Did COVID-19 Expose Your Business Continuity Plan? Here’s How to Do Better Moving Forward
In the months since the coronavirus upended our world, business continuity plans (BCPs) have been put to the test. Or, unfortunately in some cases, made up on the fly in response to the unprecedented interruption in business. And while many organizations have, or will, take a financial hit from COVID-19, what is less clear is what will happen in the coming 6 to 12 months.
Fortunately, those organizations that had BCPs in place have generally been in a stronger position to respond nimbly under these uncertain circumstances. Companies with plans that identified the most critical parts of the business (i.e., which markets and customers to prioritize, alternative supply chains, or what to do if staff can’t come into the workplace) have a competitive advantage.
Unfortunately, some companies were caught flatfooted.
According to the Global Board Risk Survey that Ernst & Young (EY U.S.) conducted with 500 global board members and chief executive officers, even before the COVID-19 outbreak, only 21% of board members believed their organizations were very prepared to respond to an adverse risk event from a planning, communications, recovery and resilience standpoint.
COVID-19 has made evident the need for — and importance of — such plans to help make an already difficult situation slightly more manageable and to ensure employers are doing right by their customers, employees and stakeholders.
And while a pandemic is not a normal occurrence, natural disasters, fires and other threats are more likely to impact an organization’s resilience. Having a solid BCP in place will help protect a company’s reputation, financial position and competitiveness.
Get the Board Onboard
While it is up to the business to decide where the responsibility sits, risk managers are well positioned to develop and implement BCPs. They generally have sufficient links within the business to make it effective.
However, it is the responsibility of those more senior in the organization — preferably at the board level — to state a commitment at the outset and ensure the necessary resources, both in terms of people and capital, are put in place to make the process effective.
Know Your Business Inside and Out
At the heart of everything is understanding your business sufficiently well. What are the most critical processes in your business that enable you to do business and what are your alternatives if you cannot complete those processes as normal?
This is where a business impact analysis comes in.
A forensic tool to measure financial and market-related impacts to an organization in the event of a major disruption, a business impact analysis is at the heart of the whole business continuity management process and provides a systematic approach to understand what the critical aspects of your business are that are needed to deliver products and services into your market.
Seven Key Questions for Risk Managers
To ensure your BCP is taking an enterprise view of risk, there are several critical questions that risk managers should be asking about the company:
- Your mission and strategy — what is your organization trying to achieve?
- Your products, markets, money — what products and services do you deliver?
- Into what markets?
- How much money does each product and market generate?
- Your operations — what processes enable their delivery?
- What could happen to the processes to stop those operations?
- The business impact — what would happen to your business if the processes stopped?
Asking these questions will generally enable you to determine something else critically important: What is the bare minimum you need to do, or have, in order to survive as a business? The BCP itself must have strategies to help you to achieve that.
Fully Fleshed-Out Strategies
Far too often we see that organizations have failed to create a fully formed BCP. There will be plenty of great background information but not what they will do if disaster strikes.
Common shortcomings include a lack of continuity strategies and a tendency to plan for a team to meet to formulate a response. But you can’t simply say, “These people will meet and decide what happens next.”
At the heart of every plan should be strategies to maintain the effective delivery of critical products and services. These must include giving people charged with responsibility for crisis management clearly defined actions that could be taken to maintain the business.
Crystallize who makes that decision or that call. You don’t want to be left wondering in the moment what decisions you have to make and who is going to make them.
Testing and Updating
Once you’ve got a plan, it’s important to see how it will hold up in a crisis.
At FM Global, we test our BCPs at least once a year, at both the corporate and operational levels.
Incident Command Teams (ICT) go through case scenarios facilitated by our corporate risk manager. As they go through this exercise, the ICTs discuss actions that they would take at different stages of the scenarios, guided by the strategies set out in the BCPs.
Beware of a False Sense of Security
Recently on these pages, I wrote about steps risk managers could be taking to prepare for anticipated natural disasters, like the current Atlantic hurricane season, while also navigating the pandemic. While natural hazards can, and do, happen frequently, a pandemic hopefully is a once-in-a-century event, if that. At the heart of either scenario is to beware of complacency.
For this reason, making a gross assumption that because a company deals well with the coronavirus, for example, will mean that its BCP will respond equally well to a different disruptive event is inadvisable. An earthquake or sudden equipment breakdown will give you no time to prepare your response. Customers are unlikely to be so forgiving if you are not resilient and able to serve them and you can be sure that your competitors will look for any opportunity to gain an advantage.
The times we are living through are indeed unprecedented, but the response must not be. The reaction must always be to understand your business and its critical processes, know what your alternatives are if things fall through, and to plan and delegate your next steps thoroughly ahead of time. &