Business entities are typically set up with the expectation that the business operations will continue into the foreseeable future. However, we operate in a continuously tumultuous and volatile environment that is uncertain, complex, and ambiguous. This may lead us to face various disruptions or crises. In the year 2020, the Covid-19 pandemic disrupted organisations in every industry globally. No one anticipated how pervasive the outbreak would be and many organisations were not well prepared to face the crisis.

When incidences such as a major fire outbreak, pandemic, cyberattack, financial scandal, etc. happen in your organisation, can your organisation withstand the impact? Would your organisation be able to bounce back to business as usual within the shortest time possible?

What is Business Continuity Management (BCM)?

So, what is business continuity? Business continuity means maintaining the uninterrupted availability of all key business resources required to support essential business activities.

The Role of ISO22301:2019 in Business Continuity

ISO22301:2019 is an international standard that provides guidelines for managing business continuity within an organisation. It provides a framework to plan, establish, implement, operate, monitor, review, maintain and continually improve a business continuity management system (BCMS). The guideline will help organisations put in place a robust, effective and fit-for-purpose Business Continuity Plan.  The guideline applies to all organisations regardless of the type, size and nature of the business.

Disruptions and Impacts

Disruptions or any form of calamities may result in the loss of lives and livelihoods. Businesses may even be impacted by loss of key suppliers or customers, loss or damage of specialist equipment or machinery, loss of essential information/data, disruption in the supply chain, etc. The negative impact is not limited to the losses only but may in turn result in loss of trust by stakeholders, financial disasters and poor company reputation.

In March 2021, there was a massive fire outbreak at Indonesia’s Oil Refinery, Pertamina in West Jawa. The fire resulted in not only loss and damage to their assets (premises and specialist equipment) but also the company had to face 3rd party liability claims as there were villages near the refinery that were affected by the fire outbreak.

In another scenario, We Work, a US workspace-sharing firm is currently facing a risk of closing down due to business risk. We Work is involved in office building lease, unfortunately, after the pandemic, the concept of work from home (WFH) became very popular and this impacted the demand for office spaces and the company’s revenue declined to the brink of bankruptcy.

The political unrest between Russia and Ukraine has led to breakdowns in the supply chain. Additionally, the US-China trade war, with various tariffs and trade barriers imposed on products from China has added to this disruption. If you were a manufacturer and there was disruption to your supplies for your production input, how would your business be impacted?

Further, China’s zero COVID policy up to early this year also stalled global supply chains. One of their victims was Toyota, a well-known automobile manufacturer who relied on China for the chips for their keyless technology. Toyota had to slow down its production due to the chip shortages at that juncture. This resulted in slower production and longer waiting times for delivery of the cars to their customers. As part of their plan to mitigate the risk of supply chain disruption, in 2022, Toyota decided to join forces with 7 Japanese firms to manufacture their next-gen chips to ensure minimal disruption to their production line.

As more companies are accelerating towards digital adoption, there will be an expected rise in scams, data breaches, cyberattacks, ransomware, etc. If such an incident were to happen to your organisation, are you able to withstand the impact? Loss of essential information and data, lack of customer trust in your organisation and a smeared reputation are some of the consequences that can be expected.

In the recent news from the Phnom Penh Post, the National Committee for Disaster Management warned of heavy rainfalls in Cambodia that may cause floods. Floods can cause devastating impacts and damage, e.g., rice fields may be damaged, and road networks may break down. If you are a rice retailer or involved in businesses that require the supply of rice, the flood could result in a shortage of supply and impact your business revenue negatively. Disruption in road networks may delay the delivery of rice or other goods from one location to another leading to disruption or delay in delivering or receiving goods. As such, can we work out a plan to ensure there will be minimal disruption to ‘’Business as Usual” in the event such a crisis occurs?

Implementing A Business Continuity Plan

Considering the devastating aftermath of a disruption based on the scenarios above, we should consider developing a Business Continuity Plan for our organisation. A Business Continuity Plan would help us to respond quickly, efficiently and effectively in a premeditated way. Immediate interventions will help to reduce damages and minimise the costs of recovery. Recovering quickly enables us to get back to business as usual in the shortest time, therefore minimising any negative financial impact. These would further restore our various stakeholders’ confidence and maintain the reputation of our brand and organisation. Most importantly, our business remains resilient.

