INTRODUCTION – BUSINESS CONTINUITY PLAN
The Covid-19 pandemic has required many businesses to blow the dust off their business continuity plans and has exposed them to the reality of needing to support ongoing operations while reacting to a crisis in real-time.
While there are many conflicting statistics about if and how long a business can stay afloat after it has experienced a disaster, one thing is certain, we are witnessing an increasing number of incidents from natural disasters, accidents, sabotage, power and energy disruptions, environmental disasters and cyber-attacks. The current Covid-19 pandemic is, of course, a dramatic and worldwide example of this.
Is your business prepared to weather a significant disruption that threatens your ability to continue? How will your recovery plan shape up as we emerge from the other side of the Covid-19 crisis? Do you have a plan that will enable your organization’s critical services or products to be continually delivered to clients? If not, it is time to assess/build your business lifesaver.
The diagram below shows 5 key steps to developing and refreshing a business continuity plan.
Step 1: Analysis
The first step in creating your plan is completing an as-is analysis to identify the critical activities in your organization. In addition to identifying the activities that must continue, the harder task can be achieving agreement with your stakeholders and clients on what activities have to be maintained at peak performance and service levels, what activities and services will need to stop (even if only temporarily), and what activities and services will be provided at a lower level. Once you know what is most important, prioritize the activities for continuous delivery versus recovery, estimate the time required to recover and the issues that are unique to your organization or that are highly complex.
The financial impact should not be overlooked: how long can your business operate without key revenue generating products or services while incurring costs to recover? Covid-19 has generally seen businesses be flexible with “client-friendly” cancellation policies and moratoriums on payment demands. But then, as a direct consequence, many businesses are not only losing customers and sales, they are also having to refund deposits, provide incentives to keep existing customers, and incur costs to support new ways of operating. All this is resulting in the bleeding of cash.
Step 2: Risk Assessment
Here you need to consider internal and external threats to your critical business activities and operations. And of course a robust BCP needs to consider all potential threats and scenarios. Depending on your location, the risks for certain types of threats may be greater than others. For example, if you are located on the East Coast of North America, the threat of a hurricane is higher; if you are on the West Coast along the entire American continent, or a location along many other fault lines across the world, the threat from earthquakes and tsunamis is much higher. Where electricity supplies are less robust, the threat of power outages and extended power outages will be a greater concern. Then there are many risks that you would want to consider regardless of your location and for which you will need to make sure your plan has specific procedures, pandemics being a current example, but fire and flood are common risk examples as well. You will also want to assess how tolerant management and clients are to operating at a reduced or minimum capacity and for how long. Risk assessment is about understanding your organization’s vulnerabilities and identifying ways to avoid, reduce, or mitigate the risks associated with them.
Step 3: Develop Recovery Procedures
Preparing for step three in the plan involves outlining how you will respond to an incident once it happens. It is the very detailed, step by step tasks and procedures that need to be taken to meet the challenges and reduce the risk to your organization’s people, operations and assets. You may identify the need to change your operating model to make it more resilient by implementing virtual work models, retaining redundant capacity/multiple sites, and/or establishing a hybrid workforce of human and digital workers. For example, many organizations have implemented remote working as a key and immediate strategy to achieve social distancing during the Covid-19 crisis, and several of these may retain some degree of remote working in their “new normal” to strengthen their ability to react to the next business disruption event. Others are working to integrate Intelligent Automation (such as Robotic Process Automation, Machine Learning, Chatbots, National Language Processing, Artificial Intelligence and Blockchain), into their processes to provide scalable capacity, improve productivity, and strengthen resilience.
Once you have your risks identified and understand your operating model, you then need to prepare your response. In this step of the cycle, you want to organize recovery teams, determine task recovery procedures, and develop work site and technology recovery plans. Additionally, you will need to consider the impact on personnel. First and foremost, their immediate safety, but after the dust has settled, they will want to contact loved ones or need transportation home. This can be challenging if they have lost their personal items such as keys, phones and their wallets. In the days and weeks to follow, having counseling available for them and their immediate families will go a long way in helping them feel they are a valued part of your organization. It is also useful to develop a detailed communications and an external public relations plan. How your organization handles the media can prevent negativity and can help you maintain some level of control over what the community, your staff and investors are hearing and believing.
Step 4: Communicate & Integrate
A plan is only useful if people know about it. Once you have developed your plan, you need to communicate it to your staff and integrate it into your company’s policies and culture so that everyone knows where to find it, what it contains, and how to use it. It should be designed for stressful and confusing situations; therefore, it needs to use simple terminology. Hard copies and electronic format should be easily accessible (on and off-site) and, contingent on resources available, a web portal is a great tool to maintain versions and increase access. Other groups that you will need to communicate with include your neighbors, community, customers, suppliers, and banks. Having pre-prepared messages will decrease the time it takes to communicate with these key groups when an incident does occur.
Step 5: Test, Train & Maintain
The only way to know if your plan will work is by testing it. Your staff needs to know what to do, where to go and how to work together. Running test exercises increase survival likelihood and minimizes impact, they can also enhance public image. To train your teams, familiarize your staff and test your plan, there are three different types of exercises that can be performed: seminar, table-top and live. Below is a diagram outlining their major characteristics:
Even a table-top exercise that is scheduled in advance can be made more realistic and effective with a few simple changes:
- Announce at the start of the exercise that the senior leader was called away at the beginning of the crisis (perhaps to represent the organization at a regional response team), so several individuals in the room need to take on new roles.
- Invite external stakeholders, key suppliers and clients to join the exercise and represent their organization; if this is not possible, assign these roles to actual people to role play.
- Assign roles to non-essential staff to act out to represent some possible individual reactions, for example:
- “Deadline Diana” who is working on a very important task that she is committed to completing within the next hour. Diana reacts to the situation as if nothing is happening.
- “Laughing Larry” is trying to lighten the seriousness of the situation and is using humor inappropriately to distract participants.
Whether it is after a training exercise or a real event you have experienced, it is crucial that you update your plans and procedures to make sure you address any weaknesses in the plan. What would you do differently to better protect your business? It is important to review your plan on a regular basis to ensure that details remain current. Updating the response team members’ full contact information is a good example of information that can quickly become outdated.
Business Continuity Plan should be a consideration at all levels of the organization, from strategic planning all the way down to your daily operations. At Chazey Partners, we believe successful recovery from a crisis event depends on your people and your readiness – not on your organization’s size, infrastructure, equipment, or technologies. Our structured Business Continuity Plan approach provides pragmatic recommendations for your current BCP strategy, and also offers integrated solutions to develop a BCP program suitable to your organization’s unique needs and circumstances.