Business Continuity Management more critical than ever
Johannesburg - The increasing frequency and severity of disruptions that can impact businesses demands robust Business Continuity Management (BCM) Program that develops strategies factoring in every conceivable ‘worst case scenario’ to business enablers and documenting it within plans to ensure that critical business functions can continue during and after a disruptive event, such as a natural disaster, cyber-attack, or a pandemic.
The COVID-19 pandemic highlighted the importance of having a robust and holistic BCM program in place, with many businesses forced to shut down or transition to remote work with little notice. If the pandemic taught us anything, it’s that anything is possible, and that the severity of disruptions can be devastating, if not fatal for businesses who do not plan with intent and focus.
“COVID-19 highlighted the fact that BCM cannot be approached as a simple tick-box exercise. If you can conceive of a disruptive scenario, then the possibility exists that it can and may even happen, and your only recourse for recovery is to plan and implement workable plans. It especially showed that many organisations’ BCM plans were conservative and scenario-specific in their approach and in turn were unprepared for the scale and depth of the disaster that unfolded after the pandemic struck, and the devastating and long-tailed domino effects it had on every single facet of business and life as we knew it,” says Nicolene Olivier, a Global Risk Consultant at Aon South Africa, a global professional services firm and insurance broker.
The primary purpose of BCM is to identify single points of failure and risk to continuity throughout a company, develop strategies and document them within plans and procedures that will assist to mitigate those risks, enabling organisations to recover from any disruptive event. “We plan as if something has already happened,” says Nicolene. “It is a deeply holistic and comprehensive approach that assesses everything from technology, data protection, to health and safety, required skill sets, communications, operational and financial impacts, to name a few. The end goal is to minimise the impact of such events on a company’s operations, employees, customers and stakeholders,” she adds.
To ensure continuity Nicolene says you need to ask yourself one simple question: What does your business need to operate? And then challenge your belief that ‘worst case’ scenarios may never happen.
Questions to ask that will help you understand your company’s recovery requirements would include:
- Do you need people with a specific skillset on the ground, operational network systems that the business depends upon?
- Are there manual workarounds possible of you lose access to systems and/or applications?
- Does your supplier or external third-party dependency have continuity plans of their own in the event of an incident/disaster?
- If your supplier is not able to overcome a crisis, what is your plan B, C or Z?
When all questions have been asked, business continuity strategies are developed and documented. “It is critical to assign roles and responsibilities within the various plans that make up a BCM program and ensure seamless communication and escalation between the plan role players. There also needs to be buy-in from management who understands how important a comprehensive BCM program is for the survival of an organisation during a crisis,” says Nicolene.
Aon highlights nine key pressure points to evaluate in a business continuity management plan:
- Emergency Response Plan: Establish procedures to immediately respond to an incident/disaster where swift action can be taken to safeguard life and limit injury, such as natural disasters, cyber-attacks, or other crises that could disrupt operations. Start by having a clear definition of what constitutes an emergency in the company and what the first port-of-call is in such an event.
- Crisis Management and Communication Plan: Strategic decision-making and provision of leadership/direction is needed when managing an incident/disaster. The plan needs established procedures on when to invoke a Business Continuity Plan, ensure effective internal and external communication and how the organization will deal with issues relating to Reputation, Brand/Image, Stakeholder’s Confidence and Media.
- Business Impact Analysis: Understand the recovery requirements of business. Identifying, analysing and prioritising critical functions in terms of applications, systems, user requirements, specialised equipment and key dependencies to name a few.
- Risk Assessment: Identifying unacceptable levels of risks to continuity and single points of failure that could result in significant business disruption. These risks inherently have a high impact and a low probability of occurrence. Risk identified should be escalated and managed through an organisation’s Risk Management Program.
- Dependency mapping: Map out any third-party suppliers or processes that could have an unintended effect on your business production line. It is critical to put strategies in place that will allow you to bypass steps in the production line or find alternative solutions as and when needed to allow the operational side of the business to continue, unhindered. You should also review or audit third parties’ business continuity plans to ensure they have plans in place to respond to incidences/disasters.
- Business Continuity Strategies: Identify, evaluate and select the most appropriate strategies for each critical business component that enable the continuation of essential business processes within appropriate timeframes based on their urgency.
- IT Disaster Recovery (DR) Plans: Review IT DR plans to ensure processes and plans in place will meet the businesses’ recovery requirements.
- Training and Testing: Having such a plan on paper means nothing without testing the strategy, confirming whether communication within the program reaches its intended targets and what setting up a remote business office/operation would look like. Ensure that employees are trained in their roles and responsibilities during a crisis, and regularly conduct awareness sessions, drills and simulations to test the effectiveness of the plan.
- Continuous Improvement: Annually review and update the BCM program to ensure it remains relevant and effective in the face of changing risks and business needs.
“BCM is a mission-critical part of a company's risk and resilience strategy, helping to ensure the resilience of the organisation and its ability to adapt to and recover from unexpected events. It is also at this junction, that talking to a professional risk advisor with deep specialisation in BCM is an invaluable exercise. It requires a comprehensive and fluid business continuity plan, backed with a comprehensive insurance and mitigation strategy that will enable better decisions that lead to the best possible outcomes for your business in the face of a crisis,” Nicolene concludes.
Leave a Comment