Stress-Test Your Business Continuity Management

The spread of a severe pneumonia now known to be COVID-19 through China and into other countries offers a timely reminder of the difficulty of planning for pandemic events and natural disasters. Businesses always need robust and current continuity plans that stipulate exactly how business operations will respond to and resume after a disruption — whether it is a natural disaster or an operational disruption, such as a broken contract.

In the 2018 Gartner State of the ERM Function Survey, 78% of respondents reported having a defined response plan for a cyberrelated incident, and 76% had plans to deal with the effects of a fire or explosion

More than 40% of businesses will never reopen after a major natural disaster.

Even just a few moments of downtime can be costly, so it is essential that firms implement sound business continuity procedures. In fact, more than 40% of businesses will never reopen after a major natural disaster.

The number of incidents that organizations face continues to rise. In a 2016 survey, 22% of organizations reported 11 or more disruptions over the prior 12 months, a 15% increase from the year before. The costs of such incidents are also rising. Natural catastrophes in 2018 cost companies roughly $20 million more than the average of the 30 years prior, underscoring the need for business continuity management (BCM) plans.

Components of a BCM program

A BCM program should reduce the impact of internal and external volatility, enabling the organization to reliably and consistently meet its strategic objectives despite disruption. A comprehensive BCM program covers the response and resilience of IT operations, the supply chain, the workforce and more.

Successful BCM programs have four components:

1. Business recovery and continuity — The recovery of essential business processes, including business resumption planning, work area recovery and building workforce resilience.
2. IT disaster recovery and service continuity management — Limits the impact of downtime specifically for IT services and systems, whether from scheduled outages (e.g., infrastructure maintenance) or unscheduled incidents (e.g., cyberattacks, technical failures).
3. Supplier risk and contingency management — Addresses the risks associated with using external parties as part of the delivery of an organization’s products or services. It also plans for how the business process would continue if the supplier had a business disruption of its own.
4. Crisis and emergency management — Establishes authority, control, communication and coordination in an emergency event, including internal and external communication, to limit damage and reduce fear, uncertainty and doubt.

Test your plan

Without formal processes and guidelines, ad hoc responses will likely extend downtime and business loss. Plans must be tested to ensure they will enable the organization to weather disruption.

Tabletop exercises for BCM test the effectiveness of procedures and safeguards in place to respond to — and recover from — specific continuity incidents. These exercises are an effective way to gauge organizational preparedness and awareness, but also to uncover flaws or gaps in recovery plan design.

First define the threats and risks specific to your organization. Consider that a risk reported in the global news cycle doesn’t automatically make that a risk for every organization.

Prioritize relevant scenarios by considering regulatory obligations, response plan maturity, criticality to business operations and response plan complexity. From there, leaders can draft relevant and comprehensive scenarios.

Assign clear roles and responsibilities for participants and facilitators in tabletop exercises, including:

• Scribes: Individuals who document the key actions taken, issues and findings from the exercise. 
• Evaluators: Employees with functional expertise who evaluate the feasibility and efficacy of players’ responses against the established objectives.
• Recovery team communications: For larger exercises, separate players into smaller teams to represent specific business functions/units. Select one player from each team to act as a liaison with other teams. Only team communicators can communicate between teams. At the end of the exercise, they also communicate lessons learned to the scribes.
• Players: Exercise participants, composed of a mix of functional leaders and frontline management, actively involved in enacting the response plan or not, given the scenario. Those not enacting the response plan may use the exercise as a cross-training or awareness opportunity.
• Facilitator: The individual — an internal employee or an external party, such as a hired consultant — responsible for presenting the scenario as well as any additional elements, such as “injects” (sudden changes in conditions or demands). 
• Observers: Individuals from the organization who know the business well but aren’t directly involved in the exercise. Players consult these individuals during the exercise to learn more about certain elements of the scenario. Ideally, observers should be experts in all affected functional areas of the scenario.

The original article by Ian Beale, vice president for advisory at Gartner, is here. This article has been updated from the original, published on August 21, 2018, to reflect new events, conditions or research. The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends. Photo credit: iStockphoto/NiseriN