Companies' business processes can be significantly affected by unforeseen events, not only in this country but also in manufacturing countries of places of procurement. The current reports about the coronavirus and its effects demonstrate this conclusively and they are hitting companies with full force. Unforeseen technical events can cause great damage too. The aim of Business Continuity Management (BCM) is to minimise risks like these and to take the most appropriate precautions in the event of serious disruptions.
Modern business processes are becoming increasingly susceptible to disruption. The main reasons for this are IT-supported operating processes and reliance on third parties as a result of outsourcing and out-tasking, as well as the integration of numerous partners worldwide. Major events are complex scenarios, particularly when they are international, and constitute a business risk that cannot be ignored, especially when company employees are affected.
Most business continuity programmes either assume that people will not be affected by an event, or they outline scenarios assuming a rapid return to work. The issue of IT-BCM ought not to be ignored, especially after numerous events that have occurred with trans-regional, sometimes even global effects (winter storms, floods, epidemics, influenza pandemics, etc.). In Switzerland especially, events like these are often underestimated.
It is relatively easy to identify sites where work can be restored (on alternative sites, for non-production-based sectors). On the other hand, it is difficult and expensive to disperse institutional knowledge and protective materials over a wide area. Estimates suggest that in the event of a pandemic, staff will be absent from work for between 25% and 40% longer than usual, which would affect operations for several weeks or even months. However, even in the event of occurrences like flooding, landslides or avalanches, entire company departments can be out of action for long periods of time or not be reachable by the workforce.
What we are seeing at the moment is that many companies are having to deal with the threat of major, cross-regional events. The coronavirus, as well as the growing number of climatic events, are certainly playing an important role in this. Current reports are prompting managers to question the readiness of their own company to deal with events like these.
Every realistic BCM scenario provides a unique opportunity for business continuity professionals to review their programmes in terms of the “availability of people” and the resources required more generally.
Business Continuity with system
The requirements for a BCM system are defined by ISO 22301 and numerous other guidelines and best practices, and these provide companies with a code of practice to help them set up, operate and optimise their systems. The systematic approach to operating a BCMS takes into account the generic elements of management systems such as the organisational context, leadership, planning, support, operation and optimisation, and therefore has the same basic approach as ISO 27001:2013 or the NIST CSF. A system starts with the question about the context for the company:
1 – The development of company-specific assumptions and the identification of important business processes
Managers play a key role in the threat analysis for the company – but also in making assumptions. The following key questions need to be clarified:
- What does a scenario incident mean for the company; specifically the sites, production, logistics, customers, infrastructure, staff, etc.?
- What are the assumptions that are specific to your company, both domestically and internationally?
- What are the critical components of the company? (Especially for the ones that are highly dependent on people, you need to pay attention to potential Single-Point-of-Failures (SPF) and critical value flows.)
- What are the critical products for your most important customers?
- Which components can be affected, for how long and to what extent, without damage occurring and at the point when damage occurs?
- Are the business processes implemented in such a way that they could have a significant impact on the business if the scenario event occurs? For example, is the product located in a single warehouse, or can phone numbers (such as call centre or support numbers) be re-routed?
- Who are the most important stakeholders in the organisation – both internally and externally?
Formulating the answers to these points provides a decision-making framework for effectively selecting and subsequently managing strategy options. In addition, it is important to understand the relationship between the processes and to develop a ranking based on this.
2 – Identifying mitigation and response options
Defining options for risk management (strategies for risk reduction and business continuity) starts by establishing or expanding the crisis management process. This is followed by defining tactical strategies for coping with or reducing the risk of staff absence.
To do this, a cross-functional planning team should be set up. This team will establish specific methods and strategies to proactively reduce or limit the impact of an event. They also identify responses or immediate measures to keep the damage down to a minimum. Options will include monitoring processes or strategies for a functioning work environment.
Ultimately, every company will have a unique risk mitigation strategy. However, it is also important to consider general points such as:
- Options for remote working, e.g. home office
- Decentralising critical assets (including resources, warehouse, production, etc.)
- Temporary interruption of non-critical processes and services
- Focusing on resources on critical tasks and processes that have a direct impact on your business.
- Building up emergency stocks of crucial products, components, etc.
- Pre-qualifying alternative partners
- Together with key suppliers and partners, developing joint crisis management plans.
Creativity and brainstorming: these are the keys to identifying and developing the right response strategies with individual, predefined trigger factors for your company.
3 – Prioritising options based on risk and devising the response plan
Once the options and potential strategies have been identified, the risks should be assessed and the strategies prioritised, for instance, based on a cost-benefit analysis. To do this, suitable criteria for strategy implementation have to be identified. At the same time, an escalation plan must be documented, preferably supplementing the existing crisis management plan.
4 – Organisational preparations
Ultimately, the company must be prepared for events. These measures should include:
- Procuring the resources required
- Ensuring availability
- Providing the IT resources required for remote working. Don't forget points like bandwidth requirements and licenses for remote access.
- Taking cyber security into consideration even when an event of this kind occurs
- Creating and implementing training programmes
- Developing plans to raise awareness
- Carrying out exercises and simulations.
5 – Practice the plans and carry out awareness-raising exercises
Alongside developing and documenting strategies and plans, it is important to rehearse threat-specific plans and carry out awareness-raising exercises. The ability to act is negatively impacted by uncertainty and ignorance, so knowledge is the best technique for mitigating risk. Training and awareness-raising activities should be focused on the crisis management team and on internal and external stakeholders, for example by means of intranet or blog posts, presentations, newsletters, online training, etc.
Ultimately, exercises are the most important element in BCM for instilling security and trust in everyone involved. This also allows experience and knowledge to be grown in a “stress-free" environment and to identify vulnerabilities and areas for improvement.
Employees are an important aspect of Business Continuity Management
Planning for staff absences in the short, medium or long-term is the most serious issue that BCM has to deal with. Developing an understanding of where the staffing weaknesses are and how these “weaknesses” overlap with the most critical processes is fundamental to planning for employee absences.
Understanding this, in conjunction with ensuring a proven crisis management process and strategies to mitigate risk, is an extremely effective response to events and a means of recovery afterwards. The process described stays the same, although the risk mitigation strategies that affect the likelihood of loss are different.
Business continuity management is a challenge. This is why you should seek external support at an early stage from people who have the appropriate practical experience. InfoGuard can provide you with support in the most wide-ranging aspects of Business Continuity Management – contact our BCM and ISO 22301 experts.