Key Steps in Developing A Business Continuity Plan

Firstly, to develop a Business Continuity Plan, we should have the Senior Management’s support to develop a Business Continuity Management policy. Obtaining support from top management is seen as one of the main obstacles in developing a Business Continuity Plan. Thereafter, we come up with a Business Continuity Management strategy which should take into consideration the people, processes, supporting technologies, resources, stakeholders, etc. of the organisation. The scope of our Business Continuity Management should include the following considerations:

  1. Risk appetite of the organisation
  2. Size and complexity of the organisation’s operations
  3. Type of activities, industry sector
  4. Stakeholder needs
  5. Environment and location of operations
  6. Organisation’s business objective
  7. Laws and regulations

The second step would be to select the team members and identify their responsibilities. Who should do what? Who should confirm that there is a disruption? Who will be responsible for triggering the response plan? Who should communicate with your various stakeholders? We should have a Business Continuity structure that clearly identifies roles and responsibilities. There must be adequate resources to deliver the Business Continuity Plan either in terms of financial or human resources.

Next, a vulnerability assessment needs to be done for your organisation. You need to identify the various strategic, financial, operational and hazard risks that your organisation is exposed to. After identifying the various risks, analyse the risk to understand the risk consequences and the likelihood of occurrence. Thereafter, a risk evaluation needs to be done to prioritise which risk needs intervention. If your organisation has adopted an Enterprise-Wide Risk Management approach, then referring to your risk register and risk matrix would reveal your vulnerability areas. While there may be many risks an organisation faces, operational risk would be the focus of a Business Continuity Plan. This is to ensure that our day-to-day operations are not disrupted in the event of any incident.

Once we have completed the vulnerability assessment, our next step would be to conduct a Business Impact Analysis (BIA). Business Impact Analysis identifies, quantifies and qualifies the business impact of a disruption of business processes. By conducting a Business Impact Analysis, we can identify critical activities and measure the maximum tolerable disruption downtime and impact. This identification will help us in assigning recovery objectives. There are 3 areas of Business Impact Analysis as described in the table below:

Conducting A Business Impact Analysis

3 Areas of Business Impact Analysis

Business Impact Analysis Category Description
Strategic Product and Services Identify and prioritise products and services and determine the organisation’s business continuity requirements at the strategic level.
Tactical Processes Determine the processes required for the delivery of the organisation’s prioritised products and services.
Operational Activity Identify and prioritise the activities that deliver the most urgent products and services and determine the resources required for the continuity of these activities.

Mitigation Strategies for Business Continuity

Subsequently, we will develop a mitigation strategy i.e., back-up plan or response plan. The measurements from the Business Impact Analysis will provide us the information on resource requirements for a response plan within the agreed timescale. A successful business continuity plan should be comprehensive to ensure that the plan can facilitate a complete resumption of normal business operations. It must also be cost-effective and proportionate to the risk exposure. The plan must be practical and easily understood by those who are involved in the execution of the plan. A plan that is effective will recognize the urgency of certain business components or functions and identify responsibilities for ensuring the timely resumption of business as usual.

The Importance of Testing Your Business Continuity Plan

The final step would be training, drills, continuous maintenance & refinements. All plans developed should be tested for acceptance. Tests can be done via simulations, walk-throughs, and tabletop exercises. Any weakness identified during the test must entail improvements to the plan. Nothing stays the same, there are always changes happening i.e., regulations and laws, changing customer preferences, technology, economic conditions, etc. Hence, all plans should be reviewed half-yearly or at least every year to ensure that the plans remain relevant. Training on the Business Continuity Plan should be conducted for all relevant employees and the business continuity teams.

Benefits of Having a Business Continuity Plan for Your Organisation

There are immense benefits to having a Business Continuity Plan in your organisation. A Business Continuity Plan enables you to identify and manage current and future threats to your business. It can help keep critical functions up and running during times of crises and minimise downtime during incidences. This would help in maintaining the continuation of operations and service delivery which would enhance our competitive advantage. Having a Business Continuity Plan in our organisation gives our stakeholders confidence that we are capable of managing disruptive events and remain resilient. Our brand value and company reputation will be preserved. With such significant benefits, developing a Business Continuity Plan would enhance your organisation’s resilience in the event of a disruption.

“By failing to prepare, you are preparing to fail.” Benjamin Franklin

Do you have a Business Continuity Plan for your organisation? Would you like to learn how to develop a Business Continuity Plan? Contact us by sending a message here, sending an email to results@thecapacityspecialists.com, or calling 087 484 808 or 061 722 233.

Shantini Paul is a Risk Management Specialist from Malaysia, with more than 12 years of experience.