How to Use Business Continuity Planning to Minimize Losses During a Crisis
This article is intended to be an overview of business continuity planning. It’s primarily meant for new entrants into the Business Continuity (BC) space. It’s also a good review for those with more experience. And if you’re an industry veteran, let us know what we missed!
The rarity of disaster scenarios makes emergency preparation easy to neglect. This is as true for global corporations as it is for individual households. During our last major storm here in Seattle, I realized I no longer owned a single candle — after searching by iPhone light, with the power out.
In business, bad planning can cost more than a dark living room. With the complexity of multinational businesses and globalized supply chains, we’re exposed to new and different kinds of risks.
In this article, we provide:
- Enterprise Risk Management (ERM) principles
- Business Continuity (BC) principles
- two brief BC case studies
- a brief overview of Business Impact Analysis (BIA)
- useful resources for BC leaders.
ERM and the Role of Business Continuity
Enterprise risk management (ERM) addresses risks to an organization’s objectives. While ERM models can vary across organizations, our preferred ERM model is to group those risks into three buckets.
- External Risks. These are risks arising from events external to the organization (e.g., changes in the broader market, a storm disrupting a critical vendor, or a natural disaster).
- Preventable Risks. These are risks arising from inside of the organization. Examples include failures in ethics or compliance.
- Strategy Risks. These are risks inherent to the organization’s objective itself. A young company’s strategic objective may be to double revenue in 2018. Risks are mitigated by assessing and removing blockers to objectives.
By bucketing risks in this framework, ERM leaders can more readily implement controls and mitigations. First, because they arise from within an organization, preventable risks are addressed through leadership, culture, hiring, and compliance — and the goal should be risk elimination. Meanwhile, external risks and strategy risks are typically addressed with scenario planning, stakeholder workshops, and “wargaming” — broadly, group dialogue and planning. These risks are addressed through a set of prioritized questions like, “what happens if an earthquake takes out our data center?” (an external risk) or “what’s going to keep us from doubling our sales?” (a strategy risk).
Business Continuity, within ERM
Within this framework, we recommend Business Continuity leaders work closely with ERM leaders. BC should focus on the identification and prioritization of critical processes and resources supporting the delivery of key goods and services. Using the ERM model above, risks within the BC purview generally fall under the category of External Risks. In general, when disaster strikes, a separate set of systems is activated that seeks to minimize the impact of the situation. Business Continuity is the process of developing those systems. (There are times when the focus of BC extends beyond the External Risk bucket. For example, if a compliance risk halts procurement from a critical supplier, then BC should at least annotate this internal (Preventable) risk in the Business Impact Analysis, described below.)
A business should have a detailed BC plan to address the prioritized impacts of negative events. These impacts fall within categories applicable across disaster scenarios. For example, a sudden loss of power in a facility necessitates the rollout of a similar BC plan whether the power loss is due to a blown fuse or a fire. Al Berman provides a handy breakdown of these categories in a blog for the Risk Management Monitor[2]:
• “Effects on facilities, making them inaccessible or unusable
• Effects on operational capability, such as supply chain interruptions, processing errors or staff unavailability
• Effects on technology
• Effects on the organization itself, ranging from financial problems to intellectual property rights.”
BC plans for various scenarios should be well-known to those most responsible for their execution. It is also crucial that key staff practice often and rigorously enough to ensure strong execution. Well-designed BC plans designate emergency roles and duties, with named individuals.
Business Continuity in Practice
Modern business continuity plans have much to account for. Today’s supply chains are complex and vulnerable to disruption. The short-term production schedule of a firm could be at risk if facilities are compromised, and longer-term production could be at risk if outsourced suppliers are affected. Good BC planning should address these potential concerns, by priority.
An illustrative example is Intel’s BC response to the Fukushima disaster. “By March 15, four days after the disaster, Intel knew it had no major problems with its direct (or ‘Tier 1’) suppliers,” writes Yossi Sheffi in his book The Power of Resilience[3]. “By March 20, Intel knew that Tier 2 also had only minor problems, but Tier 3, Tier 4, and deeper tiers had more substantive problems. Intel identified 60 suppliers who had issues. Many of them were single-source specialty chemical manufacturers with unique capabilities.”
Intel’s BC team sprang into action. Engineers quickly cleared new manufacturing suppliers’ materials for use and issued instructions to ration certain essential materials to the minimum, maximizing how long they would last. Buyers issued letters of intent and purchase orders alike to quickly procure new supplies for clearance. Sheffi notes that more than 75% of Intel’s materials had been potentially threatened, but the effective rollout of their continuity planning ensured minimal losses.
