Business Continuity: From a Best Practice to a Priority Objective

Table of Contents

Enquire Now

Got questions? Let's help you find the answers.
By clicking "Submit" you agree to have read the Privacy Policy and agree to the terms. You can unsubscribe at any time by clicking the link in the footer of our emails.
Business Continuity: From a Best Practice to a Priority Objective

The COVID-19 pandemic has changed the global business environment. During various global implementation practices for managing the pandemic, we were the audience to experience various lockdown regulations, businesses who had to make difficult decisions regarding cash flow, retrenchment of staff, placing of people on furlough and in severe circumstances, the closing down of businesses, etc.
Some of the biggest and well-known brands could not survive 30 days without functional and lucrative revenue streams. Most of the global airlines asked for help from governments for financial support, most of their revenue-earning assets stranded on the tarmac at various airfields across the globe. This one industry has such a big knock-on effect on their stakeholders, and in some cases shareholders, that the industry is in business rescue.

Some of the companies that have been in existence for 50+ years could not make the 30 day mark and filed for liquidation at the beginning of the global lockdown.

Then we have the industry regulators. Regulators are the governments’ watchdogs who provide assurance regarding the state of the industry or the various industries in a state. Furthermore, regulators are dependent on the industry to generate their revenue streams. Looking at aviation, the various aviation authorities are primarily dependent on safety charges of passengers. With no international and domestic flights, there are no passengers and therefore no safety charges could be levied.

In some cases, the COVID-19 pandemic has brought about dramatic changes in business behavior and decisions. Where most businesses provided for office space, infrastructure, etc., at huge costs and landlords having 10-20 year leases, COVID-19 turned this industry on its head. Do we really need to have a central office where everyone drives to every day, where everyone sits in traffic for hours on end, where everyone has a challenge with work-life balance and where people are constantly tired, not because of work, but because of traveling? And then the impact on the environment, where fuel guzzling transport are used and all these gasses impact our global health.
The health of the earth and the oxygen we breathe.

In this article, I will address the pre, during, re-opening, and post-COVID-19 BCM strategies.

BCM pre-COVID-19

Pre COVID-19, the focus of BCM has been on anything which can disrupt or interrupt the provision of products and services. The immediate focus and objectives of BCM were mostly safety related and possibly Force Majeure (e.g., floods).

I have conducted various BCM strategies, Business Impact Analyses (BIA), and scenario tests with companies over the years, within all the diverse industries such as medical schemes, road tolling services, regulators, construction projects, mines, policing agencies, banks, operators of rail systems, etc. On all of these strategies, BIAs, and scenario tests, pandemic was addressed as a risk, but assessed to be a legacy risk over years.

On the latest board risk assessment conducted on January 2020 with a regulator, when COVID-19 already started to spread, the pandemic scenario was still assessed as insignificant.

Dependency and Interdependency

Stakeholders, vendors, contractors, and subcontractors, are part of the reliability, viability, and financial health of many companies. Businesses must conduct a vendor and stakeholder analysis to identify the dependencies and interdependencies of their supply chain universe. This universe can also be called the Business Eco System (BES).

This BES can only operate when each part of the BES is doing its critical function for the next part to seamlessly take over and push the process to deliver products and services as expected, and:

  • Within the specific time frames
  • Within the costs
  • With an effective value chain to deliver when and where needed

The critical mass of the BES is when everything works in support of the other.

With the COVID-19 pandemic and the ongoing uncertainty, the BES was hugely affected and damaged. In a pandemic, the first objective is for a company to survive; thus, all the critical processes, systems, vendors, contractors, and subcontractors need to be identified and agreements must be put in place to make arrangements for these products and services to continue to be delivered. All of the above have a huge impact on the relationship between the entity and their vendors, subcontractors, and stakeholders.

Business Impact Analysis (BIA)

A Business Impact Analysis (BIA) is a critical process to determine and take stock of the following:

  • What resources do you have in your total service and product delivery?
  • What is the particular and specific need for each of these resources?
  • Where do you have single points of failure (SPF)?
  • What is the recovery time objective (RTO) of each service?
  • What is the recovery point objective (RPO) for each critical service?
  • What is the maximum data loss (MDL) acceptable within the legal universe the company operates within?
  • What is the minimum business continuity objective (MBCO)?
  • What is the maximum acceptable outage (MAO)?
  • What is the maximum tolerable period of disruption (MTPoD or MTPD)?

All of the above are easy to determine and to allocate a time frame to each. But not in a pandemic. We have seen many pandemics over the years, from SARS (2003), Swine Flu (2009), MERS (2012), West Africa Ebola (2014), and the Zika Virus (2015). And now we are living in the most deadly virus since the Spanish Flu (1918), called COVID-19.

