Business Continuity Goes Beyond Crisis ManagementPosted 2013-05-17 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
Crisis management will get you through the initial impact of a disaster, but you need a comprehensive business continuity program to sustain you beyond 48 hours.
By Ron Brown
When Hurricane Sandy hit the U.S. eastern seaboard in October 2012, it was a stark reminder of how easily our interconnected world can become disconnected, literally leaving companies in the dark. How would your company cope in such a crisis? Would it stumble or stand firm?
A good crisis management plan will get you through the initial impacts of a major event, but to effectively address large-scale disasters and their aftermath, today’s complex organizations need a comprehensive business continuity management (BCM) program that can sustain them longer than the first 48 hours. A well-designed program will see your company through the crisis and on to the restoration of operations and the preservation of your brand. BCM provides the foresight that changes “What do we do now?” into “Here’s what we do, here’s how we do it and here’s who is trained to do it.”
BCM is much more than crisis management. It’s a comprehensive program that helps a company react quickly and effectively when faced with unplanned interruptions, anticipating and mitigating the revenue loss, reputation, compliance, and expense-management impacts of a crisis. This ongoing process includes identification of natural and man-made events with the potential to disrupt business activities, preparation for those events (and prevention, where possible), mitigation of their effects to recover operations, and post-execution analysis to promote greater preparation and resilience during future events.
Hurricanes Sandy and Katrina, the 2011 Japanese tsunami and nuclear disaster, 2010’s Pakistani floods, and the eruption of Iceland’s Eyjafjallajökull volcano — these and other recent climate and geological events represent what a 2011 report from the British government described as “the beginnings of a new kind of future in which mega-disasters are going to be more frequent.”
On the biological front, the combination of increasing population density and urbanization, borderless world travel, and the emergence of antibiotic-resistant superbugs holds the potential for pandemic disease outbreaks. At the same time, human nature and the advance of technology combine to increase the possibility of devastating man-made crises — from cyber-attacks disabling applications or infrastructure to terrorists launching large-scale acts of destruction.
The degree of risk in today’s global operating environment is such that having a risk-resilient design and solid crisis response capabilities is no longer enough. In addition, the best-prepared companies are arming themselves with a complete, validated and coordinated BCM process that covers the full crisis life cycle—from emergency response to crisis management to recovery.
Having an informed business continuity playbook helps ensure that your organization is strong enough to absorb the initial impacts of a crisis; resilient enough to remain standing through the aftershocks; and properly organized to return critical processes to an acceptable, predefined functional level in the weeks and months that follow.
Taking a Holistic View
A good business continuity plan takes a holistic view of the enterprise. It identifies the critical aspects of the business; the components that contribute to their functioning (people, systems, data, networks, suppliers, facilities); the full range of stakeholders affecting and affected by that function (personnel, customers, regulators, etc.); and the internal and external potentialities that could affect a return to operational strength (transportation, power, communications infrastructure, human behavior, etc.). An effective continuity plan:
· Establishes a governance and program management structure aligning your crisis and BCM objectives, and defines authorities, roles and responsibilities (including decision-making and communication structures).
· Identifies and prioritizes critical functions, based on an impact analysis.
· Sets recovery time objectives for the restart of the organization’s various systems, based on overall organizational needs and an evaluation of how long critical functions can remain offline.
· Establishes workarounds to return critical functions to operation when deprived of their usual support structures.
· Defines the parameters of the company’s duty of care during a crisis: whether (and to what extent) it extends its responsibility beyond employees to include contractors, guests, employees’ families, etc.
For the planning process to succeed, organizations need to ensure a high level of commitment and support from their C-suite executives and board of directors; devote sufficient funding to support a continuity plan scaled to the need; and be prepared to conduct tabletop exercises, drills and assessments to determine the viability of plans for varying crisis scenarios and to strengthen participants’ plan knowledge.