Business Continuity Goes Beyond Crisis Management
By Ron Brown
When Hurricane Sandy hit the U.S. eastern seaboard in October 2012, it was a stark reminder of how easily our interconnected world can become disconnected, literally leaving companies in the dark. How would your company cope in such a crisis? Would it stumble or stand firm?
A good crisis management plan will get you through the initial impacts of a major event, but to effectively address large-scale disasters and their aftermath, today’s complex organizations need a comprehensive business continuity management (BCM) program that can sustain them longer than the first 48 hours. A well-designed program will see your company through the crisis and on to the restoration of operations and the preservation of your brand. BCM provides the foresight that changes “What do we do now?” into “Here’s what we do, here’s how we do it and here’s who is trained to do it.”
BCM is much more than crisis management. It’s a comprehensive program that helps a company react quickly and effectively when faced with unplanned interruptions, anticipating and mitigating the revenue, reputation, compliance, and expense-management impacts of a crisis. This ongoing process includes identification of natural and man-made events with the potential to disrupt business activities, preparation for those events (and prevention, where possible), mitigation of their effects to recover operations, and post-execution analysis to promote greater preparation and resilience during future events.
Hurricanes Sandy and Katrina, the 2011 Japanese tsunami and nuclear disaster, 2010’s Pakistani floods, and the eruption of Iceland’s Eyjafjallajökull volcano — these and other recent climate and geological events represent what a 2011 report from the British government described as “the beginnings of a new kind of future in which mega-disasters are going to be more frequent.”
On the biological front, the combination of increasing population density and urbanization, borderless world travel, and the emergence of antibiotic-resistant superbugs holds the potential for pandemic disease outbreaks. At the same time, human nature and the advance of technology combine to increase the possibility of devastating man-made crises — from cyber-attacks disabling applications or infrastructure to terrorists launching large-scale acts of destruction.
The degree of risk in today’s global operating environment is such that having a risk-resilient design and solid crisis response capabilities is no longer enough. In addition, the best-prepared companies are arming themselves with a complete, validated and coordinated BCM process that covers the full crisis life cycle—from emergency response to crisis management to recovery.
Having an informed business continuity playbook helps ensure that your organization is strong enough to absorb the initial impacts of a crisis; resilient enough to remain standing through the aftershocks; and properly organized to return critical processes to an acceptable, predefined functional level in the weeks and months that follow.
Taking a Holistic View
A good business continuity plan takes a holistic view of the enterprise. It identifies the critical aspects of the business; the components that contribute to their functioning (people, systems, data, networks, suppliers, facilities); the full range of stakeholders affecting and affected by that function (personnel, customers, regulators, etc.); and the internal and external potentialities that could affect a return to operational strength (transportation, power, communications infrastructure, human behavior, etc.). An effective continuity plan:
· Establishes a governance and program management structure aligning your crisis and BCM objectives, and defines authorities, roles and responsibilities (including decision-making and communication structures).
· Identifies and prioritizes critical functions, based on an impact analysis.
· Sets recovery time objectives for the restart of the organization’s various systems, based on overall organizational needs and an evaluation of how long critical functions can remain offline.
· Establishes workarounds to return critical functions to operation when deprived of their usual support structures.
· Defines the parameters of the company’s duty of care during a crisis: whether (and to what extent) it extends its responsibility beyond employees to include contractors, guests, employees’ families, etc.
For the planning process to succeed, organizations need to ensure a high level of commitment and support from their C-suite executives and board of directors; devote sufficient funding to support a continuity plan scaled to the need; and be prepared to conduct tabletop exercises, drills and assessments to determine the viability of plans for varying crisis scenarios and to strengthen participants’ plan knowledge.
Strong Program Management
The success factors needed to establish and build a good business continuity plan include a strong program management function. This function is central to the BCM planning effort: it organizes and provides a structure for the effort, and it helps to manage tasks, activities and dependencies across all functional areas.
The program management office helps capture and organize the information needed for the analysis phase of a BCM project. Supported by the BCM steering committee, the program office coordinates the development of the foundational components of the business continuity plan—those needed to continue the critical products and services of the organization during the recovery phase. The effort needed to develop the business continuity plan is structured using a phased approach that gathers the appropriate requirements. These steps include the following:
· Conduct a business impact analysis and a risk assessment, create impact scenarios and then examine the aggregate organizational view that emerges. Typically, these scenarios are scaled up to involve worst-case events, on the presumption that solutions developed for, say, a thousand-mile-wide Atlantic super-storm would more than suffice for a bad nor’easter.
· Craft solutions to address the impacts and risk. The solutions will form the business continuity plan: creation of a crisis management command and control structure; identification of secondary work sites; establishment of communications and IT architecture; and requirements.
· Create and practice the plans to train and educate the organization. Ideally, understanding how your critical third parties will respond to crisis events will enhance your plan’s viability. If you maintain visibility into their plans, you will be better able to understand whether their crisis has the potential to become your crisis.
Preparedness is the first step in response, but response is the critical test of preparedness. Once a company that provides critical services or products has gone through a crisis event, senior management should assess the impact of the event on the company’s operations and controls. It also should provide reassurance to customers, regulators, and other stakeholders that its systems-control environment is positioned to deal with future events.
It can take more than five years to create and mature a business continuity program that management can trust to significantly reduce the impact of major crisis events.
The journey begins by enlisting a full-time resource to coordinate the first efforts of assessing interruption risks and identifying critical business processes. Involving business continuity specialists at this juncture shortens the learning curve for creating effective business continuity plans, as specialists will provide proven industry and operational insight into what works. The result will be tested, easily assessable, streamlined and always relevant continuity plans maintained and owned by the appropriate critical-process owners.
To meet increased threats with symmetrically increased resources, organizations should begin objectively assessing their overall BCM program to determine whether it’s armed with the right tools to reduce the impact that crisis events have on revenue, reputation, regulatory compliance and expense management.
Ron Brown is managing director and global lead at PwC Consulting, specializing in governance risk compliance and business continuity management.