There’s a saying that if you fail to prepare, you’d best prepare to fail. Many businesses will have found this to be frighteningly true in the wake of the coronavirus pandemic.
Large businesses will generally have a business continuity plan in place that is ready to be implemented in case of an emergency. Smaller businesses generally relied on business interruption insurance, although it took a ruling by the Supreme Court before many of them were compensated.
Hiding in plain sight
Even though infectious disease has been high on the government’s National Risk Register since it was created in 2008, most business continuity plans were not developed with a global pandemic in mind.
“Business leaders have woken up to the level of resilience they need to embed into the heart of their companies,” says Felicity March, security and resiliency director at IBM Services, Europe. This is why, she says, the current market demand for IT security and resiliency services in the UK and Ireland is expected to be worth almost £2.7 billion in 2021.
If an organisation’s business continuity plan didn’t factor in the pandemic, it is in good company. More than half of companies (51 per cent) around the world had no plan in place to combat a global emergency, such as COVID-19, according to research published by Mercer in March 2020.
More worrying is the lack of confidence where a business continuity plan did exist. Around half of businesses in the UK (46 per cent) were not confident their business continuity plans were up to date, according to a 2019 report from Databarracks.
Business protection is changing
Business continuity used to be about disaster recovery. That largely refers to IT because what is required is a more connected approach, says Professor David Denyer, director of research in the school of management at Cranfield University. That approach is resiliency.
Resiliency is required because the pandemic demonstrated the connected nature of societies and technologies. As a result, these problems cannot be managed through a risk management, business continuity or crisis management approach that only looks at a single part of the system.
“Resiliency is so crucial because it encompasses more than just business continuity crises. It includes incident management, disaster recovery, risk management and all those other functions,” says Denyer.
The proof is in the risk register, he says, because many businesses have failed to translate that risk awareness into preparedness. “Resiliency shifts the thinking from the recovery of an asset to the delivery of essential service outcomes. We may find in a severe crisis that a site cannot be recovered, but we can find an alternative way of delivering the essential service to our end-user,” he adds.
New definitions
Different businesses are better at identifying what needs to be done, says Helen Molyneux, director at consultancy Cambridge Risk. A manufacturer may have considered many of the prime issues and even built contingencies, such as generators, where necessary. These are the obvious processes and protocols and differ between companies.
Often overlooked is what the board does not see, areas such as middle and back-office procedures, for instance a call centre taking orders or a fulfilment department.
“I ask the board to take a step back and consider what they actually do as an organisation,” says Molyneux. “This covers key activities such as orders, deliveries.”
She then looks at the processes beyond these functions and probes the reputational or financial impact if any of those were lost. “This sets the corporate context so you can benchmark just which processes and resources are mission critical,” she explains.
Beware the blind spots
Blind spots are a crucial avenue to examine, particularly in light of the pandemic. Many organisations found they were often ignorant of vulnerabilities within their supply chain beyond regular contacts, says James Crask, head of resilience for the UK and Ireland at insurance broker Marsh.
Last year, one of Crask’s retail clients was waiting for a shipment of Easter gifts that had failed to arrive. It was only then that the company discovered they were wholly dependent upon a series of manufacturing suppliers based in and around Wuhan, the province at the centre of the initial COVID-19 outbreak, that had been outsourced from their main supplier.
“The company had no visibility until the call came to say the shipment would not arrive. This will force organisations to think much harder about their supply chain resilience,” says Crask.
These oversights are accidents waiting to happen, says Richard Gordon, director of the disaster management centre at Bournemouth University, and are in every organisation. “They can often be avoided by speaking to employees who are closer to the coalface,” he says.
Failures may be due to a deficit in the culture or the reporting mechanism because even an intern or cleaner might identify a potential risk. “But if they do not know how to report it, or that mechanism is inefficient, the risk will not be captured,” Gordon points out.
Businesses often focus too closely on a single point of failure, yet the pandemic has demonstrated an emergency can have a global impact. “Some organisations have focused exclusively on the resilience of their site, but everything that’s around that site is equally important to their resilience,” he adds.
This is important because it is where employees live, how they travel, where the business and employees get their food, electricity, gas and water. “It’s the off-site element that is often ignored. So when things go wrong, and we spill out into the wider area, we lose control,” says Gordon. “We’ve lost the ability to continue to maintain the trust of our customers and do not have an understanding of our staff or their conditions.”
Where to start
Any business continuity plan needs to be based on a holistic assessment of the company’s potential challenges and needs, says IBM’s March. “A cross-functional team of leaders within the organisation certainly can and should be involved with the initial planning and routine assessments to ensure awareness and readiness,” she says.
Dr Lee Miles, professor of crisis and disaster management at Bournemouth University, agrees any plan needs to be holistic, but that it also needs to be operated at all levels and, more importantly, to be continually updated.
“You’re only as good as your monitoring,” says Miles. “Plans are guidelines, skeleton structures in which to give people advice about how they should do things. But it’s the people that fill in the gaps.”
In a crisis scenario, the plans are no good if they did not predict the situation the business faces. This is where “entrepreneurial elements” among employees fill in the gaps of plans. “That requires the building of trust to allow that discretion to be exercised, within remits, coupled with a flow of communication,” he says.
Crask broadly agrees: “It comes down to making sure there is a very strong function within the second line of defence that is holding management accountable.” That second line of defence sets the policies and processes, so there is consistency in planning, he says.
How to continue
However it is achieved, the process must be continual, adds Miles, because the business only understands the extent of the potential risks by exercising the plan, and most importantly, the people who will be implementing it.
Leaders may not be in charge of the resilience project, but they are absolutely crucial to the success of the project, says Denyer at Cranfield University. “Our research shows that leaders who put resilience at the heart of what they do create an alignment across all an organisation’s silos.
“It requires communication and co-ordination, but essentially building commitment to resilience and driving it through the culture of the organisation, so people feel personally responsible for resilience and dealing with problems as they emerge.”