Some situations require special considerations, like the safety and comfort of employees. Procter & Gamble, whose Folgers Coffee brand had four plants in the New Orleans area, began rolling out their BC plan before Hurricane Katrina made landfall in 2005[4]. By the time Katrina hit, P&G had ceased all New Orleans operations and instructed employees to evacuate. After the storm passed and all employees had been accounted for, the company assessed the damage.
With most of the houses in the New Orleans area uninhabitable, P&G set about providing food, housing, health care, and counseling to its employees. The company also issued interest-free loans to help its workers through the crisis, and offered employees a seven-days-on, seven-days-off schedule. These considerations for its people helped ensure that P&G had a workforce able and willing to help it recover from the hurricane, and the company became the first New Orleans manufacturing facility back online after Katrina. Sheffi notes, “From a business standpoint, P&G in 2005 shipped 96 percent of the previous year’s volume despite the disruption, and its first-quarter 2006 brought record volumes, with business back stronger than ever.”
The NYT article linked below references the pro-employee, pro-business, and pro-moral reasons for the aggressive BC response from P&G. The vice president of P&G’s global coffee unit is quoted as saying, “Getting the plant up and running is absolutely critical to maintaining Folgers’ leadership share position because we are entering the peak consumption period.” Meanwhile, Louisiana Governor Blanco said that Procter’s prompt decision to reopen gave promise to a region that had been economically and emotionally devastated by the storm: “Anyone who thinks New Orleans businesses are lost and not coming back needs to wake up and smell the coffee.”
Writing a BC Plan
There are fairly well-established practices for putting together a BC plan that have become standard in the industry. Many resources are now distributed by the government. FEMA provides resources for BC planning as a part of their Ready[5] public information campaign. They provide the following overview on writing a BC plan:
• Conduct risk analysis. “Conduct a business impact analysis to identify time-sensitive or critical business functions and processes and the resources that support them.”
• Build mitigation plans. “Identify, document, and implement plans to recover critical business functions and processes.”
• Engage stakeholders. “Organize a business continuity team and compile a business continuity plan to manage a business disruption.”
• Test and train. “Conduct training for the business continuity team and testing and exercises to evaluate recovery strategies and the plan.”
Every BC plan begins with a business impact analysis (BIA). A BIA identifies impacts to the business that could result from a crisis situation, orders them by importance, and estimates their probability, consequences, and potential cost. A BIA will also determine the recovery time objective (RTO): the timeframe within which each affected function must be restored before the disruption results in unacceptable consequences. The analysis should be assembled into a report, which will establish the priorities for each department in the case of an emergency. These will vary depending on the nature of the business, so a detailed BIA is crucial.
As for the BC plan itself, several components are universal while the specific format can vary. The business continuity strategy informs the overall approach to crisis management and recovery. BC strategy should include options like the following:
- to defer business functions until the threat has subsided,
- to disperse business functions to unaffected subsidiaries or departments,
- and to relocate to an alternate site.
In the examples above, P&G deferred, ceasing operations until the disaster had passed, and Intel dispersed, quickly shifting its supply chain to unaffected suppliers.
Where the overall strategy guides the plan, departments of the business should update their own BC documentation, guided by BC leaders. Occupant emergency (OE) planning refers to the organization’s response to an incident that physically threatens its employees. The recovery of IT infrastructure is commonly called disaster recovery (DR) and the organization’s DR practices are generally outlined in a DR plan. An incident response (IR) plan refers to the organization’s practices in the event of a cyberattack. A full list of industry-specific definitions can be found at the helpful BCM Institute Crisis Management Glossary[6].
Additional resources can be found online, like the National Fire Protection Association’s Standard on Disaster/Emergency Management and Business Continuity Programs[7]. Additionally, the BCM Institute’s BCMpedia.org[8] is a handy encyclopedia of business continuity. There are also BC-related magazines and journals, such as the Disaster Recovery Journal or Continuity Magazine.
In summary, as disasters over the last 12 months remind us, BC planning is essential for nearly all businesses. As supply chains become more complex and businesses become more connected, vulnerabilities increase — but as successful examples have shown, disruptions and challenges don’t necessarily mean long-term consequences for your company.
Stabilitas is grateful for this contribution by guest writer Sean Goldie.
[1] http://www.continuitycentral.com/feature0178.htm
[2] http://www.riskmanagementmonitor.com/risk-management-and-business-continuity-improving-business-resiliency/
[3] https://www.amazon.com/dp/B015F05SWO
[4] http://www.nytimes.com/2005/09/21/business/at-least-some-can-wake-up-and-smell-coffee-in-new-orleans.html?_r=0
[5] https://www.ready.gov/business/implementation/continuity
[6] http://www.bcmpedia.org/wiki/Category:BCM_Institute_Crisis_Management_Glossary
[7] http://www.nfpa.org/assets/files/aboutthecodes/1600/1600-13-pdf.pdf