In recent history, the COVID-19 pandemic is so far the biggest global disruptive event. The pandemic has exposed myriad of procedure inadequacies and lack of strategy and good governance in organizations. While the strategies of some companies to sustain their operations went quite smooth, others were unfortunate, realizing that their procedures were incapable to adapt to the “new normal” caused by the pandemic.
In the new normal setup, many businesses have quickly shift to remote work when the COVID-19 pandemic struck, forcing the officer workers to stay at home and learn how to manage digital systems and conduct video conferences. In the case of many companies in Asia, the recent unforeseen crises have bared the shortfall of business continuity plans. Even for companies with existing management plan and strategy, their resilience during an operational and financial strain was tested as the lockdowns, restrictions, and supply chain interruptions left many companies in struggle to recover.
In this very unstable environment, a good leadership has been crucial. Even though the world emerges into a new reality after the pandemic, business continuity has become more challenging. The companies must now shift their efforts to the challenges of the recovery phase. Thus, there is a need for them to improve their governance, strategy, risk management, and crisis management to ensure their continued growth and sustainability.
Concept of Business Continuity Planning
Generally, business continuity plan is a document outlining the procedure how a company will continue functioning during and after a disruptive event. It involves a business-level, coordinated initiatives to protect corporate equities such as critical infrastructure and data from natural and man-made threats. It is considered effective if it allows an organization or company to continue providing services and delivering products amidst of a disruptive incident. Moreover, it is usually perceived as a section of the risk management of an organization. It is a subtheme centralizing on interruptions of business-critical roles through rapid events. It also usually includes crisis management components.
There is no business that is too simple or small for implementing a business continuity plan. The pandemic has showed that there is a need for all organizations to have a robust and updated business continuity plan. There are three main pillars of business resiliency ⸻ crisis management, emergency response, and business recovery. A robust business continuity plan shall address all of these areas.
The crisis management area should ensure that the business is equipped to respond to events that may cause reputation damage, company loss and/or damage, and operational outage. The emergency response area should include site-based concerns such as keeping the employees safe during emergency events. The business recovery area should cover the reestablishment of activities and processes to bring back a business into operations after a disruptive incident.
Risk areas introduced by the pandemic
Most companies around the world felt the impacts of the pandemic. Without their usual income flows, companies put on hold their investments in workforce, technology, and capital expenditures. Flexible work setup has also been implemented as counteractive measures and alternative coping mechanism such as reduced working hours and days, forced leave implementation, and rotation of workers. And these arrangements have introduced various new risk areas.
- Mental health risks- The COVID-19 pandemic has deeply changed the social life and working environment. The restrictions, lockdowns, isolation, uneasiness of getting sick, work suspension, and loss of income have jointly affected the mental health of people. The company should assess and strategize how to minimize mental stress of their workers.
- Outdated technology- The increase in use of technology has led technology companies to upgrade and develop more useful technology. Outdated technology in businesses can cause bigger risks than frustration. They can be more vulnerable to security risks and financial impacts. Thus, the company should invest in upgrading their use of technology.
- New or higher risks in cyber security– The increase in implementation of remote working setup has contributed to a new or higher risks in cyber security. The company should assess the readiness of their workers, evaluate current rules and protocols, and give recommendations in their IT support, access and communication, and remote access.
- Reduced cyber awareness- During the pandemic, the cyber criminals have taken advantage of attacking vulnerable people online. Since the workers had just shifted to online setup during the pandemic, some of them were not aware of the dangers online.
- Privacy and data protection- Since technology has greatly advanced and working remotely has given freedom to the workers, there is a possibility for unauthorized or stealing confidential data from the company. The company should revisit their policies on data breach.
- Fraud- As primary processes are affected by the changes caused by the pandemic, there is an increase potential for fraud. The company can exhaust the use of their data analytics to identify indicators and examine in real time.
Moreover, there are various reasons why companies have a hard time coping with short- and long-term interruptions to their operations, resources, and income gain. These companies usually consider their standard operating procedure and strategy and plan for emergency response as their business continuity plan. Thus, they are not correctly employing the procedures to avoid and adapt to disruptive incidents.
Companies with inadequate business continuity plans were caught off-guard during the COVID-19 pandemic and had a hard time recovering. For example, many companies were unprepared in coping with the vast increase in the demand on IT systems for remote work setup. On the other hand, the companies with robust business continuity plan have advantage in responding to risks, crises, and unforeseen challenges.
Characteristics and Priorities of a robust business continuity plan
An effective business continuity plan should be in harmony with the company strategy and attain the following objectives:
- Minimize costs and loss of income,
- Protect the employees and other assets,
- Prioritize the stability and recovery of crucial functions and supply chain systems,
- Minimize recovery duration,
- Ensure the active participation of employees,
- Provide cyber trainings; and
- Promote good physical and mental health.
Generally, it is important to identify what component is crucial and how the loss of such component will impact the business. The following should be identified when making a business continuity plan:
- Critical procedures, operations, and tasks
- Main internal and external dependencies (things, people, or business relied on)
- Roles and responsibilities
- Escalation and communication
- Other factors that can affect the business
A robust business continuity plan also prioritizes the following factors:
- People – Pinpoint and train back-up personnel for critical functions including the management.
- Equipment – Ensure that equipment is available and meets the needs of a company.
- Asset availability – Ensure that amenities, utilities, computers, tools, or internal systems meet the company’s needs.
- Accounting – Ensure that the company continues its finances, payroll, etc.
- Business obligations – Explore legal outcomes for level of service arrangements such as late delivery and non-performance.
- Information providers and partners- Ensure that the company maintains its good relationship with information providers.
- Business processes- Ensure that the systems and processes the company relies on can continue to function without disruption.
- Legal and regulatory requirements- Ensure that the company is aware of the laws and regulations requiring them to establish business continuity plan.
With years of experiences from management systems implementation to re-engineering business processes, ECCI helps organizations and companies to establish processes, resources, and guidelines based on the requirements of Business Continuity Management System (ISO 22301) to ensure the availability of critical functions and services to customers during any disaster situation and preparing them to achieve the certification. The main areas that ECCI focuses during the implementation are Current State Assessment, Business Impact Analysis, Risk Assessment, Development of Business Continuity Plan, Implementation of ISO 22301 standard requirements, and Development of Disaster Recovery (DR) Strategies. The experts in ECCI has also supported big organizations in the Philippines with an effective business continuity plan.
To ensure the readiness of your organization for the next disruption, visit BCMS Assessment (apexgloballearning.com) and take a business continuity management maturity assessment for free.