Planning for disaster: understanding the need and benefits of a business continuity programme
By Stefan Lia
To a Maltese audience, hurricanes Harvey, Irma and Maria are major natural disasters bringing sweeping damage and destruction to another part of the world. Yet, apart from showing empathy towards the loss suffered by those impacted, consideration should be given to the impact a similar disaster would have on the Maltese Islands.
The same applies when news of hacking and data breaches hit the headlines; now almost a daily occurrence. It is possible that the focus of business continuity and disaster recovery has mainly been on IT – so, for many, the natural reaction is to think that the obvious targets are big businesses and therefore most Maltese companies would not be targeted.
However, following any such catastrophic event, a business continuity and disaster recovery plan could be a life-saver for any business when it comes to picking up the pieces and continuing to operate. A properly designed plan could help an organisation reassign its resources, communicate effectively, both internally and externally and ensure minimal impact on its products or services offerings. The aim of such a plan would be to develop and enhance overall organisational resilience.
That said, events affecting continuity need not be as devastating or dramatic as those described above. Technology related incidents might include network or communication failure. Given our dependence on IT and its supporting infrastructure, many businesses would be unable to operate effectively in the event of even a minor failure in this area. It would not take much to disrupt daily business operations - power cuts, problems with internet services and even malicious e-mail can all result in a negative impact on businesses.
Developing a business continuity plan is nothing extraordinary in concept, yet having the right technical support and experience could prove to be of value.
A methodological approach to business continuity could start by identifying the functions which are critical to the organisation. For example, these might represent the revenue generating activity and supporting services without which a business would grind to a halt. The aim should be to understand the threats posed to these key areas and identify the risks to which they are exposed. This Business Impact Assessment (BIA) would provide a clear picture of what could happen and how a business would be affected.
Looking at past incidents and understanding how these have been handled might also be a valuable exercise. Incident reporting is a useful way of learning from past incidents and mistakes. It allows a business to understand the challenges posed, what went wrong and to develop plans and processes to prevent reoccurring situations.
Analysing such impacts could also help keep continuity plans up to date. If a plan looks the same as it did 10 years ago, then it probably wouldn’t actually meet current requirements. Organisations engaged in business continuity management should be actively learning and developing their plans to ensure they meet their current business needs.
Another important element in the developing of a plan is staff input and communication. Staff involvement is also a crucial aspect of developing a plan. Apart from getting practical feedback from the front lines, this process can boost their confidence in the company’s ability to maintain business as usual, in the aftermath of an unfortunate event. In addition, effective communication is one of the key elements when developing the plan during a crisis, as well as when business is back to normal. Ineffective or non-existent communication can exacerbate the impact and duration of a crisis.
Unless staff are involved in the development and are aware of what is expected in the event that the plan is brought into action, the recovery effort is probably doomed to fail. A continuity plan needs to be supported by active testing, awareness sessions and training. This would ensure that everyone is aware of their role and responsibilities during a crisis and whom they need to speak or get permissions from in order to act. A business continuity plan should not be hidden away in a dusty cabinet.
During a crisis, communication becomes even more important. With 24/7 news, social media and instant messaging being ingrained in our society, it is important that a company keeps as much control as possible over what is being said about an incident. Unfortunately, media outlets may report on corporate incidents based on unofficial information, which may be obtained from employees or other third party sources and even by-standers.
It is therefore critical for organisations to maintain proper communication channels throughout a crisis and to inform its employees to refrain from making any media statements. Ongoing communication is also key to ensure that both clients and suppliers are kept informed. Apart from providing them with assurance on the company’s ability to continue operating, it shows a certain element of resilience and strength by the organisation. This also instils confidence in major stakeholders which will be key when rebuilding after any crisis.
An organisation’s ability to anticipate and respond effectively to disruptive events is key to building organisational resilience and stakeholder confidence. Yet organisations are facing increasingly bigger risks which may be beyond their control. For example, increasing complexity and data volumes continue to stretch recovery capabilities - even major companies are finding their response to major incidents is not up to standards.
Furthermore, privacy and consumer data leakages have taken another dimension with the forthcoming General Data Protection Regulation (GDPR) which comes into force in May 2018. The potential impact of a disruptive event related to privacy and data leakage can be challenging even for organisations which are well prepared. There are other operational areas where organisation are also facing increased risks such as managing supply chains and employee safety, especially when operating in foreign countries.
Having an adequate business continuity plan is no longer an optional extra. Due to the risks we face and the interdependency of organisations, effective business continuity and contingency planning is a necessary activity for organisations of all sizes.