Now that many companies have settled into the new normal — with staff working remotely and offices closed completely or operating below capacity due to restrictions from social distancing — the next looming danger is complacency.
One of the biggest initial lessons from the COVID-19 pandemic is that businesses cannot afford to let their guard down and must use every opportunity to address any operational challenges exposed by the pandemic. This means, now is the time for businesses to reexamine their business continuity and resilience programs. To help companies stay focused on business continuity management (BCM), Protiviti has released its Guide to Business Continuity & Resilience in a readily accessible FAQ format.
Additionally, at a recent virtual event, “Moving Forward with Business Continuity and Resilience,” Protiviti’s experts discussed how organizations are adapting their BCM plans to the current crisis and why it is imperative to continue to prepare for future disruptions. Below are some of the highlights from that event.
How the Pandemic Has Changed BCM
For most organizations, what was anticipated to be a short-term, work-from-home stint has become a prolonged period of flux and uncertainty, and crisis and continuity teams have adopted a number of measures to effectively deal with the disruption. Compared to normal times, today’s teams typically share information more frequently — at least a few times a week and sometimes multiple times a day — and react to unscheduled triggers with more urgency.
In a sign that organizations are placing a greater emphasis on BCM response than in the past, many teams have adopted the habit of integrating after-action reports into a continuous improvement program. Additionally, companies are reevaluating their crisis command centers to gauge their performance, including whether or not the teams are monitoring relevant information and how effectively they are responding to needs in different locations. Many companies are also beginning to talk about incorporating change management into BCM programs.
Some organizations are evaluating the full cycle of the BCM response to disruptions. The practice extends planning beyond the initial reaction to an event. For example, rather than focusing primarily on moving to an alternative site after a business disruption, the organization would also focus on how to return to normal business operations. This is a key consideration today as many businesses contemplate a phased return of workers to the workplace.
Planning for Multiple Emergencies
Having experienced the COVID-19 pandemic firsthand, BCM planners can no longer downplay the potential of any type of national or global catastrophic event, nor should they shy from planning for multiple incidents occurring at the same time or in rapid succession. New crisis and continuity plans should consider how future events could affect remote workers and workplaces at the same time, particularly from a technology, cybersecurity and regulatory point of view.
The days of sitting in an office and opening a physical binder that contains a crisis management plan are all but over. If they haven’t done it already, BCM teams need to ensure that plans are available digitally and accessible from anywhere on mobile devices. This includes establishing access levels for appropriate personnel.
Planning for Third-Party Risks
Third-party risks have always been a top concern of business leaders; however, the pandemic’s severe disruption to supply chains has only amplified this risk. From a BCM standpoint, companies should consider redesigning supply chains to be more agile, including identifying alternate sources of supply, reshoring operations where necessary, moving manufacturing closer to the point of sale, and automating processes. The supply chain redesign should also focus on eliminating single-source vendors and concentration risks.
Also, organizations should apply more discipline and rigor in the vendor assessment process, including performing due diligence on third parties’ BCM plans and establishing a predefined supply risk strategy that anticipates problems. It may be necessary to incorporate predictive indicators, impact analysis and scenario planning as part of an effort to enhance overall supply chain visibility and resilience. Be prepared for added costs when pursuing these endeavors.
In this dynamic environment, organizations are also concerned about BCM oversight — who should own crisis management and continuity planning? Often, designated executives provide top-down guidance and dedicate the resources to facilitate the program. Owners are typically underneath these executives and include department heads and leaders tied to the overall company strategy. The next layer of personnel, BCM coordinators, are responsible for performing many of the tactical activities.
In April and May, many organizations were mobilizing their existing BCM teams or forming new crisis management teams to guide the response to the pandemic. Those mobilization activities provided confirmation that the companies had representation across all critical business units, including operations, human resources, finance, legal and IT.
Traditionally, many companies have taken a process-specific view when considering the impact of disruptions and how they should inform BCM plans. However, organizations should consider zooming out and determining if those processes are effectively represented within the BCM program to ensure the continued delivery of products or services to customers.
Another element to evaluate is how the planning process aligns with the governance structure of the program. In general, individuals on continuity and crisis teams who make decisions and communicate with their respective team members should play an important role in business resumption planning.
Improving the BCM Program
Given the differences in organizations and how they view their risk profiles, there is no single correct way to perform or govern business continuity and resilience planning. Protiviti takes the view that a good plan today is better than a perfect plan tomorrow. Still, it is important to continuously improve the plan, and one of the best ways is to incorporate a feedback mechanism within the BCM program.
Business leaders should avoid focusing on one specific crisis when reviewing a BCM program. Instead, they should utilize the organization’s business impact analysis to determine broader vulnerabilities and select strategies to mitigate them. It is important to also examine how a crisis will make the organization stronger or “antifragile” versus simply aiming to get back to normal following a disruptive event.
The pandemic has given companies the opportunity to not only assess the performance of their BCM programs but to also make sure that the structure and strategies are in place to anticipate and respond to the next event. For more information on these topics, please access a replay of Protiviti’s BCM webinar and/or visit our business continuity guide.