The old Slovenian proverb goes:The fed crow does not believe the hungry crow. I often think of it when we talk about business continuity management or more specifically the likelihood of serious business interruptions. The possibility of events such as a large-scale earthquake, a prolonged power outage, an epidemic or pandemic across the country, a terrorist attack and the like, in normal circumstances, seem very distant, which is why the common reaction is that this simply cannot happen to us.
Whether such reaction is the result of strong optimism, or perhaps just a sign that people, in general, wish to avoid thinking about the potential complex problems that the future may bring, is a question for some other blog. This, however, is not a case with business continuity experts who in the majority of their time think about how to respond if any of the likely scenarios really do happen. Even more, on the basis of business analysis, we also outline an economically sound strategy, prepare concrete plans, regularly test them and educate the stakeholders involved.
Unfortunately, we are precisely in the midst of a time when one of the very unlikely scenarios came true. The epidemic has plagued much of the world in a relatively short period of time. It has affected people both personally and professionally, as well as the business world. For businesses, the response to the unexpected situation was, and probably still depends on preparations made in the past. Organizations that have prepared well in ‘quiet times’ are likely to find it easier to switch to crisis modes. In other words, those organizations that had a good business continuity plan in place which they also regularly updated and teste, are now probably relatively stable. Of course, things are not so simple, since the impact of the epidemic also depends on other factors such as type of industry, degree of computerization, dependence on procurement or logistics etc.
Nevertheless, we are now all in this very specific and unique situation that requires us to respond accordingly. With this blog, we want to give you some useful tips that could help you keep your business, stay on the market, meet your commitments, maintain an acceptable social level for your employees, and maintain a good image of your organization.
1) DETERMINING THE SCOPE OF THE BUSINESS
When we are struggling to re-establish our business after the outage, we usually have to decide on its reduced scale. The reasons for this are different and include everything from a reduced market, limited supply of raw materials, the need to limit costs to the reduced capacity of the reserve location, unavailability of staff or resources or limitation of customer contacts etc.
We advise you to evaluate your processes and activities against criteria that are relevant to your business. Take into account the effects of the inactivity of individual processes on the loss of market share, legal and other obligations, revenue structure, the reputation of the organization and the like. Sort the processes from priority to least priority by rating. Choose those lower priority processes without which you can continue your business. When prioritizing, keep in mind that a seemingly less important process may be essential to the operation of some high priority process. In high-priority processes, evaluate which resources are essential for their operation. Ensure your decisions are made with the latest available data.
If you are managing the critical infrastructure of the Republic of Slovenia or European critical infrastructure in the territory of the Republic of Slovenia, you should also consider your obligations under the legislation and regulations in this field when assessing the level of priority of processes.
2) MANUAL PROCEDURES
In case of partial or total unavailability of information technology assets, establish the manual implementation of emergency procedures. Keep in mind that it may be necessary to provide additional resources such as calculators, paper, blocks, forms, pens, printers, local workstations, local software versions, even additional workforce and more. Make arrangements with suppliers and be prepared to pay with cash. Provide additional logistics and temporary staff. Ensure safe storage of paper records and plan electronic data entry as soon as possible.
3) CRISIS MANAGEMENT
Establish crisis management. It differs from normal management in the way that crisis management contains several elements of operational management, decision-making and implementation in the field, accurate implementation of the crisis management plan (if it exists) and requires multi-level communication and demanding coordination of simultaneous activities. Crisis management may be carried out by existing management, but in practice, it appears to be appropriate for crisis management to have a designated team of a different composition, which is given powers only when a crisis is declared.
The qualities of a good crisis leader include, among other things, the ability to make quick and responsible decision-making, the ability to act judiciously and with a sense of risk, the ability to communicate clearly and decisively at all levels and in emergency situations, a sense of involvement of experts in various fields, a person with a high level of confidence and, last but not least, someone who is charismatic. In crisis management, we are closer to command (within the scope of powers, of course) than to executing normal business decisions.
If police, firefighters, or civil protection are involved in a given situation, give their guidance to any lawful request
In emergencies, new and less-than-usual decisions are made, so circumstances can change quickly. Decisions and accompanying information must be clear and concise and must reach the contractors as soon as possible and without distortion. Provide communication channels to enable this. If conventional channels of communication, such as telephony, e-mail or conversation applications do not work, establish alternative routes, such as couriers, radio stations, and the like.
Make a list of all the target audiences you need to address in times of crisis. These can be employees, their family members, neighbours, partners, executives, supervisors, customers, shareholders, regulators, the media, nearby residents, local communities, public authorities and the like. Determine the method and specifics of communication according to the target audience and empower a narrow circle of staff who can communicate. Post as much information as possible on your online media that can be directed to interested audiences.
Pay particular attention to communicating with the media. Identify a person or a narrow circle of people who can communicate with the media and do not allow others to freely do so. Have pre-drafted press release templates. Coordinate important statements with management, legal service or crisis management. Request authorization for all posts if possible.
If the event requires involvement with police, firefighters or civil protection, clearly provide any information they require and are authorized to access.
