Throughout this series, Compliance officer Derek Smith will address key aspects of a robust Business Continuity Plan (BCP) inclusive of how to develop a BCP, identifying what internal and external factors should be considered in its implementation, and corporate governance surrounding BCPs.
By Derek Smith Jr
Since the onset of the COVID-19 pandemic and increasingly after the first release in this series, I have had numerous conversations surrounding business continuity plans (‘BCPs’). What was evident were apparent deficiencies surrounding scenarios other than cyber-attacks and natural disasters.
Firstly, its eminently important to distinguish bet ween BCPs and disaster recovery plans. A BCP is simply a strategic management process aimed at minimizing the social and economic fallout in a company due to disruptions in normal business activities. On the other hand, a disaster recovery plan is one singular aspect of a BCP that primarily involves restoring essential systems and processes post a disaster.
If your company has no business continuity plan or one that has not been recently updated, let’s discuss key aspects needed to produce and implement a viable business continuity plan.
Team Roles & Responsibilities
Identify key staff at every level of your organization. Unfortunately, it is too advantageous to imagine that during a crisis your organization can sustain all employees. However, plan based on pivotal roles and responsibilities. Your BCP team should include representation of your organization’s executive leadership, human resources, finance, information technology, legal, business and/product lines and regulatory required positions. Ensure that team leads are identified, aware of the responsibilities for themselves and their teams. These teams should be involved in ongoing planning.
Risk Assessments (‘RA’) & Business Impact Analysis (‘BIA’)
Pinpoint risks that are both inherent (automatic) and residual (after mitigating controls are implemented) – then amplify them. Forbes senior contributor Chloe Demrovsky in a recent article noted and I agree, “you should think about how you can continue to operate if 35-40 percent of your workforce is out sick.” I must add that a BCP without both an RA and BIA is ultimately planning to fail during a crisis. An organization should simulate various treats to their business such as man-made disasters, utility failures, cyber-security attacks, natural disasters, intentional sabotage and endemics that can heighten to pandemics. This allows the organization to identify deficiencies in both risk mitigation strategies and core business functions allowing you to design the most logical and realistic plan while keeping in mind the associated risks.
Identify Objectives and Set Goals
This may seem like a no-brainer but, identifying objectives and goal setting without the adequate components could be the deciding factor on whether in a crisis your organization pivots or perishes. One important component of this area is your BCP budget and how long can it be sustained. Also, what are the milestones of your plan and how are they going to be tracked.
This aspect of a BCP is often taken for granted but I would argue that it is equally as important as any other element of your plan. Your plan must have messages that are tailored to your various audiences, such as regulators, internal customers, external customers, news media, suppliers, survivors impacted by the crisis and their families and others. Pre-scripted information should be utilized based on information gathered during your risk assessments and business impact analysis. Communication skills will be paramount in identifying key persons internally or externally to lead a communication and information center or team.
Plan Implementation & Testing
After you have already set your goals, assessed risks and business impact, selected your key team members and developed your communication plan you must implement prevention strategies, response strategies and recovery strategies. The creation of a BCP will not be suffice unless it is tested.
Finally, appreciating these fundamentally crucial steps will ensure that your enterprise is as prepared for a crisis. In crisis your leadership together with the company’s management, communication and planning will set the tone for employee loyalty, customer satisfaction, regulators and other authorities’ confidence in your organization and inevitably your organization’s survival through and after COVID-19 and other crises.