The COVID-19 pandemic has underscored the need for a new approach to business continuity management (BCM) programs, providing a wake-up call for organizations to better prepare for the next catastrophic event by building risk resilience – whether a natural disaster, a cyber breach, a supply disruption, or another pandemic.
And while it may be obvious, the role of BCM is to plan and prepare in advance so that organizations can identify, mitigate and reduce risk impact while ensuring continuity of an organization’s critical business processes. During the pandemic, companies with a strong BCM program have fared better in managing the recovery and were able to more quickly resume business operations. Those with no BCM program scrambled to respond when they found that they had no plan to fall back on, or their plan was out-of-date, or simply didn’t work when put into practice.
Regardless of a company’s current BCM maturity, planning and preparing for the next incident is an ongoing process driven by continuous improvement – which is all the more critical at a time when organizations are vulnerable and fatigued by an ongoing COVID-19 response effort. Based on lessons learned from the pandemic, here are steps companies can implement now to help protect the business against unforeseen risks in the future.
1. Reset your risk perception.
A business continuity management plan starts with an underlying risk assessment. Aon’s 2020 Enterprise Risk Management Survey revealed that 82% of organizations did consider a pandemic to be among the top 10 risks—and yet fewer than 31% of North American organizations had a pandemic plan in place.1 Since then, many companies have added supplementary pandemic response sections to their business continuity management plans. This is a necessary first step, but companies should be regularly recalibrating their risk register in response to a rapidly changing external environment. For example, the shift toward remote work and a growing dependency on technology will likely increase the probability and impact of a cyber attack.
As first-hand experience and a growing body of research continues to inform our collective understanding of future risks and their business impact, it’s crucial that risk managers keep pace with those risks and update their BCM plans accordingly.
2. De-silo risk programs.
If there’s a silver lining to COVID-19, it’s that many companies have learned the value of a centralized, holistic BCM program. An electronic manufacturer, for example, recently recognized that its fractured, siloed approach created inconsistencies and confusion on the ground. Once the company’s six business units came together to share information and discuss what worked and what didn’t, the manufacturer was able to centralize and coordinate a BCM framework that leveraged best practices from each unit. The end result was not only a more robust, enterprise-wide BCM approach, but, just as importantly, a foundation of cross-unit communication and collaboration that serves as the core to a successful future response.
3. Update, test and test again.
Too many companies treat their business continuity management plans as static documents collecting dust on the shelf. But as information becomes outdated, plans become obsolete, which is why it’s a good practice to revisit and refresh plans on an annual basis to reflect changes in suppliers, personnel, clients, technology, and operations. Ideally, a full-time business continuity team would be responsible for keeping the plan up to date at all times.
And yet, it’s not enough to just update those plans. Scenario testing is a crucial component of BCM and a part of programs that is often overlooked. Stress testing a plan can help reveal unidentified gaps and contingencies. When companies asked their employees to work from home at the start of the pandemic, many found that workers did not have laptops or know how to connect to the company virtual private network (VPN). Addressing these potential points of failure in the testing phase can save valuable time and resources when it comes time to execute. And contrary to what some folks may think, testing doesn’t need to be a time-intensive process. Even a two-hour tabletop exercise with key decision-makers will better prepare your team to make the critical decisions necessary in the case of an emergency.
Questions to Ask When Testing Your BCM Plan
When did you last test your business continuity plan?
What is the protocol for invoking the plan?
How do you stand it down?
Are there any possible points of critical failure?
Are there clear roles and responsibilities in place?
Where are the dependencies?
How will we communicate?
What technology is required?
What skills are required?
4. Hold vendors to your own accountability standards.
As the economy grows more interconnected, supply chain disruptions have upended entire industries. In the past few months alone, automakers have been hampered by a critical shortage of microchips, and homebuilders have seen skyrocketing costs due to a scarcity of lumber. It is no longer enough to have a plan to protect your own business operations in the case of a catastrophic event. If your suppliers do not have an adequate business continuity plan, the negative effects can cascade quickly and put your company at risk.
Ensuring that vendors have a business continuity management plan in place is a good start. Forward-thinking companies, led by European OEMs, are going one step further and requiring vendors to adhere to their own rigorous business continuity requirements. This creates a virtuous cycle of risk mitigation and moves the risk upstream.2 In addition, more insurance companies are requesting to see BCM plans as part of the underwriting process, signaling the need for increased resilience against external risk.
5. Make business continuity part of your company’s DNA.
BCM goes beyond a business continuity plan. It’s a mindset and continuous improvement cycle for organizations that require sustained energy and a robust framework. Bringing that kind of DNA to an organization starts with a commitment from the CEO, but also requires empowering risk managers and other stakeholders with the mandate to implement best practices, drive BCM holistically across the organization, and ensure it doesn’t fall through the cracks. Effective communication channels are also critical to raising risk-related concerns and aligning the organization on risk prevention and response. These cultural and structural elements of BCM are equally as important as the plan itself.