This post will provide an outline of business continuity planning. It is mostly intended for newcomers to the Business Continuity (BC) arena. It's also a fantastic review for more experienced readers. And if you're a seasoned industry professional, let us know what we missed!
Because catastrophic scenarios are uncommon, it is easy to overlook emergency planning. This is true for both multinational organizations and individual homes. During our most recent huge storm in Seattle, I discovered I no longer had a single candle – after looking by iPhone light with the power off.
Bad planning in business might cost more than a gloomy living room. We are exposed to new and varied types of dangers as a result of the complexity of international corporations and worldwide supply networks.
This article contains the following information:
- Principles of Enterprise Risk Management (ERM).
- Principles of Business Continuity (BC).
- There are two brief BC case studies.
- A basic introduction to Business Impact Analysis (BIA).
- BC leaders will find these materials valuable.
The Role of Business Continuity in ERM
Enterprise risk management (ERM) deals with threats to an organization's goals. While ERM methods differ every company, our recommended ERM model categorizes risks into three categories.
- External dangers. These are risks resulting from occurrences outside of the firm (for example, changes in the broader market, a storm disrupting a vital vendor, a natural disaster, and so on).
- Risks that can be avoided. These are dangers that arise from within the organization. Failures in ethics or compliance are two examples.
- Risks associated with strategy. These are hazards that are inherent in the organization's goal. The strategic goal of a startup firm may be to quadruple sales in 2018. Risks are reduced by identifying and removing roadblocks to goals.
ERM leaders may more easily implement controls and mitigations by bucketing risks in this framework. First, since they occur within an organization, avoidable risks are handled through leadership, culture, recruiting, and compliance — with risk elimination as the ultimate aim.
Meanwhile, scenario planning, stakeholder workshops, and "wargaming" — in general, group debate and preparation — are commonly used to handle external threats and strategy hazards.
These risks are handled by a series of prioritized questions, such as "what happens if an earthquake destroys our data center?" (an external risk) or "what will prevent us from doubling our sales?" (a strategic risk).
ERM's Business Continuity
We propose that Business Continuity executives collaborate closely with ERM leaders within this framework. BC should concentrate on identifying and prioritizing vital procedures and resources that enable the supply of critical products and services. Using the ERM model described above, risks under the BC's scope are classified as External Risks.
When a disaster hits, a distinct set of mechanisms is engaged to try to mitigate the effects of the crisis. The process of building those systems is known as business continuity. (There are situations when BC's attention goes beyond the External Risk category.
For example, if a compliance risk prevents procurement from a vital supplier, BC should at the very least note this Internal Risk in the Business Impact Analysis (detailed below).
A firm should have a thorough BC strategy in place to manage the most serious consequences of unfavorable occurrences. These effects fall into groups that apply to all catastrophic circumstances.
A sudden loss of power at a plant, for example, needs the implementation of a comparable BC plan, whether the power loss is caused by a blown fuse or a fire. In a blog for the Risk Management Monitor, Al Berman gives a helpful summary of these categories.
- "Impacts on facilities, rendering them inaccessible or unusable"
- Impacts on operational capabilities, such as supply chain disruptions, processing mistakes, or workforce shortages
- The impact on technology
- The organization's own effects, ranging from financial issues to intellectual property rights."
Those primarily accountable for carrying out BC plans for various circumstances should be well-versed in them. It is also critical that key personnel rehearse frequently and thoroughly enough to guarantee effective implementation. Emergency tasks and responsibilities are assigned to designated personnel in well-designed BC plans.
Practice of Business Continuity
There is a lot to consider in modern business continuity strategies. Supply chains are becoming increasingly complicated and sensitive to change. A firm's short-term production schedule may be jeopardized if facilities are disrupted, while longer-term production may be jeopardized if outsourced suppliers are harmed. A good BC strategy should prioritize these possible risks.
Intel's BC response to the Fukushima tragedy is a good example. "By March 15, four days after the disaster, Intel knew it had no major problems with its direct (or 'Tier 1') suppliers," Yossi Sheffi writes in The Power of Resilience. "By March 20, Intel knew that Tier 2 also had minor issues, but Tier 3, Tier 4, and deeper tiers had more serious issues." Intel discovered 60 vendors who were having problems. Many of them were one-stop specialized chemical producers with one-of-a-kind capabilities."
Intel's BC team reacted quickly. Engineers swiftly certified new manufacturing suppliers' materials for use, as well as providing orders to limit the usage of some vital elements to the bare minimum, increasing their longevity.
