Business Continuity Management - Part 2.

Business Continuity Management is a topic that should be of concern to any organization, whether non-profit or for profit, whether small or large, whether a startup or a well- established and mature business; it is basically an integral component to your Crisis and Risk Management planned activities.

This article is the continuation of last week's posting (http://www.modernghana.com/news/703113/business-continuity-management-part-1.html) and it is just my personal view on the topic, coming from hands-on experience in several settings & organization and yes it is a topic very dear to my heart.

What is really the Value of a Business Continuity Plan?

Frequently people see the BCP as a regulatory or legal need and they fail to see any other benefits in all the investment of time, money, and resources that has gone into developing the Business Continuity Management Plan.

Besides the usual ‘theoretical blah-blah’ increased profits and productivity, market confidence, reputational protection, and employee morale, a Business Continuity Plans can provide an organization with the following benefits:

• Improved Supply Chain assurance.
• Making vendors better business partners since risk is ‘transferred’ to their operations too, ensuring that their own approach to business resilience best supports YOUR organization so you both can weather a crisis effectively together.
• Reduced insurance premiums and liability exposure.<-CFOs love this.
• Reshapes/re-establishes the corporate agenda and strategic approach to risk management. Risk management becomes a supporting element of business development and daily operations in all possible geographic footprints of the organization.
• Brings awareness and understanding of corporate risks and liabilities to all (via proper education/ training and testing cycles): clients, partners, employees, shareholders, etc...
• Establishes a culture that embodies a common vision and outlook/ ’method of attack’ for risk.
• Improves management and employee confidence and morale.
• Supports better business planning and practices.
• Ensures informed decision making to strengthen strategic plans and responses.
• Provides an evidence chain for investigations and audits.
• Meets industry, governmental, and other regulatory requirements.
• Protects directors and all other corporate officers against liability charges and claims.
• Aligns business with risk management to ensure effective business.
• Enhances business discipline and internal controls.
• Demonstrates duty-sense, care and sound management practices.
• Reduces reputational and liability risks, and protects both brand and investor confidence.
• Strengthens business continuity and recovery—improving productivity and profit levels.
• Ensures the identification and best use of organic and external resources.
• Defines the business strategy, including expansion, new market entry, and downsizing.
• Protect the company’s business and corporate interests.
• Safeguards Client Interests
• Identifies, Evaluates, and Assesses Risk
• Map risks and guides management responses.
• Deters, Avoids, Shares, Transfers, and Mitigates Risk
• Measures Enterprise Resilience (do you know of another way to do that?)
• Protects Critical Business Activities
• An organization-wide uniform terminology or Crisis & Risk Management (don't underestimate this)
• ….

What about Best Practices?
The World (or definitely the Internet, is full of them). But with BCP, because every business is so unique and because of the complexity involved, think of all the Best Practices as points of awareness for BCP-input that a definitive list of guidelines.

Remember to simple involve all people in your organization and go a proper BIA – Business Impact Analysis, going through several iterations of your BIA.

That simple!
.
What is BIA?
“A business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies. Potential loss scenarios should be identified during a risk assessment. Operations may also be interrupted by the failure of a supplier of goods or services or delayed deliveries. There are many possible scenarios which should be considered.

Identifying and evaluating the impact of disasters on business provides the basis for investment in recovery strategies as well as investment in prevention and mitigation strategies.”

You start by creating relevant BIA questionnaires and you initially interview the relevant managers and other employees –basically those with detailed knowledge of how the business manufactures its products or provides its services- within a given business unit or functional area.

You basically ask those managers and other employees to identify ALL potential impacts if the business function or process that they are responsible for is interrupted. The BIA should also identify ALL critical business processes and resources needed for the business to continue to function at different levels.

According to ISACA, the objectives of the BIA are as follows:

• Estimate the financial impacts for each business unit, assuming a worst case scenario.
• Estimate the intangible (operational) impacts for each business unit, assuming a worst-case scenario.
• Identify the organization’s business unit processes and the estimated recovery time frame for each business unit.

But possibly BIA, might be a good topic on its own for a feature article.

Can you do it “cheap”?
Depends on your industry- type and size of your organization. In most cases, make friends of your neighbors: for example, agree with another company a few buildings away that you both keep a spare room where the other can keep stuff and come and ‘stay’ there/ operate from there in case of an emergency So, if you got a partial flood in your floor, some of your employees can temporarily work, based on the premises of your ‘friendly neighbor’’. This is just a simple and most common example, but I am sure people come with several other creative ideas to reduce business continuity cost and risk.

Some personal stories.

• Both in 2008 and in 2011, my teams and I searched for a full business continuity solution/ site. We visited all major data centers in the Netherlands and Belgium. They all had impressive security set in place and unique solutions for implementing data recovery and helping setup a 2^nd active data center for the company we represented. When it came out to the full business continuity needs, the need for example to be able to host 15-20 people in their facilities for 20-30 days, with workspace ready/ setup and waiting for them to come, including 20 telephone lines, despite all good will, almost none of these providers were ready to deliver such a solution, although some of them were open to renting us some space so that we could do whatever we wanted with it. Strangely enough, no one of their other clients had ever asked for something like that! he only exception, the only company who really understood what Business Continuity is really all about and were ready to provide such a solution it was (and still is): IBM !! And no, I am not making any profit by mentioning that.
• In another situation, the client had a generator that could provide electricity for a few hours, part of a well- thought out BCP. But it took time for them to understand the need to invest in a battery- setup solution, so that for the few seconds that it takes for the electric generator to start and provide electricity, there will be no ’electricity disruption’ at all. Also, the idea of having and actively maintain 2-3 oil vendors, felt initially to them as an overkill.
• Having a sound BCP (which also implies that you have performed an excellent BIA) helps in getting or meeting all sorts of other corporate compliances and audits: e.g. WLA, ISO27000, ISO 38500 (COBIT), etc…
• Talk/ visit other companies who have gone through the BCP development- ’pains’ – even a competitor: don’t look for a set of online best practices; it’s not that simple. Also anyone in the organization has to be involved.
• And question all advise till it is very clear for you, that you get from any BC consultant. Very few have seen a disaster or participated in a crisis situation, so don’t rely on ’paper’- advise, please.

In Conclusion
Contingency planning and crisis investment (in money, time, and resources) should be considered a sound business practice and not another cost item. While difficult to justify the BCP expense in terms of possible cost savings, business resilience does increases long-term business activity, productivity and operational recovery from crisis situations and should be always considered to be a central aspect of all corporate strategic policy and planning functions.

Again remember: “Almost a quarter of all companies are likely to declare a disaster in a five-year time period”. From: Forrester Research, Inc. “Wake-Up Call: You Aren’t Ready For A Disaster,” February 9, 2011.

The BCP should be considered a living entity / tool that requires group support and buy-in throughout the organization in order to succeed when facing a crisis situation.

Time spent on business continuity planning is rarely wasted.

Thank you,
Spiros
.
About the Author: Spiros Tsaltas, a Top-Tier Management Consultant and a former University Professor (RSM MBA, CUNY, etc), is a seasoned Technology & Operations Executive. Spiros has hands-on experience on setting up all sorts of Startups both in the US and in Europe. He is an active transformational leader and strategist with extensive experience on Boards of Advisors & Boards of Directors. He is currently assisting a couple of Ghanaian companies with the setup of their Boards.

Spiros welcomes any feedback/ comments/ remarks/ suggestions via your email message to [email protected]

© 2016 Spiros Tsaltas