Understanding effective business continuity management
Effective business continuity (BC) management in a crisis is all about preparation. The use of robust research techniques, deployed both inside the organisation and externally, helps to identify any potential threats. Internally, business impact analysis is used to identify which of the organisation’s products and services are most important and why, based on criteria known as strategic impact factors. These impact factors, which include legal, regulatory, financial, reputational, contractual and future business objectives, each have threshold limits based on the organisation’s risk appetite. Once the company understands what may be internally at risk and defines its BC management scope, further research can be undertaken to establish what processes and activities enable the in-scope products and services to be delivered.
External threats can be identified using horizon scanning, which aims to systematically explore the exterior environment to better understand challenges relevant to the organisation. Horizon scanning has three primary objectives. One, detecting important economic, social, cultural, environmental, technological and political trends. Two, identifying potential threats for the organisation implied by the trends and carrying out risk assessment to gauge the impact and likelihood of those threats being realised. Three, determining an accurate understanding of the organisation’s capability and capacity to deal with the threat.
Having compiled a list of tangible risks, such as potential crisis causational scenarios and BC requirements (the residual gap between the organisation’s aspirational resilience level, as outlined within its BC policy, and its true level), it’s time to start planning.
I have a very simplistic view of planning. Causational scenarios will stimulate contingency plans. BC requirements generate generic BC plans. BC plans focus on impact and not cause, because causes are infinite. BC plans may have to deal with very diverse incidents ranging from simple frozen pipes to the aftermath of terrorist attacks. BC plans are therefore generic and cater for the loss of the enabling components of the organisation’s most important products or services. These include people, workspace, utilities, equipment, consumables, IT, communications, logistics, suppliers etc.
By dealing with the loss of the enabling components, a collection of generic, data-rich plans can be developed that can cope with a much wider range of previously unidentified risks. I find most organisations understand contingency plans but very few, including many resilience managers, truly appreciate the theory behind BC planning.
Both sets of plans require skilled response teams to manage the crisis utilising the appropriate plans, and this is an area where some organisations are doomed to fail even before the crisis strikes. Without response team training and exercising at strategic, tactical and operational levels, the organisation cannot possibly recover successfully. The company might have the most gifted business minds on the planet, but crisis management is not business; it challenges people’s hard and soft skills simultaneously, at a very fast pace, whilst they are suffering from unusual amounts of stress.
Training and exercising from crisis management experts is essential if the organisation wishes to prepare itself for when the inevitable crisis happens. I find many BC managers have little or no crisis management experience, and therefore struggle to build good response teams within their organisations. The company may have amazing plans, but without a dynamic, fully prepared response team the chances of effective, timely recovery are limited.
Unfortunately, most organisations still think that crises are large sudden impact events and forget the ‘creepers’, as I call them: the rising tide events that start small, are managed poorly and then escalate to crisis status. One of the most recent examples of a ‘creeper’ is the Harvey Weinstein scandal (for scandal read crisis), where allegedly he had been sexually harassing company staff and film stars for decades. It is claimed that many people knew of his unacceptable behaviour but due to his power, position and Hollywood culture it went unchallenged. When it was finally exposed by the New York Times and the ‘Me Too’ movement it was all too late, and no plan was going to save The Weinstein Company. 21st century organisations all have appropriate behaviour and whistleblower policies, but how many have skeletons in their cupboards just waiting to be exposed?
Crises are by definition unpredictable and this is where an organisation-wide decision model is critical for success. As Helmuth von Moltke the Elder said, ‘no plan survives first contact with the enemy’, meaning plans are created with best intentions but in a sterile environment, and the real world isn’t sterile. Plans should be treated as a basic framework for recovery, not as the ultimate beginner’s guide. I use a decision model which I developed when writing UK policing’s BC plans back in 2004 and now revised as the JESIP Joint Decision Model. It is, however, critical to embed whichever model is used within the fabric of the organisation and ensure it is practised and used regularly.
One of the most misunderstood areas of crisis management is the transition from crisis back to business as usual, or the ‘new normal’ as it has become trendy to call it during the current Covid-19 crisis. Many organisations seem to think that there will be one magical moment when the crisis just stops, and everything gets back to how it was before. In reality, responders need to start thinking about the recovery phase early in the crisis timeline, as the response and recovery stages need to overlap and then dovetail, with the first transitioning out as the latter gains momentum. If, however, the crisis has caused loss of life, reputational damage, or impending legal / insurance claims, the recovery phase may well morph into the aftermath phase, which also needs to be carefully considered and planned for.
An often neglected activity when crises are coming to an end is the debrief. Often response teams are tired and just want to stand down. But without mandatory debriefs at critical stages from crisis to recovery and beyond, important intelligence will be lost forever. Quick and dirty ‘hot debriefs’ can be used at all levels of the organisation to collect vital evidence of crisis management performance using the simple three-question model: ‘what did we do well’, ‘what didn't we do well’ and ‘what would we do differently next time’. This hot data can then be collated and, when things have calmed down, analysed to establish what really happened during the crisis chaos. Following the analysis, a report should be written capturing a summary of the feelings of the participants, accompanied by an action plan including recommendations, in an attempt to continually improve the organisation’s crisis response procedures.
In conclusion, I want to quote Steven Fink who said: ‘If crises have taught the world anything, it is that a crisis in business can occur today with little or no warning, anywhere, anytime. It can happen to any company, large or small, public or private. The safest assumption is that a crisis looms on your horizon’. So you better start preparing!
Written by James McAlister, former chairman of the Business Continuity Institute.