By NIGEL HEE
Fires. Pandemics. Ransomware. These are just three examples of unexpected events that may hit a business at any time. No firm big or small, listed or unlisted, is immune to unexpected events; of note is the current Covid-19 pandemic that was first recorded in Wuhan, China, that has since gone on to affect the global economy.
Many businesses in Singapore and the region, having experienced the SARS epidemic in 2002-4, should have Business Continuity Plans (BCPs) in their business strategies arsenal. These BCPs are meant to address the disruptions to business caused by unexpected events such as the current pandemic, and government guidelines on social distancing. But what constitutes a BCP? What aspects should be considered? What should you do once you have a BCP in place?
In this article, we outline why having a BCP is critical, what it constitutes, and the basic steps to creating one.
Any disruption in routine business operations may have a severe impact on multiple aspects of the business. When the Covid-19 epidemic grew to pandemic proportions, the Singapore government announced social distancing measures for workplaces, among other venues. A “circuit breaker” was put in place from April 7 to May 4 to stem the spread of the virus. This was later extended to June 1.
This simple-sounding measure of keeping a minimum distance from the next person has far-reaching implications on business operations when viewed from an operational perspective: some offices are just not physically big enough to seat employees far enough from each other. This would also mean that face-to-face discussions and meetings are no longer feasible, and even taking public transport to work becomes an exercise in risk management on a personal level.
Such disruptions can lead businesses to re-examine how they need to adapt to continue operations. Businesses that rely on physical interactions, such as restaurants and cafes, had to switch to an online delivery model quickly. Factories had to reduce the number of people on the production lines at any one time, affecting production capacity and schedules. Two potential impacts from these changes are financial and reputational losses arising from an inability to maintain expected sales and service delivery standards.
Some organisations, such as banks and public transportation companies, may face pressures from regulatory bodies to maintain certain minimum benchmarks of delivery standards, while the need to sustain customer confidence and market value are perpetually present. One may even argue that the latter two are even more critical in times of sustained and widespread disruptions.
To contend with these pressures and mitigate the risks, businesses must therefore have reliable infrastructure – physical and information technology (IT) – and processes that are able to transition seamlessly. This is where having a BCP will allow the organisation to weather the disruptions and maintain its competitiveness.
“While we don’t expect full-scale BCP to be done very frequently, a broad-based organisation-wide BCP, including the overseas units, would be very useful in most cases,” recommends Willy Leow, Partner and Head of Risk Advisory Services, BDO LLP. Mr Leow is a Chartered Accountant of Singapore, or CA (Singapore), and a member of ISCA’s Corporate Governance and Risk Management Committee.
In general, a BCP specifies how an organisation will continue its operations during an unexpected period of disruption to its normal routines.
“BCPs have always been about being prepared. Predicting the actual scenario is not the end goal. It is more about being prepared to react, whatever the situation. A good BCP has the steps in place to guide the management team navigate through the crisis,” explains Ang Fui Siong, CA (Singapore). Mr Ang is also a member of ISCA’s Corporate Governance and Risk Management Committee.
A typical BCP has the following three key components:
1) Business impact analysis
A business impact analysis identifies the impact of a sudden loss of business functions and is typically quantified into a cost. This is fundamentally a process of determining which business processes and activities are critical, and which areas are vulnerable to disruption. The next step is to uncover the resources required to support these processes and activities. Finally, the business impact analysis should also quantify the impact of disruptions on service delivery, and the time and resources required for affected operations to recover.
For example, a business impact analysis for a factory would identify its supply chain of raw materials together with its manufacturing capabilities as two of its critical functions. The logistics to transport the finished goods, manpower to run the machines and IT resources to coordinate its machines and manpower are also critical to this factory. A major disruption to its supply chain could be costed at $10,000 a day due to a lack of raw materials to produce finished goods, while having to cap manpower at 50% on its production lines could then cost another $5,000 since it would be unable to run at full capacity. Other costs, direct and indirect, should also be factored into the calculations.
“The analysis can be done across the ‘likelihood’ and ‘impact’ categories. They can be based on estimates but should include both financial and non-financial impacts. BCP managers will need to consult their internal subject matter experts and clear the business impact analysis with the organisation’s management and Board of Directors. However, it is not about having a precise financial impact number. An organisation should focus on the top few plausible disruption scenarios and not all the possible scenarios,” elaborates Mr Ang.