For larger-scale events, monitor the operation and decisions of crisis management and authorities at the municipality or state level. Make someone in charge to monitor this type of information, and determine how they report to management or crisis management.
Keep an eye out for any fake news that comes up in connection with the important events or/and the industry you are in, or possibly in relation to your organization. Speak out about them and deny the negative news with facts and argument.
5) WORK PERFORMANCE
Performing work at primary location
If work can continue in the primary location, depending on the situation, check what additional steps you need to take to ensure a safe and unobstructed flow of activity. In the event of a pandemic contact restriction, make sure there is adequate work space, protective masks, disinfectants, protective panels, the maximum number of people in the room, preventing physical contact or approaching, resting due to additional loads and the like.
Performing work at another location
When the primary location is not suitable for continuing the business, organize work at another location. This is a challenging task and is practically feasible only if the backup location was planned and established during normal conditions and a business shift plan is in place.
Work from home
Work from home is an alternative to those business processes where most activities take place in computerized workplaces using a PC. In doing so, staff need to be provided with laptops or agree to use their own personal computers at home. Appropriate infrastructure for work from home should be provided. This is primarily about secure internet connectivity, either via an existing home connection or through an organization-provided mobile connection. The connection must be protected by appropriate secure technology such as VPN or HTTPS. The home-based IT environment in which the work takes place must also be of a sufficiently high level of information security. Because the organization does not have much influence on this, it is necessary to educate employees in the safe use of technologies.
When working from home, agree on the method and form of compensation for using the employee’s resources for the purpose of doing business.
In circumstances where people cannot be contacted (an epidemic, for example), it is of the utmost importance to establish alternative channels of communication and collaboration. There are many software tools that make it possible to work together. If you have not used these tools before the emergency, identify the right person to evaluate the current offer and suggest a choice. Make sure you have clear requirements as to what functionality you need and what licensing model is right for you. If necessary, organize a quick training to use and adapt to the new way of working.
6) ASSESSMENT AND SYSTEMATIC RECORDING OF DAMAGES
Keep up to date documenting of any damage caused. Specify the data set that is required to maintain the damage event documentation. Evaluate financial and non-financial impacts with each damage, try to introduce a meaningful classification that will allow for detailed analysis, note the timing of events, state the actions taken, and update the data over time. The data will be very useful in assessing future risks, in enforcing insurance benefits, in potentially exercising rights under other contracts, in claiming state aid, in analyzing existing risks and measures, and in planning and improving business continuity.
If legal action is possible, identify and secure the evidence as much as possible.
7) HUMAN RESOURCES MANAGEMENT
If an emergency dictates a reduced volume of business, compile a list of full-time, part-time, shift, on-call and off-staff. Consider the additional responsibilities, priorities, and powers of staff who have roles in the business continuity plans.
It is very important to know and take into account the personal circumstances of the employees when planning. Regardless of the level of motivation and affiliation with the organization, it is expected that employees will put their loved ones, their own safety and their assets first. Work with your staff when planning your business and be aware of their personal needs and potential distress.
Be aware of labour law legislation regarding pay for increased or reduced work and non-working staff. Personnel reduction should be a last resort and carried out in accordance with the regulations and in cooperation with the affected.
If necessary, provide adequate additional security for the place where the business is conducted and for the protection of the stationary location. Take care of both physical and information security.
9) RETURN TO NORMAL BUSINESS
Plan for a return to normal business already during an emergency or situation. Review the primary location and resources for conducting the business, and evaluate the potential scope of work and costs to return to a functional state. Prepare an activity plan to prepare your primary location and procedures for setting up all activities in the usual way. Include primarily non-working staff in crisis plans and procedures.
After the announcement of the end of the emergency, determine the termination of crisis management and execute the plan and return procedures.
Prepare and initiate claims for insurance reimbursement and other reimbursements to which you are entitled.
Conduct an analysis of events, responses, harms, consequences, good practices and mistakes. Take corrective action based on this information.
Review the risk management process to determine if you have previously identified the events that caused the interruption as risks. If so, check that you have satisfactorily evaluated them and taken the appropriate action. In any case, update the risk register since you have a lot of new and concrete information.
If you have a business continuity system, review the performance of each individual component. Find and implement any enhancements. Expose good performance.
Provide emergency response and performance assessment to all employees. Praise those who have done their duties well. In the case of deficiencies, do not blame individuals, but identify ways to improve the system.
To conclude, emergency response is much easier and more effective when we are prepared for it. A business continuity system designed, set up and tested under normal circumstances will certainly make it much easier to deal with the brutal business disruption such is the current epidemic.
The Silver Bullet Risk team has extensive experience in business continuity planning in accordance with the guidelines and requirements of ISO 22301.
Do you have questions about financial and/or operational risk management, loss management or business continuity and you can’t find the right answer on your own? Sign up for an online meeting and find out if how we can help you:
Božo is an experienced consultant with a proven history of working in the fields of information technology, communication and service industry. His expertise lies in information security management, and software architecture design and development, and is successfully converted into Silver Bullet Platform.