critical barrier to adopting contingency plans is that gov-
ernment advice is provided through government agencies which are not the
points of contact or sources of advice that SME company directors tend to util-
ise. Accurate and timely information from government is a vital aspect of effec-
tive business resilience. If the government™s civil contingencies messages are
only being communicated to a small section of the business community then
this could have very serious ramifications for the resilience of UK plc.
A recent survey by the Federation of Small Businesses found that only
4.4% of SME company directors take business advice from government-funded
business support organisations and just 1.1% seek advice from central govern-
ment bodies (such as the DTI or the HSE). By comparison, directors were much
more likely to take business advice from their accountant (53.7%), their solici-
tor (28.4%) or their bank (8.7%). In fact, company directors were almost six
times as likely to take advice from a trade association, and twice as likely to
seek the opinion of their local tourist board, than from the DTI.
In the UK the LCC has found that another barrier is the nature of the advice
itself. While guidance from policy experts in Whitehall may be thorough and
comprehensive it tends to lack grounding in the realities and constraints of
Chapter 8 “ Business interruption and risk management 167

running a business. For example, the Cabinet Office™s Pandemic Influenza Check-
list for Businesses, 2006 recommends businesses assess their preparedness for a
flu pandemic with reference to 30 tasks or activities. However, 21 of these tasks
require a significant input of time and a further seven, such as more frequent
cleaning of business premises or enhancing mail ordering facilities, represent
considerable extra costs to businesses. Three of the tasks “ finding up-to-date pan-
demic advice, reviewing a communications plan and testing contingency plans “
must be regularly repeated and revised, representing ongoing obligation upon
businesses. The Cabinet Office should also ask itself how practical or realistic
it is to ask SMEs to ˜establish policies for reducing the spread of influenza at
the worksite [by] promoting respiratory hygiene and cough etiquette™ or to
always ˜ensure that communications are culturally and linguistically appropri-
ate™ (Cabinet Office, Pandemic Influenza Checklist for Businesses, 2006).
In order to engage business proactively the LCC has stated that it is import-
ant to ensure that communication with business is practical and fit for purpose.
Departments and agencies should make advice focused and relevant and avoid
trying to use contingency advice to meet other policy objectives, not least
because to do so suggests that the government has failed to grasp the serious-
ness and scale of the threat to business.
Efforts to increase levels of business continuity management must also be
targeted at the right audience. Research has shown that “ as with most areas of
risk management “ contingency planning within firms is a direct result of com-
mitment from the highest levels of management. According to the Henley
Management Institute,
Without backing from the managing director or chief executive, business continuity man-
agement does not happen. (Axa Insurance/Henley Management College, December 2005)

Survey on business interruption and security
Bearing in mind the LCC report, it is useful to note that The Conference Board
published a report Navigating Risk: The Business Case for Security based on a
year survey of 213 senior corporate executives. Those responsible for security
and chief information officers were excluded from the survey to enable it to
gauge the role and influence of business security managers among general
senior executives. The surveyed companies most concerned with security are
companies in critical infrastructure industries (including energy and utilities,
chemicals and transportation), large corporations, multinationals with global
operations, and publicly traded companies.
˜Security directors appear to be politically isolated within their com-
panies,™ says Thomas Cavanagh, senior research associate in Global Corporate
Citizenship at The Conference Board and author of the report. ˜They face a chal-
lenging search for allies when they need to gain support from upper manage-
ment for new security initiatives.™
The survey found that experts from security directors themselves, the execu-
tives most supportive of security matters are those in risk-oriented positions,
such as CIOs, risk managers and compliance officers. It also found little linkage
Part B “ Overview of the Economic Aspects of Business Risks

between the level of support for security initiatives and the level of influence
over security policy within the companies surveyed. In general, the most sup-
portive executives were not the most influential, and the most influential execu-
tives were not the most supportive. In addition, most senior executives surveyed
reported that they have little direct responsibility for most aspects of security.
Moreover senior executives are often heavily involved in specific security deci-
sions even though they are not directly accountable for them.

Alignment with business objectives
In the survey executives were asked how effectively their company™s security
was aligned with their company™s business objectives “ in other words, to what
extent their own company™s security operation contributed to accomplishing
the firm™s overall mission in the marketplace. The most effective alignment was
found on issues of operational risk, such as complying with government regu-
lations (cited by 79%), protecting confidential information (74%), meeting cer-
tification standards (72%), and maintaining business continuity and ensuring
customer safety (both 71%). Limiting financial risk (62%) and defending
against litigation (60%) are also viewed as areas in which security was effect-
ively aligned with corporate functions.
However, in the survey companies reported less alignment of security with
long-range strategic objectives of the firm. For example, among senior execu-
tives, 56% see their company™s security operation as effectively aligned with the
need to keep pace with competitors, and half of the sample believes security had
been effective in reducing insurance premiums. Much lower proportions saw
security as contributing toward enhancing the value of the brand (44%), man-
aging the supply chain (36%), or pursuing new business opportunities (35%).
˜At one level, these results are perhaps surprising and a bit disappointing,
since they suggest that security remains a function that is mired in operations in
the eyes of senior executives™, says Cavanagh. ˜But if security executives could
successfully relate security initiatives to the competitive posture of the firm “ for
example, enhancing the appeal of the brand “ they might be able to bolster the
case for such initiatives as part of a long-range strategy, giving them more promin-
ence in the thinking of the board and the firm™s senior management.™
In critical infrastructure industries, evidently 87% of the executives sur-
veyed saw effective alignment of security with compliance needs, compared
with 70% in the non-critical industries. Similar gaps were seen with regard to
protecting confidential information (77% effective alignment in the critical
industries vs 69% in the non-critical industries), meeting certification stand-
ards (77% vs 65%), maintaining business continuity (75% vs 68%), and keep-
ing pace with competitors (60% vs 54%).

