Expecting the unexpected: A business viewpoint
The Easter day bombings in Sri Lanka created a sense of deep fear among the citizens; it still prevails even one month after the incidents. Even in the business sector, these acts of terror have served to create uncertainty within the marketplace. Most analysts believe, if the trend continues for another few weeks, it can lead to investor apprehension and many other adverse financial consequences.
The Sri Lankan business community therefore now has to be vigilant and make arrangements to deal with the impact of this type of incidents in future. By remaining alert but not alarmed, they can reduce the impact of any future threats. The business community cannot be complacent hoping that there wouldn’t be any more attacks.
Business continuity planning
It is in this respect that the concept of business continuity planning (BCP) plays an important role in today’s business, whether they are small or big. Let us see what it really means.
If we are to take the phrase ‘business continuity’ for its surface value, the most obvious meaning would be the ability of the business or enterprise to continue operating as a going concern for a very long time. But the term actually means more than what the words literally mean.
The International Organisation for Standardisation, in ISO 22300, defined business continuity as the capability of an organisation to continue the delivery of its products or services, at acceptable pre-defined levels, following a disruptive incident. It implies the responsibility of the business owners and management for the business in ensuring that it stays afloat and ‘on course’ despite any obstacles or stumbling blocks it encounters along the way.
These ‘disruptions’ may constitute any major crisis from a terrorist attack to natural disasters such as flooding or fire. It can even include the pull-out of the main customer with 35 percent of the customer base and your marketing manager.
In fact, business continuity is to be about building and improving resilience in the business. Organisational resilience means that the business can weather any storm and withstand any hits and still remain operational, productive and profitable.
Preplanning: The preplanning refers to the arrangements, measures, tactics and policies designed to ensure continuity of business operations, so that critical products and services are still delivered to customers.
Resources: The second component refers to the resources or assets that are necessary for recovery measures, thereby supporting business continuity. These resources often include manpower or personnel, information, facilities, machinery and equipment, physical security tools, legal support and funding.
Steps in developing a BCP
1: Identify cost.
Prepare a tentative budget taking into consideration the expenses that may be incurred in the process of developing the plan. These include costs of research, trainings and seminars and other services sought in the process of moving the plan along.
2: Form BCP team.
Choose the people who will be assigned the task of planning for the continuity of the business. Identify their key roles and responsibilities. Define the lines of authority and accountability, as well as management succession. The leader can be a senior manager. There can be a programme coordinator, information officer, representatives from all business units, etc.
A team could have only five people on board or it could have as much as 20 or even 30 members.
3: Conduct a Business Impact Analysis
Conduct a Business Impact Analysis (BIA). A BIA includes an exploratory component to reveal any vulnerabilities and a planning component to develop strategies for minimising risk. The result is a business impact analysis report, which describes the potential risks specific to the organisation studied. It will also aid the team in gathering information that will be helpful when it comes to developing strategies that can be adopted by the company for its recovery from the crisis.
A typical BIA may include key business areas, critical functions of the business, resources required to ensure the continuity of these key areas and tolerable downtimes for each critical process or function.
4: Strategise and plan
Based on the results of BIA, identify response and recovery strategies and plans to address the effects of the disruption and present them in detail. It is in this phase where the team will provide details on the arrangements and measures that the company will undertake in order to mitigate threats. Cost estimates should also be included. That is how detailed this phase should be.
Write the Business Continuity Plan. First do the draft. Make adjustments. Retest and if satisfied, finalise. The plan must be tested frequently and updated when necessary.
6. Training and testing
The training programme or curriculum needs to be followed by the members of the business continuity team and the other members of the organisation.
Another important element of a business continuity plan is that it needs to be a solid working document where every aspect is constantly reviewed and updated in response to organisational changes in circumstances. To keep pace with issues as they arise, the plan must be formally owned by a member of staff who can take on the responsibility for overseeing arrangements and who possesses the authority to co-ordinate actions.
Whoever manages the plan will need to take full interest in almost every aspect of the business. From recruitment to IT policies, from outsourced services to new building and renovation work – there are security implications to almost every major decision.
The entrepreneur should also decide what should be protected and what their priorities are. The general categories are as follows:
(a) People – staff, visitors, contractors, customers; (b) Physical assets – buildings, contents, equipment and sensitive materials; (c) Information – IT systems, online transaction systems, electronic and paper data; (d) Processes – supply chains, critical procedures, production cycle.
The organisations need a clear consensus about those assets, which they regard as valuable and those they regard as essential. For example, (a) those assets which the organisation has a duty to protect – staff, client services, production systems, etc. (b) high-value assets that are worth additional or specific security investment, (c) unique assets which, though not necessarily of a high monetary value, would be difficult to replace.
How a business defends itself against a terrorist attack depends on individual circumstances. For most organisations the response will involve a mix of good housekeeping alongside appropriate investments in CCTV, intruder alarms and lighting that can deter as well as detect. In fact, many recommended counter-terrorism measures will help to protect against other criminal acts such as theft and vandalism.
Certain situations, however, may require more specialist equipment (parcel and mail scanning technology, for example) and organisations should seek professional advice for an assessment of their requirements and options before taking any major decisions.
If an attack by a vehicle bomb is a concern, the priority should be to ensure all unauthorised and/or unscreened vehicles are kept at a safe distance, ideally keeping cars at least 30 metres from the buildings and larger vans and lorries at least 90 metres away.
Access routes, car parks and surrounding open areas should also be assessed. Suitable traffic calming measures such as bends and chicanes and tested vehicle security barriers should be installed to create and enforce the appropriate blast stand-off distances.
The guidance about safe use of email at work is essential. The members of staff should be aware that their work email account should be used predominantly for work-related correspondence and private email accounts are not used to contact clients or forward/receive confidential information.
However, no single security response or level of investment will provide ‘total’ protection. Nor is it practical for a business to invest in every solution available on the market. However, an up-to-date business continuity plan and security plan can help to protect against the worst possible consequences.