A critical component to effective risk management
01 June 2012
Yurika Pistorius, Centriq
Approximately one in five businesses suffers a major business interruption each year. While it is not possible for companies to mitigate all of the risks resulting from a work stoppage, an effective Business Continuity Management (BCM) strategy can offer some protection.
There are many events that might impact a business’s operational capacity. The death of a chief executive officer, owner or key staff member can cause untold hardship, while fire, flood or earthquake damage can hamper operations as companies wait for insurance settlements and repairs.
Managing black-outs
Other risks to business continuity include supply chain interruptions, the loss of a major client, production line failure, outdated technology, product failure or contamination, and an interruption in telecommunications or power supply. The failure to plan for post-event survival is a risk in itself!
How should you protect against business interruption risks? An effective BCM strategy ensures operational sustainability, which in turn underpins the company’s share price, stakeholder relations and reputation, among others.
BCM basics
BCM is implemented over four stages to achieve five generic objectives. These objectives are:
• To anticipate the damage that could be caused by internal and external uncertainties, and to minimise the impact thereof;
• To select measures to enable fast resumption of important business activities in an organised manner;
• To protect and preserve people, information and physical assets;
• To ensure continued profitability by securing an ongoing revenue stream; and
• To protect the company’s reputation.
Four simple stages
The first stage of a BCM strategy is to develop and draft a cost-effective policy that integrates business continuity with other business processes. Stage two is an assessment of potential business impacts and risks, as well as the identification and evaluation of options for risk reduction and post-event business recovery. Most of the leg-work takes place in stage three, where four issues are addressed, namely:
• Establishing the program by which business continuity will be achieved;
• Positioning training and capacity-building initiatives for the successful implementation of the business continuity plan;
• Implementing the standby facilities and risk reduction measures specified by the BCM strategy; and
• Developing the required business recovery plans and procedures.
The operational management and maintenance requirements of the strategy are captured in stage four, which addresses the how, what, where and when of BCM. A company must allow for business continuity testing, review and maintenance on an ongoing basis.
Stay relevant
The strategy’s effectiveness must be assessed and updated, at least annually. You should adopt a company-wide approach to ensure that the strategy is formulated around actual risk exposures rather than individual perceptions of risk. Crucial aspects to keep top-of-mind throughout the process include:
• Detailing what the organisation’s objectives are with the strategy;
• Outlining what processes will be used to achieve these objectives;
• Identifying business-critical processes, including the activities and resources that these processes comprise;
• Discussing event scenarios and doing an accompanying business impact analysis to estimate the possible duration of the outages and the resultant impact on objectives;
• Estimating a maximum acceptable outage for each process, including how long it will take before continuity is disastrously affected.
Existing risk management strategies must be documented too, along with alternatives should these controls fail. You should identify ways in which the business can still meet its objectives, including alternative resources and steps that can be taken to restore normal operations.
Forewarned is forearmed
The BCM plan should also address the implementation and documentation of all the preparatory and reactive procedures necessary to give effect to the chosen strategies, including:
• The acquisition of duplicate, supplementary or stand-by facilities;
• Agreements with third parties to supply resources and/or facilities;
• Permits from authorities for alternative ways of working;
• Identification and preparation of alternative work locations;
• Identification, roles and responsibilities of the response/recovery team;
• Descriptions of the activities to be performed in the initial response, business recovery and restoration phases;
• Descriptions of the alternative arrangements (workarounds) and rectification procedures;
• Specific action plans for each identified disaster scenario, from initiation to full recovery, including personnel responsibilities, resource and facility requirements and detailed task descriptions; and
• Lists of internal and external contact details.
Managers can effectively plan for BCM events by playing the “what if” game. They should ask: What if our IT networks went down? What if our key documents were destroyed? What if our staff could not gain access to the building for days, weeks or months? And what if we had casualties?
Ask the right questions
As you extend the question set to include external business relationships, you might ask: What if our customers could not contact us? What if our suppliers could not supply us? What if our customers could not pay us? What if we could not pay our suppliers? Etc.
You must avoid “textbook” scenario planning and steer clear of using industry standards as your only source of information. The BCM plan must be based on the actual loss or unavailability of key resources, regardless of the circumstances. You should also make BCM an integral part of your day-to-day business processes.
Another sensible approach to BCM is to ensure your plan is fully developed before contacting backup site vendors. And remember: BCM is business-driven, not IT-driven! A restored IT system is no good unless the operational infrastructure is restored too.
Protecting information
Nowadays you can use software management tools to build and maintain your analysis, planning and procedure information… And you can also make sure that your BCM plans are automatically backed-up and accessible at short notice.
Keep your plans concise and avoid including background analysis and history with actual procedures… A history lesson is not helpful in times of crisis. You do not want to work your way through chapters and chapters of project history before you get to the first recovery step.
Business Continuity Management helps companies to:
• Prioritise the allocation of resources and responsibilities;
• Respond to an event in a quick and efficient manner;
• Forecast risk using information about the business and its vulnerabilities that would otherwise not be formally investigated or discussed; and
• Leverage risk transfer and insurance benefits of various shapes and forms.