“By the time you hear the thunder, it’s too late to build the ark.” – Unknown
In today’s global economy, organizations don’t have to be in the same region of the world for their operations to be affected adversely by a catastrophic event. A prime example: the Tohoku earthquake in Japan in 2011, and the tsunami and nuclear crisis that followed. Simply consider Japan’s dominance in the auto and semiconductor industries, and it’s not hard to imagine how these events created ripple effects for companies in Europe, the United States and elsewhere. Many leading businesses suffered losses in the millions – and some in the billions – due to the triple disaster in Japan because they had assumed risks in their supply chain from which they could not recover on a timely basis when the “unthinkable” occurred.
Business continuity management (BCM) is an overarching strategy encompassing crisis management, business recovery planning and information technology (IT) disaster recovery.
Extreme weather, systems failures, cyberattacks and pandemic risks are just a few examples of plausible adverse events that can occur. In 2012, natural disasters alone accounted for $186 billion in global economic losses, according to a report by insurer Swiss Re.
Nobody can predict when the next disaster will strike or, importantly, whether it will impact the footprint of a company’s operations, including its upstream suppliers and downstream channels. That said, companies can prepare by making BCM part of their risk management strategy.
In December, Protiviti published the third edition of our Guide to Business Continuity Management. While it offers a much deeper dive than this blog allows, to start this conversation, here are some elements of a good contingency management program:
- Program design and deployment – Comprises policies, standards and responsibilities for each key area: crisis management, business resumption and IT disaster recovery.
- Business impact analysis (BIA) – Represents recovery objectives for business processes and technology, with business and economic justification for each.
- Risk assessment – Identifies and prioritizes threats and failure scenarios to which the organization may be vulnerable.
- Strategy design and implementation – Establishes a cost-benefit analysis of the organization’s needs, and driven by the result of the BIA and risk assessment.
- Documentation – Encompasses response, recovery and restoration procedures to enable effective business continuity operations.
- Testing – Validates and continuously improves continuity strategies and plans.
- Training – Keeps business continuity plans “top of mind” for employees.
- Compliance monitoring and audit – Ensures compliance with business continuity standards.
That’s for starters. We also find that most companies want some savvy lessons learned based on the experience of others who have faced catastrophic disasters and significant disruptive events:
- Decentralize core IT functions, so that if any one location is effectively wiped out, other sites can perhaps pick up the slack. While redundancy costs, it can save the day when the unexpected happens.
- During business continuity planning, consider all scenarios stemming from the impact of losing strategic sources of supply for a period of time as a result of natural disasters and terrorism. Assess the immediate impact to the supply chain (e.g., specific suppliers, products and markets) both in terms of supply outage and financial impact, determine expected recovery time following disruption, and implement pre-defined and tested response plans to minimize the impact.
- If the unthinkable were to happen and affect a single source supplier or strategic supplier on which the company relies:
– Supplier relationships honed over a period of years cannot be replaced overnight with an expectation of comparable performance levels. Strategies to expedite the recovery process include identifying alternate suppliers or contract manufacturers that can assist following a no-notice manufacturing or logistics disruption.
– Engaging alternative suppliers may require changing product specifications or working closely with other key suppliers to develop alternatives, and may carry risks of quality issues that must be managed carefully.
– Contingency planning might also point to the merits of inventory buffers to protect against the uncertainties of supply and demand, maintain customer service levels, as well as prepare for unpredictable events.
- Don’t rely on government assistance. As you conduct BCM plan reviews and exercises, search for unspoken assumptions about the availability and timeliness of government assistance. It may not be what you expect or need.
- Plan to relocate employees to a recovery site or assume they will be unable to come to work in the days following a disaster. Some low-wage workers will simply never return, so you need to have a strategy for replacing them.
- Provide early response to facilitate a faster recovery. When a natural disaster appears imminent, encourage your employees to relocate early, increasing the likelihood they’ll find accommodations as close as possible to the recovery site.
- Give employees a reason to stay close and help you rebuild. Employees’ first concerns will be their families and homes, so develop and communicate an assistance plan in advance.
- Make plans in advance for transportation back to the main work site. Air, rail and bus traffic may be compromised for months after the event.
- Stick to your plan. When disaster strikes, many enterprises fail to follow their continuity plan, often because the plans are too detailed or unfamiliar to the people who actually have to carry them out. Evaluate your BCM plans to ensure that the information is complete, accurate and actionable. Subject-matter experts should be involved in that review.
As you put your BCM plan into place, remember that you don’t operate your business in a vacuum. Even if your physical plant and human resources have been restored to functional status, supporting infrastructure — including sanitation, utilities, mass transit, telecommunications, hotels and restaurants — may not be fully restored for many weeks, even months. Do what you can right now to make sure everyone else’s recovery efforts don’t negatively impact yours.
That’s a few thoughts. Anyone out there have any experience actually implementing a business continuity plan in a difficult recovery situation? Anything else you think should be added to the dialogue? Please share your experiences in the comment section below.