With more than nine million people infected and close to 500,000 people killed by the virus, we need to have a revision of the BIA as it was, to conduct a more robust analysis, incorporating a pandemic and what needs to be done. Globally, all of us have first-hand experience of what is needed and what can be done during this devastating pandemic. These steps and actions need to be documented and incorporated into the various strategies decided upon.

BCM Strategies

In the pre-COVID-19 BCM process, must of the companies I have dealt with have focused on evacuations, e.g., a person getting sick at work, a possible shooter on-premises, hostage-taking, and incidents which could impact their systems environment (e.g., floods, fires). The last ones would be invocating the Disaster Recovery Plan (DRP).

The various strategies are graphically displayed in the diagram below.

In a pandemic, all of these are strategies are questionable. The focus has been on a DR site, which could be on this diagram strategy 6 and 9. But in a pandemic, these sites are working under the same threats as you and they are actually causing more vulnerabilities for your company.

So the only strategy that is actually working in COVID-19, is social distancing, thus Strategy 7, Working from Home (WFH).

This is where the challenge starts and the questions regarding the BIA expand. Do you have:

  • Enough laptop computers for all your staff
  • All the programs you are working on installed and updated on these huge number of laptops
  • Everyone on a Virtual Private Network (VPN)
  • Resources for employees to work from their homes (e.g., uncapped internet, vast speeds (10-20 Mbps))

This is where the BIA and the strategies listed evaporate.

During COVID-19

When the World Health Organization (WHO) declared COVID-19 a global pandemic in March 2020, the world changed. China closed, Italy closed, Spain, France, and I can go on, closed. And with “closed” I mean going into a hard, deliberate, and intentional lockdown of everything and every moving part of all the businesses.

How did governments, corporates, businesses, hospitals, etc., prepare to deal with the pandemic?

  • On a government level, the following happened:
  • Denial, “this could not happen to us” syndrome
  • Poor leadership and decision-making
  • Poor communication
  • Poor availability of scientific information to drive decision-making
  • Poor advise to the population regarding preventative measures
  • Lack of accountability and blaming of others
  • Lack of strategic resources to manage this pandemic
  • Lack of supply chain, prior to the pandemic, to have diversified their procurement strategy

All of these impacted gravely in every part of the population and economy to follow.

Risk-bearing Capacity (RBC)

In each BIA, one needs to look at the Risk-bearing Capacity (RBC). This is a specialized field of determining the resilience of a company. RBC is defined as “Risk-bearing ability is directly related to financial measures such as liquidity, solvency, profitability, repayment capacity, and financial efficiency.”

The question is, how much provision has been made for three to six months, and in COVID-19, possibly longer, pertaining to:

  • Finances to pay for personnel, resources, systems, technology, etc.
  • What are the resilience factors you have built into your equations pertaining to all of the above?

RBC is a critical process to follow and to be incorporated into the BCM and ERM processes. The RBC calculation is not a simple one, as one needs to be looking at:

  • Stock levels to produce the critical products and services
  • Within the stock levels, the critical spares one needs to be looking at
  • Within these critical spare levels, the changes which would affect the delivery of these critical spares, such as transport (rail, road, marine, aviation, etc.)
  • The lead time analysis per critical spares item and what the critical ordering levels

All of these need to be revised as they have a financial and solvency impact on the business.

90 Days to Bankruptcy

Without a proper RBC in place, every company and individual has a window of 90 days before they start to be in distress. Because of the uncertainty of the pandemic, nobody knows how long it would take to get the pandemic under control, how long it will take to restart the local economies, and when the global economy will open up.

All of this comes with changes in the external environment where you as a business owner, corporate CEO, or a president of a country, have no control. We could see the distress of global communities on day 30, day 60, and day 90. Workers are getting retrenched, companies are filing for liquidation, and critical resources become scarce and expensive. Resources are getting less and less and governments are starting to be more and more dependent on philanthropic donations and cash injections to stimulate the critical services and products of countries. None of these were prepared for during the BIA, nor the BCM strategies.

Business Resilience Changes

I love this word, Resilience. This means the ability of an organization to absorb and adapt in a changing environment (ISO 22316:2017: 3.4).

COVID-19 has provided the global economy with the opportunity to reset and to determine how they will be doing business to survive, not only during COVID-19 but to rethink their business strategies. We have to look at the biggest winners to see where the world has been heading over the past 90 days.

Biggest winners: Everything online (food, clothes, etc.); Everything digital which can enhance the business (cloud services, digital platforms to enhance business without having personal contact, etc.)

