Whether due to weather or some other type of disaster, any occurrence that incapacitates a business will interrupt normal operations and impact the bottom line. Risk of business interruption (BI) can be physical, virtual, reputational or financial – and whatever the risk, it can and should be planned for.
A business continuity plan (BCP) isn’t just about writing one and putting it on the shelf; it’s about testing and tweaking it to make it truly effective when disaster strikes. that’s where business continuity management comes into play.
In the event of a disaster such as Hurricane Harvey, which has been called a “once-in-a-thousand-year” event due to unprecedented flooding, interruption of normal business activities would have been significant for any company.
“In the case of Harvey, it could take six months or more to get back to normal levels for many businesses depending on how bad the flooding was at that location, how long it took to order replacement equipment and how long it took to restore the property itself to operational levels,” says Steven Kennedy, AGCS Regional Head of Property, Engineering and Energy Claims, North America.
“It’s important to remember, in the case of extreme weather, that the premises could be unavailable to operations for a period from a few days to many months,” adds Jean-Philippe Monnez, Property Account Engineer, Allianz Risk Consulting (ARC), AGCS France. “A good BCP will enable the business to quickly implement measures after the disaster to restart production as quickly as possible and to limit BI losses.”
Interruptions due to weather can include structural damage to buildings, machinery and equipment damages, power outages, damage to infrastructure, injury to employees, and excessive wind or water damage. “In the event of a hurricane or flood, these events are usually forecast in advance and preventive measures can be taken before the storm arrives,” says Lisbeth Ippolito, Senior Account Engineer, ARC, AGCS North America.
“There should be a windstorm/flood emergency plan to mitigate the exposures, in addition to a formal BCP,” she adds. The plan would include assigning roles and responsibilities to the response team, assembling emergency supplies in a safe location, planning for salvage and recovery operations and maintaining a list of key vendors, contractors and suppliers, and relocating equipment, stock, records and other valuable operational pieces to safe locations and sand-bagging doors and vulnerable building openings.
“A BCP focuses on critical and important functions within a predetermined time after a disaster,” says Thomas Varney, Regional Manager Americas, ARC, AGCS. It identifies the business recovery priorities and the acceptable recovery times established by senior management. Based on these priorities, a recovery plan for each functional area is developed, identifying critical operations and vulnerabilities that might impede recovery efforts.
Vulnerabilities could include the facility itself, unique equipment, bottlenecks, logistics, warehousing and inventory needs, manufacturing capabilities and capacities, purchasing restrictions, contractual obligations, supplier shortages, and IT system failure, among many other things, Varney adds. These would be spelled out in the overall BCP, which includes several individual plans governing different sub-areas within the organization.
“The BCP should be issued by a certified contractor with the support of onsite management and the buy-in of the business’ top management if it is to be effective”, says Monnez.
Regardless of the final plan that is drawn-up and agreed-to, a final table-top exercise preferably administered by an outside entity needs to be held to test it.
Whether or not the BCP is viable depends on if its mitigation measures are well thought-out and practiced. In the case of an extreme weather event, there are two scenarios which could be anticipated: on the one hand, the premises could be unavailable for routine operations, therefore interrupting business; or, on the other hand, employees and other human resources could be unavailable. Each scenario should be thoroughly studied in order to create applicable prevention measures should that scenario become real. The key to a good plan is scenario testing – usually best carried out by a robust table-top exercise.
An ideal table-top exercise, used to stress-test the BCP, can consist of anything from a roundtable discussion with key stakeholders – e.g. leadership, communications, IT, human resources, etc. – to a recovery planning exercise implementing a bar chart or other graphical illustration that helps plan, coordinate and timeline functional recovery tasks.
The most effective exercises are prepared well in advance and are designed to test location specific vulnerabilities. Assumptions are clearly defined and communicated to all participants before the exercise begins. Rules should be drawn up beforehand and agreed-to by all participants. In short, the test should be presented as a learning exercise that allows for problem-solving and team-building.
The disaster scenario usually is designed to be realistic and may be based on regional NatCat loss data for the area or historic industry losses. Each functional area will have a copy of their recovery tasks to review and update as the exercise proceeds.
“It’s important that the scenario is as believable as possible and is taken seriously,” says Ippolito. “Impactful photographs and detailed descriptions of the disaster are included in the scenario. The most successful exercises create a sense of discovery for the participants as they work through the recovery processes for their team.”
Table-top exercises can include any type of natural catastrophe loss, fire and explosion, a contractor’s negligence, an angry employee, a cyber-attack, injury or death of a key employee, loss of a critical supplier, or something as innocuous as a ruptured water pipe that floods a manufacturing facility.
“The objectives of the exercise are to validate the BCP’s viability by testing the recovery objectives and timelines, train the recovery team members and managers, demonstrate the ability of the site to recover, minimize decision-making during a disaster event, and update and improve the plan,” says Varney.
“A good exercise,” says Maarten van der Zwaag, Global Head of Property Risk Consulting, ARC, AGCS, “is defined by the third-party contractor who will issue the BCP in accordance to the customer’s wishes and is one that tests the highest exposure of the site, be it weather-related or tied to something like IT failure or unprepared suppliers.”
Disaster recovery is the process of getting all important IT infrastructure and operations up and running following the disruption1. In today’s business environment, nearly every functional area of the business relies at least in part on the IT infrastructure, data storage, analysis, applications and other vital components that fuel the operational processes of the business.
“This can be thought of as the emergency procedures to be implemented in the first 48 hours after the event and before the application of the full-fledged BCP,” says Monnez. “This is the simple answer, although there are lots of steps to an efficient disaster recovery, such as an emergency response plan, a disaster recovery plan, and so on.”
Business continuity, on the other hand, is the process of getting the entire business back to full operation after a crisis and involves retaining critical functionalities such as site management, human resources, engineering, facilities, production, finance, environmental, health and safety, quality assurance, supply chain, sales and marketing and other operational cogs of the business wheel2.
The entire business continuity process should be driven by executive leaders who are committed to the notion of continuity management. In the end, recovery is a management exercise in which functional teams are led to revive the company and sustain the financial and operational bottom-line.
“Management has to recognize the potential financial and operational losses associated with a BI and the importance of having viable emergency response and business continuity strategies in place,” says Varney. “The business will not do it on its own.”
”The goal for the organization is to be able to recover and be resilient in light of increasing natural catastrophe risk, but it all begins and ends with buy-in from the top.”
1. DISYS, The difference between disaster recovery and business continuity - and why IT matters for both, 2017
2. DISYS, The difference between disaster recovery and business continuity - and why IT matters for both, 2017