Following the recent Asia haze crisis, Dave Dickinson, Principal at Aon Global Risk Consulting, considers how risk managers should tackle business continuity plans
Recent rains may have helped to ease south-east Asia’s air-pollution crisis, but businesses will be dealing with its impact for some time to come.
We have an inherent expectation that a crisis will not happen to us or to our organisation and that the organisation that we left on a Friday will be there as expected on Monday. But what will our response be if it isn’t?
We are all resilient until we are faced with a crisis and then we are tested. If you have not planned your response or approach to a crisis then the road to recovery will be longer, harder and more damaging. Customers, damaged by your failure, will seek new suppliers.
It’s becoming more important to understand your organisation in terms of how it functions, its potential failure points, and its upstream and downstream dependencies.
What and who do you rely on to complete your critical business functions, and what could cause a potential loss or failure?
Understanding reliance and potential points of failure of critical functions prior to a business-interruption event will result in faster recovery and increased resilience. But how is this achieved?
Business continuity management (BCM), if applied correctly, is the internal discipline that enables forward-thinking organisations to achieve improved resilience and competitive advantage.
It is not a process to be placed on the shelf until a time of crisis. It is an enabling process that provides your organisation with an internal discipline to analyse critical functions, and to identify potential failure points and design them out before a crisis. The objective is increased resilience.
It could be argued that some organisations have invested in BCM, yet they still fail. It is common to find that business-continuity investment is a means to another end, such as accreditation or compliance, or for an audit, or just because it is seen to be ‘the right thing to do’.
If the driver for the BCM investment is not purely for embedding business continuity as an internal discipline for the benefits that it can offer, then it will invariably result in one or more of the following negative outcomes:
• Plans not managed and/or maintained;
• Irregular or no testing, leading to lack of competence and capability;
• Lack of commitment at all levels;
• Complex plans with meaningless data;
• Inconsistency of application;
• Lack of approach at the site level;
• Lack of visibility at the corporate level;
• Failure points not being addressed;
• Failure to respond to a crisis;
• Damage to image and reputation.
Many business-continuity plans fail because they are over-engineered and over-complex; they are not maintained, they are not current, staff are not trained and they are not tested. Moreover, the plans fail to provide the team with the guidance on how to respond. As a consequence, damage and losses are exacerbated.
To bring this into focus, consider this hypothetical scenario: You are advised in the early hours of Monday morning that a major fire has occurred and that your head office is destroyed.
• How will your organisation respond?
• Who will contact whom?
• Where will they meet?
• Do they have access to the business-continuity plan?
• What is their approach?
• Who will advise your insurer?
This scenario will raise a multitude of questions, some of which may be answered with assumptions. If you are to build resilience and maintain your business-continuity investment, then you must ensure that you have the answers and the assumptions are tested.
The fundamental key is to test your plan (loss-recovery strategies) and your approach (your response).
Dave Dickinson, Principal at Aon Global Risk Consulting