Since the start of the COVID-19 pandemic I have had numerous conversations surrounding business continuity plans (BCPs). What became evident were apparent deficiencies surrounding scenarios other than cyber attacks and natural disasters.
It is critically important to distinguish between BCPs and disaster recovery plans. A BCP is simply a strategic management process aimed at minimising the social and economic fall-out in a company due to disruptions in normal business activities. On the other hand, a disaster recovery plan is one singular aspect of a BCP that primarily involves restoring essential systems and processes following a disaster.
If your company has no business continuity plan, or one that has not been recently updated, here are some key aspects needed to produce and implement a viable one.
Team roles and responsibilities
Identify key staff at every level of your company. Unfortunately, it is too optimistic to imagine that during a crisis your firm can sustain all employees. Instead, plan based on pivotal roles and responsibilities. Your BCP team should include representatives from your company's executive leadership, human resources, finance, information technology, legal, business and/or product lines and regulatory-required positions. Ensure that team leads are identified, and are aware of the responsibilities for themselves and their teams. These teams should be involved in ongoing planning.
Risk Assessments (RA) and Business Impact Analysis (BIA)
Pinpoint risks that are both inherent (automatic) and residual (after mitigating controls are implemented), then amplify them. Forbes senior contributor Chloe Demrovsky wrote in a recent article: "You should think about how you can continue to operate if 35-40 percent of your workforce is out sick." I must add that a BCP without both an RA and BIA is ultimately planning to fail during a crisis. A company should simulate various threats to its business, such as man-made disasters; utility failures; cyber security attacks; natural disasters; intentional sabotage; and pandemics. This allows you to identify deficiencies in both risk mitigation strategies and core business functions, enabling you to design the most logical and realistic plan while keeping in mind the associated risks.
Identify objectives and set goals
This may seem like a no-brainer, but identifying objectives and goal-setting without adequate components could be the deciding factor in whether your company pivots or perishes during a crisis. One important component of this area is your BCP budget, and how long it can be sustained. Also, what are the milestones of your plan and how are they going to be tracked?
This aspect of a BCP is often taken for granted, but I would argue that it is equally as important as any other element of your plan. Your plan must have messages that are tailored to your various audiences, such as regulators, internal customers, external customers, news media, suppliers, survivors impacted by the crisis, their families and others. Pre-scripted information should be used based on information gathered during your risk assessments and business impact analysis. Communications skills will be paramount in identifying key persons internally or externally to lead a communication and information centre or team.
Plan implementation and testing
After you have already set your goals, assessed risks and business impact, selected your key team members and developed your communications plan, you must implement prevention strategies, response strategies and recovery strategies. The creation of a BCP will not suffice unless it is tested.
Appreciating these fundamentally crucial steps will ensure your enterprise is prepared for a crisis. In a crisis, your leadership - together with the company's management, communication and planning - will set the tone for employee loyalty, customer satisfaction, regulators' and other authorities' confidence in your firm and, inevitably, its survival through and after COVID-19 and other crises.
NB: Derek Smith Jr is the compliance officer at a law firm in The Bahamas, and is a former assistant vice-president, compliance and money laundering reporting officer (MLRO) at an international private bank. His professional career started at a 'Big Four' accounting firm and has spanned over 15 years, including business risk management, compliance, internal audit, external audit and other accounting services. He is also a CAMS member of the Association of Certified Anti-Money Laundering Specialists (ACAMS).