2) Identifying critical functions
The next step in crafting a BCP is to identify critical business functions and the dependencies across these areas. To achieve this, a Business Continuity Manager should first be appointed, with the primary role to ensure that the BCP is executed and adhered to.
This individual would monitor the situation and work with management to disseminate information and instructions to employees. The Business Continuity Manager may also be a point of contact for external stakeholders such as any regulatory or licensing bodies or concerned clients and vendors.
Typical critical business functions within any organisation include human resource management, vendor and customer management and communications. Human resource management will begin with the Business Continuity Manager working with senior management to develop a detailed plan for the continuity of leadership and decision-making. For rank-and-file staff, provisions in the BCP such as remote working, scaling down of work events and staggering of work hours will have to be communicated to them. It will also be vital to inform all staff of any additional assistance available to them during the disruption.
Managing vendors and clients is also an essential part of the BCP. The organisation must attempt to diversify their vendors to ensure a constant supply of resources, and work with them to establish alternative delivery modes. Essential customers should be identified, and their needs factored into the BCP, such as catering for alternative service delivery modes. For example, farmers in Malaysia did not have any means to transport their produce because of a Movement Control Order and thus had to throw away much of their produce. This is a direct contrast to shortages seen in supermarkets across the world.
Communications is of paramount importance in the BCP. No amount of planning would be sufficient if the lines of communications are non-existent or constantly clogged. As part of an efficient BCP, organisations should appoint a Communications Manager – separate from the Business Continuity Manager – whose responsibility is to ensure that staff understand the lines of communications in the BCP. For certain events where the personal safety of staff may be threatened or if staff need to be isolated, the Communications Manager must set up a channel for staff to report their status or to make relevant enquiries. Key messages for stakeholders such as vendors and clients should also be communicated as soon as it is practical to do so.
3) Maintaining operations and recovery strategies
Thus far, the BCP discussion has been focusing on coping with the disruption. We now move to the next section of the BCP which centres on plotting out various recovery strategies. The goal of these recovery strategies is to restore business operations to a minimum acceptable level, factoring in the time and resources identified in the business impact analysis.
Recovery strategies must include people, equipment, IT resources and facilities. Take the same factory example mentioned earlier. The recovery strategy should identify how much time it would need to re-establish its supply chain and reallocate its manpower and other resources to run at full capacity. This step should also include identifying and obtaining other resources required to support each process. In the case of the Covid-19 pandemic, this may mean obtaining personal protective equipment, ensuring that staff are sufficiently distanced from one another and that cleaning supplies required to disinfect the surfaces are available.
It is important to remember that these steps are not aimed to achieve full capacity but to attain a minimum acceptable level of productivity while adhering to the safety and social distancing requirements. However, certain activities may have to be scaled down or stopped temporarily to provide resources for other processes. For example, if it is vital that staff be physically segregated, then remote working options and automated technologies must come into play. These recovery strategies can also take the form of entering into partnerships or contracting with third parties.
Once these have been included in the BCP, the BCP should be tested in a controlled environment. This can be in the form of a tabletop exercise, a structured walkthrough of the processes in the BCP, or an all-out simulation. “It is important for frequent tests or drills to be carried out for key areas such as data backup or alternate data storage sites,” emphasises Mr Leow.
No matter the format, scenarios should be plausible and attempt to, in a sense, “break” the BCP. During testing, objectives should be measurable, and the organisation should be honest with itself. Acknowledge where the weak spots are while spotting the strengths in the plan. It is also a good idea to test the plan a few times a year. Each test should include new staff members with “fresh eyes”, to spot the gaps or any lapses that experienced staff may have overlooked. The BCP should then be refreshed to plug these gaps.
“Businesses should look into details of their insurance coverage, particularly for key assets. Escalation processes, especially for overseas units, should also be built into the BCP,” suggests Mr Leow.
Designing, implementing and successfully testing the BCP is not the be-all and end-all of it. It is imperative that buy-in is obtained from alllevels of staff – from the C-suite and senior partners to the junior executives. All levels have to be represented at every stage of the BCP to capture every single concern, no matter how small. This also helps to build staff awareness of the BCP and most importantly, when to trigger it.
It is critical to remember that a BCP is, in a sense, never complete. It is a task that needs to be re-examined at regular intervals by senior management and other stakeholders. Being ready for disruption requires constant vigilance.
Nigel Hee is Manager, Insights and Publications, Institute of Singapore Chartered Accountants.
This article was first published in the ISCA Journal. Read the original article here.