From floods, fires, power failures and pandemics to terrorist attacks, computer hacking and problems at your suppliers – an unlimited number of unexpected events can bring your business to a halt if you do not plan for unknown risks. Domini Stuart provides some tips on business continuity planning.
In December 2005, a major explosion and fire at a UK oil depot effectively destroyed the head office of Northgate Information Solutions. Luckily, because the accident happened on a Sunday, there were only two people in the building, both of whom escaped unscathed. And, fortunately for the business, there was a well-practised disaster recovery (DR) and business continuity (BC) plan in place.
“Customer system backups were stored off-site and for the next few months employees were redeployed to run systems from multiple branch offices,” says Stefano Masiello, marketing director, Australia and New Zealand, at NGA Human Resources, an Australian division of Northgate Information Solutions. “The company supplies specialist software and information technology (IT) services including payroll and despite the fact that many clients were scheduled to pay their employees early in December, all of them ran on time. Whatever the crisis, you want to keep disruption to a minimum. In this case, many clients weren’t even aware there had been a catastrophe.”
Every board needs to feel confident that the company could survive an accident or natural disaster as well as deflect the reputational damage that can result from everything from a product recall to a poor return for shareholders.
“Ultimate responsibility rests with the board and senior management, so directors need to take an active interest in the preparedness of the organisation,” says Matthew Green, an associate director in the Grant Thornton (Twitter @GrantThorntonAU) operational advisory team. “This should be included within the broader risk-management purview.”
Standards and good practice guides are available to help management develop DR and BC plans, but they need to be tailored. “Having a generic plan, or using someone else’s, is worse than useless because it provides a false sense of security,” says Greg Spencer MAICD, principal consulting partner at Beyond Technology Consulting.
It can help to think in terms of impacts rather than specific incidents. If no-one can get into your office, the first responses will be the same whether the setback was caused by flood, fire, earthquake or a terrorist attack.
“These days, when you mention DR and BC, people tend to think in terms of IT,” says Masiello. “IT is important, but you also need to consider how you would survive if your staff didn’t turn up for work or you had no access to money to pay wages and bills. Major banks have gone down on more than one occasion, so your plan might include something as simple as using two banks that don’t rely on the same channels. If you have suppliers, you need to look deep into the supply chain to ensure they have their own BC plans in place. As we saw with the tsunami in Japan and floods in Thailand, many people got into trouble because their whole supply chain was based in one geographical area.”
This does not mean the plan needs to include every business process and team member. “BC plans must be focused on the people and processes that matter most in supporting the core operations of the business,” says Green.
Colin Panagakis MAICD, business development manager at ICSA Boardroom Apps (Twitter @ICSASoftware), warns against basing a plan on current capacity and demand, particularly when you are in a rapidly changing environment.
“We’ve seen retailers’ websites go down because they didn’t have a contingency plan for bursts of heavy traffic,” he says. “An event like that shakes customer confidence and can damage the company’s reputation.”
Spencer warns that while key executives and board members may not be accessible at the time of a disaster, decision criteria, such as who can declare a disaster, are frequently overlooked. An independently hosted board portal can also facilitate high-level communications.
“It can provide backup facilities for the company’s critical information and make the latest information available instantaneously,” says Al Percival, managing director at Diligent Board Services Australia.
“Some portals also enable electronic signatures for written consents and provide collaboration and communication tools so that the directors can quickly consider and approve plans that will help the CEO respond to rapidly changing events. The portal can be pre-loaded with crisis-management plans, previous board and committee minutes and governing documents such as by-laws and committee charters so that directors have everything they need to make decisions and monitor the situation wherever they are in the world.”
The plan should also include communications beyond the boardroom.
“Effective stakeholder communications during an unplanned incident are critical,” says Green. “Organisations need to ensure the right message is getting to the right audience within the right time frame. And, depending on the issue or disruption, directors may need to play a role in dealing with stakeholders or the media. Should a CEO or executive team be affected, directors may have a key role to play, stepping into the breach and guiding the company in a hands-on capacity.”
Mark Bond, principal consultant at Noel Arnold & Associates, recommends that DR and BC plans have a section dedicated to stakeholder management.
“This should include a comprehensive list of stakeholders, an outline of how each group would be affected by different kinds of events and details of how best to communicate with them,” he says.
While organisations are turning to social media communications, this can exacerbate the problem. “Regular, honest communication in a crisis can enhance a company’s reputation, but directors need to remember that rules around confidentiality and continuous disclosure always apply,” says Panagakis.
“You don’t want to respond too hastily but if information is released from another source, you could look as if you’re trying to hide something. You also need to ensure your planning has taken the new information privacy obligations into account.”
Some boards make the mistake of treating a DR and BC plan as a one-off project.
“Building awareness is also critical, as is regular training of everyone involved in the plan,” says Green. “It must be a core component of operational governance and aligned to business risk-management processes that ensure currency and relevance of the BC/DR plans through regular review and update.”
Increasingly, reviews are being conducted by independent professionals, particularly in the IT area.
“Many post-event reviews have shown the authors of DR and BC plans are not necessarily the best people to be reviewing them,” says Spencer.
“Cost will be a factor in the decision to use internal resources, specialist consultants or a combination of both,” adds Bond. “But directors need to check with management that adequate resources have been identified and allocated, not just on paper but within the budget.”
Never underestimate the importance of a solid, well-tested BC plan. “Recently, NGA’s HR and payroll centre in Sydney was subjected to a test that ran over several weeks. The scenario featured a growing number of people who were too ill to report to work and where the water supply was eventually identified as a source of contamination, so it worked on a number of levels. If NGA hadn’t been committed to creating effective DR and BC plans and testing them thoroughly and regularly, the aftermath of the UK oil depot explosion would have been very different,” says Masiello.
Twitter @Domini Stuart