Value of security programmes?
As SERM has found, the search for effective measurement of risk has become
an essential part of the management process in security as in other aspects of
Chapter 8 “ Business interruption and risk management 169

corporate life. Increasingly, security directors are asked to establish a business
case for undertaking security expenditures.
Survey participants said that the most useful approach for determining the
appropriate level of security spending in their companies were those that
enable executives to determine how much a security problem would cost the
firm in terms of liabilities or lost business. The most helpful values found in the
survey were the cost of business interruption, cited by 64% of executives; vul-
nerability assessments (60%); and benchmarking against industry standards
(49%). Another group of values was explicitly related to insurance costs, such
as the value of facilities (44%), the level of insurance premiums (39%) and the
cost of previous security incidents (34%).
˜Unfortunately, the measures available for analysing the effectiveness of
corporate security tend to be much less sophisticated than those that have been
developed for other corporate functions such as finance, human resources, and
information technology™, says Cavanagh.

Insolvency and meaning
One of the main repercussions of business interruptions is insolvency.
Moreover insolvency can lead to business continuity problems. This can be a
complex area approached differently in various countries. In this section the
current focus is on the UK and US, bearing in mind also the discussions in
Chapters 21 and 22.

The insolvency debate
Key areas of concern are the:
Role of the banks;
Appointment of an insolvency practitioner (IP);
Priority of debts;
Costs of insolvency; and
Problem of cash flow and causation of insolvency.

There has also been extensive debate regarding the appropriateness of the UK™s
regulatory framework relating to insolvency and business failure. It is not
intended to go into the present laws of insolvency (which is a vast subject) but
rather to consider the meaning of insolvency. What, then, is usually meant by
insolvency? Generally:
The inability to pay debts as they mature;
Under the American Bankruptcy Act (1898) the insufficiency of assets at a
fair valuation to pay debts; or
Part B “ Overview of the Economic Aspects of Business Risks

Under other laws the insufficiency of assets at a fair saleable valuation to pay
debts (see James A. Machachlan, Handbook of the Law of Bankruptcy).

The second meaning is sometimes referred to as the balance sheet insolvency
test and is the predominant meaning in civil law jurisdictions. Non-lawyers are
accustomed to using the term ˜insolvent™ as an adjective, such as an insolvent
debtor whereas lawyers sometimes use the term attributively as a noun, that is
˜an insolvent™.
Also relevant is the concept of bankruptcy, which generally refers to the:

Fact of being financially unable to carry out one™s business and meet one™s
engagements, especially to pay one™s debts;
Fact of having declared bankruptcy or having been adjudicated bankrupt
under a bankruptcy statute; or
Field of law dealing with those who are unable or unwilling to pay their

In this respect the relevance of the American approach has been widely
debated in the UK. In the US the phrase Bankruptcy Act refers to the law of
1898, which governed bankruptcy cases filed before 1 October 1979. The phrase
Bankruptcy Code refers to the Bankruptcy Reform Act of 1978 (frequently
amended since then), which governs all cases filed since 1 October 1979. What
is well known in American law “ and increasingly understood here “ is what is
called Chapter 11. In American legal usage Chapter 11 has become synonymous
with corporate reorganisation for the purpose of handling debts in a structured
way, under the protection of a federal bankruptcy court. The phrase is often
used attributively. By way of example it has been noted that, ˜The purpose of a
Chapter 11 filing is to give a chief executive an opportunity to reorganise a
financially troubled business by putting its creditors on hold. When the money
problems have been straightened out and the company restored to health it
emerges from the protection of the bankruptcy courts and picks up where it left
off™ (John Taylor, ˜Bankruptcy was a disappointment™, New York Times, 10
December 1989, paragraph 7 at page 11). Therefore a common colloquialism
that has evolved is to go Chapter 11. By way of example in a review of John
Rothschild™s work Going for Broke (1991) it was also noted: ˜Of course
Campeau™s badly overextended retailing Empire would soon go Chapter 11 any-
way, throwing thousands out of work and rippling damage through the US
economy™ (Book note, American Way, January 1992 at page 78).
Although to go Chapter 11 does not appear to have the stigma often attached
to insolvency and bankruptcy evident here, certainly the consequences for
business “ as well as personal consequences “ may in practice be devastating.
This has been witnessed in many very recent cases, such as Kmart and Global
Crossing as well as the controversial Enron case study that has been so publi-
cised and analysed (see also Chapters 21 and 22). This led to calls to make US
directors more accountable and to require a new team of managers under
Chapter 11 rather than leaving the existing management in place. In some ways
Chapter 8 “ Business interruption and risk management 171

the US is moving closer to UK thinking, to make it more difficult for bankrupts
to be forgiven their debts and to be rehabilitated without sanction. It is recog-
nised that insolvency may be a result of mismanagement, rather than purely
misfeasance or fraud.
Nevertheless it must be appreciated that the stigma that attaches in the UK,
together with the ongoing practical repercussions of business interruption and
failure “ insolvency or liquidation “ often means that a valuable contribution to
the business economy is damaged. This can happen, for example in circum-
stances that are often beyond the control of the small business at risk and are
disproportionate in effect. Solutions remain imperfect when considering sus-
tainable risk management and different jurisdictions look to each other. For
instance, in some ways the UK is moving closer to the US by attempting to
make it easier for companies to be rescued and make it less of a crime for an
individual to go bankrupt. This is where there is no blame involved. It can be
appropriate in circumstances in which small business often finds itself, that is
with cash flow problems in circumstances beyond its control through the late
or non-payment of debtors.


. 35
( 131 .)