All of the above come with risks. Every time one goes online, you are opening up yourself for the chance that your identity or your Personally Identifiable Information (PII) could be accessed. You are submitting many kind of PII during this process, from your name, bank details, address, etc., and all of these are opening the gap for identify theft.

Cloud services have been coming for a long time, and are here to stay. Most of us are working on Onedrive, DropBox, Google Drive, and many other systems. So the question is, where are the rest of the companies, are they still loyal and stuck to their own hardware with people WFH?

These are the questions asked during the BCM, RBC, and RBC-BIA-based BCM analyses. With less people working from traditional offices, would this still be the best approach? Most companies, whether they know it or not, are using hybrid systems. Coming back to Resilience. How will your company change to be resilient and who will drive this?

Leadership

Leadership and tone at the top during these challenging times is critical. Some leaders can instill calmness, direction, strategy, and a new vision for everyone to follow. Other leaders can do just the opposite. This is the time for leaders on all levels of the organization to stand up and demonstrate their leadership qualities. This is the time for new and innovative thinkers and for leaders to be open minded to see the new future.

Leaders will ensure resilience for the company. Now is the time to stand up and be counted.

Post-COVID-19: Opening of Economies

This is the current challenge the world is facing. How to open the economies in the midst of a pandemic, with no cure present. How do global leaders make this decision and make provision for the pandemic to get another grip on everyone, from the vulnerable to the healthy?

Start-up Funding

Funding is a critical factor in restarting the economy, whether it is aviation, mines, banking, restaurants, etc. In every sector you need funding. And if this funding has been used to survive the 90 days, then you are sitting with huge challenges. One needs funds to restart and if there were no revenue streams for 90 days and longer, this is where we get back to our RBC & Risk, RBC & BCM, and RBC & BIA. Are you conducting business as pre-COVID-19, or did you re-think your strategies?

During COVID-19, we have seen many of our customers transmitting their help signal in how to lead, how to manage this pandemic, and how to fund their businesses. This was the initial start of the pandemic. The longer the pandemic persists and the longer economies are closed down, the more the tone of these businesses changed. From managing the pandemic to the point of business rescue, retrenchments, closing down business units, etc.

In conclusion to this article, the following are recommended:

  • If you did not adopt ISO 22301 as your Business Continuity Resilience Partner yet, do it immediately. There are huge benefits in this approach and bigger financial ones if you can prove to your clients that you are BCM-ready and resilient company.
  • Revise your BCM strategies, not only from a survival point of view but with innovative and creative thinking driving your BCM strategy.
  • Conduct or revise your BIA to be an RBC-based BIA. This is critical in resilience.
  • If you did not conduct a Risk-bearing Capacity (RBC) analysis yet, make a decision and get this done as soon as possible.

This article is exclusively produced by Crest Advisory Africa (Pty) Ltd,
a PECB Authorized Platinum Partner.

Comments

Leave a Reply

More Quality Articles

Unlocking Success: How Internal Audit Strengthens Risk Management for Strategic Goals

Internal Audit verifies and enhances Risk Management's role in achieving strategic objectives.

Conducting Internal Context Analysis: A Guide to ISO/IEC 27001 and ISO 31000 Integration

Internal context analysis is crucial for effective risk management and information security in organizations.

Top 10 Mistakes in Implementing ISO/IEC 27001:2022

Nico Snyman discusses common mistakes in implementing ISO/IEC 27001.

Celebrating a Milestone: Our First Executive MBA Graduate from PECB University

Crest Advisory Africa celebrates its first student earning an Executive MBA through partnership with PECB University.

A Decade of Excellence: Crest Advisory Africa Celebrates 10 Years of Empowering African Businesses

Crest Advisory Africa celebrates a decade of risk management excellence.

Crest Advisory Africa: A Trusted Partner for MSECB and PECB Services

Crest Advisory Africa partners with MSECB and PECB for comprehensive services.

Managing Disruption: The Importance of Business Continuity Management (BCM)

Business Continuity Management (BCM) is a proactive approach to managing disruption, helping businesses prepare for, respond to, and recover from disruptive events.

Crest Advisory Africa Attains PECB Platinum Level Partnership: A Milestone in Providing Exceptional Information Security and Risk Management Services

Crest Advisory Africa (Pty) Ltd attains PECB Platinum Level as an Authorised Partner, offering clients access to top information & services in information security & risk management. Get in touch to learn how Crest Advisory Africa can help improve your business. #PECBPlatinumLevel
Receive our latest news

Subscribe To Our Newsletter

Get notified about GRC-A training, advisory, auditing and software.