Building Sustainable Business Continuity Programs for Resiliency
By Tony Rock, Vice President, Leadership & Operations, NAVEX Global
This article was created in partnership with Compliance Week and was originally published in the Identifying & Mitigating Coronavirus Risk eBook.
Complexity breeds both opportunity and risk. This simple truth underpins the multifaceted struggle that all organizations must engage in every day. As firms of all sizes become increasingly dependent upon international markets, supply chains and workforces, the potential risks posed by world events continue to grow in both severity and variety. This is especially true of global threats such as international conflict, environmental disaster or pandemics, as they can affect multiple components across a variety of business processes. Further, the growing size and scope of these events almost guarantee they will impact entire markets in unanticipated ways, to unknown effect. This, paired with the tragedy of the commons, can often lead businesses to eschew planning efforts, relying instead on outside intervention from governments and NGOs.
However, while global crises can appear intimidating, they are fundamentally not dissimilar from other forms of business risk. In fact, large-scale events like pandemics are best understood—and addressed—not as singular threats but as composites of business risk. Every organization routinely faces a variety of risks to its operations, logistics, etc. To mitigate these risks, all firms should adopt sustainable business continuity management programs that address key processes, are rigorously tested and comprehensively reviewed, and are continuously monitored and updated. Properly configured, such a business continuity program will ensure organizational resiliency, enabling businesses to effectively manage the cascade of interconnected disruptions caused by global risks.
Cataloging Key Processes & Building a Program
Every effective business continuity plan begins with a thorough accounting of all of an organization’s key processes. This starts in consultation with the firm’s department heads and the chief executive team, creating an inventory of all processes to assess which ones are instrumental to the organization’s core functionality. This should include all major operations, as well as inbound and outbound logistics including supply chains and distribution networks. All four of a given process’s key components—people, resources, vendors and assets—should be identified.
Once key processes have been determined, organizations should build plans designed to address potential disruptions. Alternative suppliers or transport options should be identified; staffing plans for critical human resource losses should be detailed, etc. Articulating these preliminary plans is the critical first step in building a functional, resilient program.
Testing & Reviewing Business Continuity Plans
Once preliminary plans are in place, organizations should begin the process of testing and review. Testing generally begins with the construction of “what if” scenarios. When testing business continuity with respect to global risk events, firms may want to start with questions such as “What if large-scale protests disrupt the government in country ‘A’?” or “What if a volcano erupts in region ‘B’?”
With scenarios defined, table-top exercises can be conducted to review the impacts and effectiveness of a business’ continuity plans. Testing for global threat scenarios can be especially valuable, as events that are geographically remote may have profound impacts on key processes that may not otherwise be readily apparent. For example, 2017’s Hurricane Maria damaged several key Puerto Rican factories responsible for producing the IV bags U.S. hospitals use to administer medication, triggering a nationwide shortage. Global threat scenario testing of an organization’s business continuity plan can help firms anticipate such risks.
After testing, companies should conduct a review to identify and address potential conflicts and/or additional resulting complications. Often, a plan will have unforeseen consequences for adjacent processes or components; a different supplier may impact your staffing or resource needs, for example. Testing and review can help ensure that these unintended effects are also accounted for. Plans also need to be evaluated to ensure they meet all relevant compliance and contractual mandates.
Monitoring for Resiliency
Crucially, all risk must be continuously monitored, with plans updated to reflect any and all changes. Business processes are necessarily fluid, as are the broader circumstances surrounding them. Vendors, suppliers, staff and resources change over time, impacting business operations and logistics. Similarly, world events such as natural disasters and geopolitical changes can alter an organization’s processes.
To be truly resilient, a business continuity plan must account for the organization’s present, not its past. In some respects, relying on an obsolete business continuity plan can be more dangerous than having no plan at all, as it can provide a false sense of security. Over the past decade, there have been several prominent instances where the negative effects of a major risk event have been exacerbated by the fact that a business’ continuity plans were out of date, listing vendors, suppliers and people who were no longer appropriate, relevant, or—in at least one instance—living. Continuous monitoring allows an organization to identify and proactively address these changes.
Ensuring Plan Access & Availability
Finally, it is critical that a business’ continuity plan be up-to-date and easily accessible. Given the continuously changing risk landscape that modern businesses face, particularly with respect to global events, it is impossible for organizations to achieve this through paper-based systems or spreadsheets alone. Single pane of glass solutions can help organizations effectively manage their business continuity plans by providing a single unified and universally accessible hub.
However, planners must also be cognizant of the fact that systems access may not always be available, particularly in the case of a natural disaster or similar event. For this reason, organizations should always make regularly updated hard copies of business continuity plans, as well as online backups. Achieving organizational goals requires that business processes perform as intended. But when processes are at risk, firms need to know they can rely on business continuity plans that are carefully curated, comprehensive and current.
By adhering to best practices for key process identification, rigorous testing and review, continuous monitoring, and universal accessibility, firms can be properly positioned to recover when processes are interrupted or disaster strikes.