Listen to the news for just an hour and you’ll hear all the justification you need for business continuity planning: labor strikes, civil unrest, hacker attacks, natural disasters, manmade disasters, and a host of other events with the potential to abruptly halt critical business operations. Yet much like the TV news, many business continuity plans just skim the surface, leaving out crucial elements necessary to respond to such events.
Conventional wisdom holds that business continuity planning (BCP) is mainly about information technology (IT) and the nuts and bolts of IT disaster recovery. Not so. BCP produces significantly more value when it goes beyond just keeping IT systems running or restoring a damaged facility. What’s at stake? Protecting reputation, maintaining market share, reducing exposure to stakeholder lawsuits, enhancing insurability, and minimizing risk. For all these reasons, BCP should be a core business practice.
In the past, technology has clearly played a key role in the business continuity process. In today’s climate, for a recovery plan to be successful, technology must be treated as an enabler rather than a solution. IT cannot, by itself, address organizational resiliency. This shift in outlook demands that BCP be more closely tied to overall business planning. A true continuity plan must go beyond traditional emergency response and become an important part of a company’s strategic focus.
The following six questions will stretch the limits of how business leaders view BCP. For companies with continuity plans in place, these questions may stimulate concern over whether or not they would be fully prepared should the unthinkable actually take place.
Is business continuity a strategic or tactical issue for your organization?
Task-driven continuity plans create documents the size of large telephone books, but tactics quickly become obsolete and irrelevant when not tied to an enterprise-focused strategy. By making BCP part of strategic planning, senior managers gain a more robust perspective on the recovery process. For instance, an event’s impact on key staff and critical assets is often overlooked. An effective business continuity plan must consider protection of these assets to ensure an organization’s ability to restore its revenue flow. Business leaders who have engaged in aggressive cost-cutting actions in pursuit of a better profit margin should be aware that they have likely exposed themselves to significant new risks as a result of these actions.
Does your BCP emphasize keeping customers whole in addition to restoring damaged assets?
An effective business continuity plan does more than identify the steps required to restore halted operations. Many traditional disaster recovery plans limit their scope to emergency response, such as evacuations, first aid, and facility protection. These, however, are just early components of a business continuity plan. Making emergency response the primary objective at the expense of larger strategic considerations can leave a business unprepared in the event of a crisis. In contrast, an effective business continuity strategy considers risks beyond facility restoration; such a strategy establishes contingencies to these risks, such as prearranged alternate sourcing, and includes intentional operational redundancies.
Does business continuity support your company’s operational effectiveness and lean initiatives?
Inventory reduction has been a rallying cry for U.S. businesses trying to become leaner, more efficient organizations. But when an incident threatens to stop the flow of goods and services to customers, managers must already know (as a result of their business continuity due diligence) how long current inventory levels and safety reserves can continue to meet demand. BCP helps businesses decide if a short-term gain in the bottom line is worth exposing the organization as a whole to increased long-term vulnerability.
Companies don’t always need an in-depth business impact analysis as a foundation for developing a business continuity plan. But underwriters, shareholders, and government regulators have demonstrated growing interest in knowing which resources a lean business can deploy to launch and maintain a recovery plan. A holistic look at the organization through the lens of the business continuity process provides reassurance for all stakeholders and demonstrates the prudence and foresight of senior management.
Have you factored BCP into your fiduciary responsibilities?
There are not many examples of leaders in fiduciary roles being taken to task for lack of BCP planning, at least for now. It is only a matter of time before stakeholder suits against an unprepared business become more commonplace.
Sarbanes-Oxley considerations have placed a new emphasis on ensuring that companies keep their businesses whole. Insurance underwriters are now asking for a more thorough review of an organization’s BCP. Many organizations claim an effective plan is in place without actually satisfying the underwriter’s need for detailed BCP documentation, thereby compromising their fiduciary responsibility.
When was the last time senior management tested business continuity?
Companies must constantly evolve to meet competitive challenges in the global marketplace. From costly investment in new products or services to satellite offices in new markets, each change introduces increasingly critical assets to protect or restore, and key liabilities and exposures to mitigate. Making business continuity part of overall business planning and practices is key to ensuring that a recovery strategy evolves with the business and is capable of supporting an effective response. One way to ensure BCP remains a part of your everyday business practices is by conducting regular tabletop exercises. This allows senior managers to invest in the development of their plan, which will identify weaknesses and enhance existing response actions before the plan is actually deployed.
Are you prepared to respond to the public and your customers within 15 minutes of an event?
In today’s climate of instant media, a business has a maximum 24-hour window to set the tone of its response to a crisis, though in many cases, senior management will need to react much faster. Stakeholders demand to know what has happened and what the organization is doing about it. A relatively minor event can escalate quickly into a serious crisis when customers respond impulsively, looking to mitigate the impact on their own operations and consequently overloading the organization’s communication systems. This vulnerability is especially acute with operations such as call centers and Web sites, where failure is instantly visible.
Management may only have moments to respond in order to prevent a small event from escalating into a serious crisis. Prior planning and preparation are key to this rapid response. The days of issuing a “no comment” statement are long gone; in fact, such a response may lead some to jump to the conclusion that there is a serious problem or wonder what it is that the organization is not willing to disclose.
Who delivers the reassurances is just as important as what is communicated. Internal communications professionals should always be made part of the crisis management team and used as the initial spokespersons, especially while the parameters of the crisis are still in flux. However, effectively maintaining or reclaiming a company’s reputation will require that senior management be prepared to explain the situation and remedial steps that are being taken, once the extent of the problem is known. Communications that manage public and customer perceptions must be integrated with a business recovery strategy to eliminate stakeholder uncertainty and provide clear information about what happened to the organization and what management is doing to repair it. Even government agencies, with unlimited expertise and funding, are not ensured of effective communications in the aftermath of a crisis without effective planning—just look at New Orleans during and after hurricane Katrina.
The bottom line is that BCP is no longer a luxury. If a pharmaceutical provider of life-saving drugs loses a key supplier and can no longer supply customers with the medicine they need to stay healthy, that provider will be answerable for the lack of planning. If the product has a short shelf life and no plan exists to easily migrate to a competitive drug until after the crisis ends, there’s an immediate impact on millions of people and perhaps an irreversible blow to an organization’s reputation and, ultimately, market share. Likewise, an unexpected event is no longer an adequate excuse for a loss in shareholder value. Management and stakeholders are beginning to recognize the potential for business interruption. The bar is being set higher, and will only be cleared by those organizations whose leaders make continuity of their business operations a prime objective.
Jerry Coletta heads Milliman’s business continuity consulting practice and is based in the company’s Boston office. He has been involved in risk management and consulting for much of his career, and developed Milliman’s state-of-the-art, graphics-based business continuity methodology. Jerry is a chemical engineer by training. He is a nationally recognized expert in manufacturing, distribution, and supply-chain-related business continuity processes. He has published numerous articles, has contributed to several academic volumes, and has accepted many lecturing and teaching assignments.
Bill Carolan is a consultant based in Southern California who is part of Milliman’s business continuity consulting practice in Boston. He has worked in risk management for more than 20 years, and specializes in the design, implementation, management, auditing, and testing of business continuity plans. Bill previously practiced law, and later directed risk management services at a large property and casualty insurance brokerage firm. He is a member of the California Bar Association and the American Society of Safety Engineers.