“The value of planning is not the plan itself, but the mindset it creates.”
Businesses are meant to run continuously to earn anticipated revenues, and any interruption to daily operations, whether expected or unexpected, is not only costly but can also badly stain a business’s reputation. Whatever its size and type, a business must be prepared with a well-thought-out Business Continuity Plan (BC).
In fact, Sun Tzu wrote about contingency planning some two and a half centuries back, highlighting the advantages of backups and scenario planning to prepare for unforeseeable events.
In the early 1970s, Pierre Wack, a business planner in the oil industry, predicted very early that OPEC would disrupt the oil market by demanding high prices for oil in the Middle East. Pierre’s company was one of the few that were well prepared for this contingency, and that allowed it to move from being one of the modest companies to one of the most profitable.
It is quite surprising that despite the wake-up calls of 9/11, the tsunami in Indonesia (2004), Hurricane Katrina (2005), COVID (2019), the latest floods in Pakistan (2022), and numerous other catastrophes, businesses still struggle to have appropriate BC plans, owing to a lack of support from top executives of some organizations.
Despite the above-mentioned fragility, with the passage of time and as its huge benefits have been witnessed, BC planning has grown into a complete industry of its own, mostly by developing comprehensive statutes, regulations, standards and guidelines. Besides other activities, BC planners also help in organizing data backup, hot sites, telecommunications and software tools, and in building the BC testing and training of organizations.
Business Continuity Plan (BC)
After the attack of 9/11, while many companies subsequently ceased to exist, those with a comprehensive BC plan in place were able to sustain the sudden business shocks. Later, the American Management Association also stated that about 50% of businesses that suffered from this major disaster without a BC plan never re-opened for business. This reality was felt and noticed by the business community the world over. As a result, businesses started implementing BC planning, organizing and safeguarding lives, assets, revenues and values.
As BC is still a relatively young discipline, its expertise, best practices and standards are still being regularly revised. Some of the important documents on the subject are ISO 22301:2019, NFPA 1600, the ASIS Standard on BC, the Australian Standard BCM Handbook, etc. In certain countries, the BC plan has become a business necessity, as failure to comply would bring irreparable damage to a business and would lead to legal action if events are not handled as per the law.
Comprehensive BC planning involves a considerable investment in time, technology, consultation, training and finances. Put simply, it is an ongoing process of (1) evaluating risks and their impact on critical business functions, (2) developing strategies and procedures for mitigating those risks, and (3) restoring critical functions as quickly as possible when a disruptive event occurs.
In the subsequent paragraphs, we discuss the BC process in more depth. For clarity, the process can be divided into five different phases:
Phase 1 – Identify
This phase comprises a Risk Assessment (RA), which identifies any conceivable threat that could disrupt the business and the severity of the impact of those risks, whether high or less likely, short or long term. These threats can be broken down into three categories: natural, human and technical. Examples include terrorism, crime, kidnapping of key personnel, hacking of a company’s network or website, flooding, earthquake, major disruption of electricity supply, pandemic and so on.
Phase 2 – Analyze
Next in line is a Business Impact Analysis (BIA), where you further analyze the already discussed threats, risks, impacts and likelihoods. The BIA (1) identifies key business functions, (2) identifies the financial and non-financial impact of any interruption to those functions for any length of time, and (3) prioritizes the risks according to their impact. The BIA is principally the foundation of any BC plan; for this very reason, a complete segment in the succeeding paragraphs has been dedicated to it.
Phase 3 – Design
By now, we have completed RA & BIA in the previous two phases; and collectively, the RA and BIA identify the risks and the impacts of interruptions on critical business processes. This critical information provides the basis for completing the design phase, i.e., developing appropriate recovery strategies for critical business processes and writing a plan to ensure continuity. While preparing for handling potential business interruptions, you need a complete plan that considers risks, impacts and step-by-step recovery strategies in various emergency scenarios. A plan provides comfort to handle interruptions and resume operations quickly while aiding the decision-making process and making it easier to take appropriate action.
Phase 4 – Execution
Now, with an articulated plan, it is time to reduce it to an easy-to-follow set of documents. In general, a plan will consist of an executive summary, safety and recovery procedures, incident response, command and control, communications and business resumption. One may choose to follow a format tailored to specific needs. After completion, the plan will be published and will be disseminated to all stakeholders for execution and training.
Phase 5 – Measure/Testing
No plan is truly workable until it has been thoroughly tested. Tests may take many forms, including penetration, scenario, Table Top Exercise (TTX) and audits (both internal and external). It is important to test real-life scenarios, including actual role-playing, to find out how easily the plan documentation is understood and whether it has all the information required to deal appropriately with each situation. Testing will not only verify strategy but also expose gaps.
Over a period of time some BC best practices have matured, which are listed below:
- Don’t cut corners
• Business continuity is a process, not a checklist
• Business continuity is a continuous program, not a one-off project
• Perform thorough RA and BIA
- Keep it simple
• Don’t try to do it all at once
• Don’t try to create the perfect plan in one go
• Don’t produce a 100-page document; the plan should be easy to follow
- Don’t try to cater for every conceivable scenario
- Stretch your BC planning budget as per the required obligation
- Don’t reinvent the wheel
• Learn from past experiences
• Follow a standard or handbook
• Use technology
• Plan exercises at a convenient time
• Practice periodically
- Involve your stakeholders at every step.
- Review your plan whenever there is a change in your organization that may affect the plan
- Make BC part of your everyday culture
Business Impact Analysis (BIA)
The Business Impact Analysis (BIA) is a thorough, methodical process of analyzing and evaluating the impact of interruptions on your daily operations; at the same time, it recommends ways and means to immediately start the recovery process.
Performing a BIA ensures that you (1) know the criticality of each business function, (2) observe the interdependencies of different segments, and (3) understand the type and severity of the impact of any specific interruption.
The second and most important part of BIA is planning the recovery process by gauging the maximum time your organization can live without a given process before its health and survival start getting jeopardized in an emergency (Maximum Allowable Downtime or “MAD”). Then calculate the resources required and available to recover processes to a minimum acceptable level within the MAD window.
BIA eliminates guesswork when disaster strikes. It is like a physician who trains for years before going into practice in order to minimize guesswork when treating a patient. Likewise, a BIA will take the guesswork out of planning, and you will know exactly how to recover from the crisis; moreover, you will have the justification for your decisions, based on solid, comprehensive data and sound analysis.
A well-crafted BIA will let you know exactly which processes are critical for survival and which processes need to be recovered first, so you won’t mistakenly apply resources to less critical processes. The recovery requirements identified in BIA (dependencies, required resources, maximum allowable downtime, etc.) become the test criteria by which the recovery plans, and those of critical suppliers, must be judged. Without this benchmark, there would be no accurate way to gauge whether recovery strategies will be effective or not.
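As an added illustration (not part of the original article), the sketch below uses BIA outputs as test criteria: it derives a recovery order from MAD and dependencies and flags processes whose planned recovery overruns their MAD. The process names and hours are constructed, and it assumes a process can only start recovering once its dependencies are back, with independent processes recovered in parallel.

```python
from graphlib import TopologicalSorter

# Constructed BIA register (all names and hours are illustrative assumptions).
# mad_h: Maximum Allowable Downtime; recover_h: planned time to restore the
# process once everything it depends on is back; needs: its dependencies.
BIA = {
    "power_and_network": {"mad_h": 4,   "recover_h": 2, "needs": []},
    "identity_service":  {"mad_h": 8,   "recover_h": 3, "needs": ["power_and_network"]},
    "payments":          {"mad_h": 6,   "recover_h": 2, "needs": ["identity_service"]},
    "payroll":           {"mad_h": 72,  "recover_h": 8, "needs": ["identity_service"]},
    "marketing_site":    {"mad_h": 120, "recover_h": 4, "needs": ["power_and_network"]},
}

def _dependencies_first(bia):
    # Raises graphlib.CycleError if the dependency map is circular.
    return list(TopologicalSorter({p: v["needs"] for p, v in bia.items()}).static_order())

def finish_times(bia):
    """Hours after the event at which each process is back, dependencies included."""
    done = {}
    for p in _dependencies_first(bia):
        done[p] = bia[p]["recover_h"] + max((done[d] for d in bia[p]["needs"]), default=0)
    return done

def inherited_deadlines(bia):
    """Latest hour each process may be back without pushing a dependent past its MAD."""
    deadline = {p: v["mad_h"] for p, v in bia.items()}
    for p in reversed(_dependencies_first(bia)):  # dependents before dependencies
        for d in bia[p]["needs"]:
            deadline[d] = min(deadline[d], deadline[p] - bia[p]["recover_h"])
    return deadline

def recovery_order(bia):
    """Recover the tightest inherited deadline first."""
    deadline = inherited_deadlines(bia)
    return sorted(bia, key=lambda p: deadline[p])

def mad_breaches(bia):
    """Processes whose planned recovery finishes after their own MAD."""
    done = finish_times(bia)
    return {p: (done[p], v["mad_h"]) for p, v in bia.items() if done[p] > v["mad_h"]}

if __name__ == "__main__":
    print("recovery order:", recovery_order(BIA))
    for name, (done_h, mad_h) in mad_breaches(BIA).items():
        print(f"{name}: back at {done_h} h, MAD is {mad_h} h")
```

With this constructed register, every process meets its own MAD except payments, which is back at hour 7 against a 6-hour MAD because of the chain beneath it. The inherited deadline for power and network is 1 hour, tighter than its own 4-hour MAD.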
The prerequisites for a successful BIA are: (1) the plan must have top-down support from senior management; (2) BIA is an ongoing project, and its ingredients should become part of the culture of the organization; (3) most importantly, it should be kept very simple; and (4) lastly, consider hiring an outside professional, as an outside expert can provide a more objective view and it will be easier to get buy-in for the BIA process from top management.
Data gathering and its analysis is the foremost process of BIA. Although data collection is quite a common talent, some important techniques are:
- inviting as many people from each department as possible
- confirming the same information through different methods
- observation, which is the best data collecting tool, as a lot can be gathered merely by observing people at work
- surveying, which may be used to collect information from individuals through a questionnaire
- face-to-face interviews, which may also be conducted for data collection
A significant element of the data gathering exercise is to determine the internal and external interdependencies and the succession planning of an organization.
Analyzing the business impact factors is the next process, where the impact or consequence of each individual interrupting event, whether tangible or intangible, will be examined. The important impact factors are financial, operational, reputational, legal and regulatory. It is also pertinent to mention here that “Single Points of Failure” will also be assessed in this segment.
Before concluding, we need to familiarize ourselves with certain terms: Recovery Point Objective (RPO) is the maximum amount of loss a business unit can sustain during an event; Recovery Time Objective (RTO) is the time in which the business must recover and resume its critical functions; Work Recovery Time (WRT) indicates the duration of time needed to recover; and Maximum Tolerable Downtime (MTD) denotes the point of survival, beyond which one would have to conclude business resumption.
By now the manager would be well equipped with all the material required to prepare the BIA and, after compilation, present it to the management for approval. There is no standard BIA pattern that is strictly followed internationally, but it should, as far as possible, cater for all the ingredients mentioned in the above paragraphs.
Operational Resilience (OR)
In the corporate world, operational resilience is usually defined as the ability of an organization to change or adapt during times of stress, disruption or uncertainty. Put more simply, operational resilience allows your business to keep working during turbulent times.
A question arises here: what is the difference between BC and OR? In my opinion, the major difference is that BC constitutes tailor-made solutions, which are pre-decided for foreseeable turbulent situations, whereas an organization with enhanced OR capability would be able to deal with even unforeseeable situations with the same ease. The catchword here is changing and shifting between varied strategies during disruptions without compromising on BC. BC is more precise, whereas an organization’s operational resilience will allow your business to stay flexible and effective, no matter what the circumstances are.
Those leading operational resilience programs at organizations do not necessarily have responsibilities for risk management. The OR team looks at how the organization’s risk architecture can help them to accelerate the design, implement their approach, and also prevent unnecessary duplication.
The basic step in becoming operationally resilient is accepting that disruptive events will eventually occur, and that these events will need to be managed effectively, with multiple solutions. An organization needs to have forward-looking plans that can be applied across a range of potential disruptions. An organization should proactively prepare to withstand and adapt to disruptions that will inevitably occur.
Operational Risk Management generally focuses on minimizing risk, through the development of controls that reduce the impact and probability of an event. Operational Resilience goes beyond this point and promotes a deeper understanding of a business, and focuses on building capabilities to deal with risk events when they materialize, rather than purely focusing on building defences to prevent risk events from occurring.
Operational Resilience is appearing more and more often on the regulatory agenda of many industrial sectors. For example, the Basel Committee on Banking Supervision has recognized that Operational Resilience should be approached beyond the scope of typical operational risk management.
Operational Resilience is not an old concept and is still in the process of being consistently tested, reformulated and retested. Nevertheless, a possible process to improve the Operational Resilience of an organization is: (1) identify risk appetite and impact tolerance, (2) map and assess important business disruptions and dependencies, (3) test the scenarios derived from your own experience, i.e., successes, near misses, and incidents, (4) invest in solutions with the most suitable responses and management actions, and (5) as the final step, have appropriate strategies for communication with all the relevant internal and external stakeholders.
These first years of the 21st century can be best described as an era of rapid globalization, which is altering our world in many ways, as we are more connected and more interdependent than ever before. Risks are magnified in an environment in which disruptions spread swiftly across borders, businesses, and organizations.
In light of the above, organizations that have meticulously gone through the BC procedure often find themselves much more confident with their solutions. Selecting the right process for BC can make or break your setup. During the planning phase, take time for due diligence before choosing any solutions and partners; it is then more likely that you won’t have any bad experiences.
BIA is an essential component of BC, as it helps to understand all the business processes, which are critical for the organization to survive for a longer time, during crises. It also helps you understand how processes and resources depend on each other and further helps to make the best possible allocation of limited resources. Furthermore, BIA eliminates the need for guesswork; and finally, it also creates the foundation for evaluating and testing your recovery strategies.
In order to have an effective, improving, and well-maintained operational resilience process, it has to be practiced regularly, with the lessons learnt being integrated into subsequent plans. A critical point is to ensure that any incidents or near misses are studied honestly and openly within the organization, so that Operational Resilience is constantly evolving to tackle any possible interruptions.