Buyers were sending letters of intent and purchase orders in order to obtain additional supplies for clearing as soon as possible. According to Sheffi, more than 75% of Intel's materials were possibly jeopardized, but the excellent implementation of their continuity strategy averted minimal losses.
Some scenarios necessitate specific considerations, such as employee safety and comfort. Procter & Gamble, whose Folgers Coffee brand has four operations in the New Orleans region, began implementing their business continuity plan before Hurricane Katrina hit in 2005.
When Hurricane Katrina came, P&G halted all activities in New Orleans and ordered all personnel to leave. The firm inspected the damage after the storm had gone and all personnel had been accounted for.
With the majority of the homes in the New Orleans region being unusable, P&G began giving food, lodging, health care, and counseling to its employees. The firm also provided staff with interest-free loans to assist them get through the crisis, as well as a seven-day-on, seven-day-off timetable.
These concerns for its employees helped guarantee that P&G had a workforce capable and eager to assist in its recovery following Hurricane Katrina, and the business became the first New Orleans manufacturing site to reopen after the storm. "From a business standpoint," Sheffi says, "despite the disruption, P&G shipped 96 percent of the previous year's volume in 2005, and its first-quarter 2006 brought record volumes, with business back stronger than ever."
The New York Times story linked below discusses the pro-employee, pro-business, and pro-moral grounds for P&G's robust BC reaction. According to the vice president of P&G's global coffee operation, "getting the plant up and running is absolutely critical to maintaining Folgers' leadership share position because we are entering peak consumption period."
Meanwhile, Louisiana Governor Bobby Jindal remarked that Procter's quick decision to reopen brought hope to an area that had been economically and emotionally decimated by the storm:
"Anyone who thinks New Orleans businesses are lost and not coming back needs to wake up and smell the coffee."
Making a BC Plan
There are certain very well-established procedures for putting together a BC strategy that have become industry standards. The government is currently in charge of distributing many resources. As part of its Ready public communication campaign, FEMA provides materials for BC preparation. They give the following summary of developing a BC plan:
Conduct a risk assessment. "Conduct a business impact analysis to identify time-sensitive or critical business functions and processes, as well as resources that support them."
Create mitigating strategies. "Identify, document, and implement plans to recover critical business functions and processes."
Involve stakeholders. "To manage a business disruption, form a business continuity team and create a business continuity plan."
Perform testing and training. "Conduct training for the business continuity team, as well as testing and exercises to evaluate the recovery strategies and plan."
A business impact analysis (BIA) is the first step in every BC plan. A BIA evaluates possible business impacts from a crisis scenario, prioritizes them, and calculates their likelihood, consequences, and potential cost.
A business impact analysis (BIA) will also define the recovery time objective (RTO), or the timeframe during which each theoretical issue will result in unacceptable outcomes. The analysis should be compiled into a report that outlines the priorities for each department in the event of an emergency. These will differ depending on the type of the firm, thus a thorough BIA is essential.
In terms of the BC plan itself, certain components are universal, however the particular structure may differ. The whole approach to crisis management and recovery is informed by the business continuity plan. BC plan should contain the following options:
- to postpone business operations until the threat has passed,
- to distribute business functions to unaffected subsidiaries or divisions,
- and to relocate to a different location.
In the preceding cases, P&G delayed, suspending operations until the tragedy passed, while Intel dispersed, rapidly transferring its supply chain to unaffected vendors.
Departments of the business should update their own BC paperwork, directed by BC executives, where the overarching strategy directs the plan. The reaction of an organization to an occurrence that physically threatens its personnel is referred to as occupant emergency (OE) planning.
The recovery of IT infrastructure is frequently referred to as disaster recovery (DR), and the DR procedures of an organization are typically documented in a DR strategy. An incident response (IR) plan describes the procedures that an organization will follow in the event of a cyberattack.
The BCM Institute Crisis Management Glossary is a comprehensive collection of industry-specific terminology.
Additional information, such as the National Fire Protection Association's Standard on Disaster/Emergency Management and Business Continuity Programs, can be accessed online.
Furthermore, the BCM Institute's BCMpedia.org[8] is a useful business continuity encyclopedia. There are additional periodicals and journals dedicated to business continuity, such as the Disaster Recovery Journal and Continuity Magazine.
To summarize, as recent tragedies have shown, business continuity planning is critical for practically all firms. Vulnerabilities develop as supply chains get more complicated and organizations become more connected — however, as successful instances have proven, interruptions and challenges do not always indicate long-term implications for your firm.
0 Comments