IERP® Team No Comments

If Anything Can Go Wrong, It Will

What works and what doesn’t will become apparent and a system of measurement will emerge…

Every business needs a contingency plan because in today’s uncertain environment, the only sure thing is that sooner or later, the organisation will come face to face with adversity. It could take the form of the coronavirus, a natural disaster like an earthquake, flood or tsunami; systems could be hacked, data stolen, or fraud committed. In any scenario, the negative impact can be mitigated and disruption to the business kept to a minimum if there is adequate business continuity management (BCM) in place, and everyone knows what to do in the event of an incident. The practice of BCM is infinitely more difficult than its theory but getting it right is worthwhile because it may mean the difference between the company’s survival and its demise.

But what is BCM? It is, essentially, the efforts of the organisation to ensure its continual operation, regardless of any event, internally or externally, which disrupts these operations. It is the anticipation of what can go wrong, before the incident actually occurs, and a scrutiny of all aspects of the organisation using the Murphy’s Law approach – which means no stone can be left unturned when developing the BCM framework. All threats internal and external, need to be identified and the organisation’s exposure risk determined.

The components of BCM – disaster recovery, business recovery, crisis management, incident management and contingency planning – are always front and centre when BCM is discussed because these must come together if the organisation is to respond effectively to its threats. More importantly, they need to be aligned, which means they should be identified, discussed, agreed upon and set in place. The magnitude of BCM can be overwhelming but a good place to start is the development of a complete understanding of the business at all levels of the organisation. This includes getting feedback, monitoring, reviewing and updating business continuity plans in parallel with business operations.

What works and what doesn’t will become apparent and a system of measurement will emerge. Improvements can then be made based on these measurements as any plan must be customised to the organisation’s individual needs. BCM is about an organisation’s resilience, and how fast it can bounce back from adversity. Most subject matter experts see it as the effective application of common sense but when disaster strikes, chaos is usually not far behind, and common sense is often the first casualty. So, with that worst-case scenario in mind, businesses need to have strategies, plans and processes in place to keep themselves running, and to have a fighting chance of survival.

At the top of the To Do List is proper documentation. This includes allocating responsibilities to various members of the organisation in anticipation of any untoward events, and extends to prioritising which systems and processes need to be recovered in what order and timeframe. Resource allocation needs to be determined as well. Resources are inevitably limited, and it is a balancing act to be able to allocate them properly. This is where proper documentation and measurement come in. What can be measured can be managed, and what can be managed, can receive commensurate resource allocations.

These will go a long way to determining not only how much mitigation will cost but the risk appetite of the organisation, i.e., how much loss it is willing to tolerate. Why should companies go to these lengths? Because they are, by and large, looking for long-term sustainability (and if that doesn’t work out, at least short-term competitiveness) that will allow them to make some semblance of a profit. Plus, they need to justify the funds invested in the company. There is a myriad of reasons to have BCM. Internally, an appropriate business continuity plan will keep an organisation operational regardless of the kind of adversity it has to weather. Externally, it presents an organised, capable, responsible establishment that prioritises its stakeholders’ best interests.

This inspires public confidence in the organisation, which is of particular importance, considering the generally low public opinion of big businesses nowadays. The public needs to see that the organisation takes its responsibilities seriously, and is circumspect about how it spends investors’ funds. In order to disseminate this information, it needs to have the necessary communication skills, and be able to channel information correctly, not just to improve the firm’s decision-making processes in times of emergency, but to ensure the integrity and transparency of that process despite the chaos which ensues.

The lengths to which an organisation must go, to set in place BCM and a viable business continuation plan, are never wasted. In fact, they should be established in the hope that they are never used! Regulators require such plans to be in place, of course, but companies should see beyond the need to just tick boxes, and make these plans a part of their overall strategy, especially when applied to identifying potential pitfalls and hot spots. BCM actually helps companies confront their worst fears that spring from being unprepared for the unanticipated, by supporting them in their efforts to imagine worst-case scenarios – and work out the best solutions for themselves.