Minimising the risk to employees is a clear priority for any company, be it planning a response to a health crisis or a natural disaster. But from a business continuity point of view, companies also need to look at the bigger business impact once staff have been protected.
What should not be forgotten, however, is the impact on the company’s supply chain. Today’s supply chains are long and complex: companies are sourcing products and services from far afield, and they are looking for new markets. All of this means that their vulnerability to pandemic-related risks is greater.
In this instance, although a company and its people might not be likely to be directly affected by the outbreak, it could be that a supplier or a supplier to a supplier has a manufacturing plant in Liberia, or is reliant on raw materials from Sierra Leone. Companies need to understand the knock-on effects if a member of the supply chain is unable to meet its commitments.
The overall message from the Ebola outbreak is clear: Do not let unexpected disasters take you by surprise. Make sure you have a comprehensive plans in place so you are prepared!
Read our Press Release Here.
Monitor the Ebola pandemic (and any others) and get useful information from the National Institute for Communicable Diseases.]]>
The death toll continues to mount—at the time of writing it was 650 and rising—and health ministers from the Southern African Development Community have announced a strategic plan to prevent the spread of the virus into our region, and to treat any people who are infected.
Of course, it’s a humanitarian disaster first and foremost, but the implications for business are profound, both generally and in this specific case.
As an immediate action, companies should take a look at their business continuity, crisis management and associated plans (pandemic). Obviously, Ebola is top-of-mind so it is worthwhile adapting a general strategy to the current crisis—just in case. This would be particularly relevant for companies that have business links with the West African region, or whose people visit it, or whose people are particularly at risk. Freight or courier companies and health care professionals are two examples that spring to mind.
Tracey Linnell, General Manager: Advisory Services at ContinuitySA says that companies could do well to dust off their plans for an outbreak of the SARS virus/pandemic and use them as a starting point for an Ebola-related plan of action.
A key element of the strategy is communication with employees, and that should begin now. Education is key to preventing infection, and to getting treatment quickly in the case of infection. It’s also a way to prevent any sense of panic in companies whose employees are likely to be brought into direct contact with people from the West African region.
In out next blog, we’ll look at some of the broader implications of pandemics.
Read our Press Release Here.
Monitor the Ebola pandemic (and any others) and get useful information from the National Institute for Communicable Diseases.]]>
When an emergency strikes, companies often find themselves on the back foot. The first thing to understand is that when a crisis breaks is not the time to be deciding what to do and how to do it! The protocols and procedures for managing a crisis must be decided and understood before it strikes, and should form part of Business Continuity planning.
One of the most important parts of any crisis management plan is communications. In fact, I would argue that a good crisis communications plan is the primary tool for limiting the damage to the company’s reputation, and for mobilising support for the recovery effort.
We live in a Digital Age in which, almost without exception, everybody has access to the Internet via computers or, increasingly, mobile devices like smartphones and tablets. This always-on connected world is characterised by a surge in the number of social media platforms: Facebook, LinkedIn, Google Plus, Twitter, WordPress and Tumblrare some of the most common. These platforms host communities of users, and are characterised by content sharing and real-time communication.
They are thus ready-made communication channels through which the company can reach stakeholder groups in a crisis situation. This is crucial when rapid communication in real time is a priority. They also offer a company a useful listening post through which to gauge how fast a crisis is spreading, and what people are saying.
The first thing to do is investigate which social media platforms are most suitable for your company, and where its communities are already posting information. As a rule of thumb, Twitter, Facebook, Instagram and YouTube are most often used in crisis situations.
A final point: set up the company profile on all platforms, even if you don’t use them, so that they are ready to be used in the event of a crisis.
Next time, a look at the importance of planning.]]>
When it comes to embedding BCM into the corporate culture, it’s important to recognise that there is no “one size fits all” for this activity. It has to be tailored to the company, its people and the business in which it’s involved. At each phase in the BCM life cycle, there are opportunities to create and enhance a BCM culture. Many of these opportunities are created not by the experts but by ordinary employees. This type of initiative should be encouraged because it shows that BCM is taking root.
There’s also a view that BCM should be implemented in controlled, well-tested phases rather than a concerted, company-wide initiative. Such an approach allows for the process to be constantly adjusted by taking into account feedback from each phase. (The five steps for implementing BCM are outlined in an earlier blog.)
It’s critical to ensure that the BCM programme is allowed to mould itself to the company and its people. In this way, abstract best practice becomes “how we do things here”, and that’s a very powerful way of ensuring that the plan remains current. At the same time, though, it’s also very important that the people who are ultimately responsible for the effectiveness of the BCM plan—the directors—are fully behind the rollout, and visibly support it.]]>
Six months later, headline earnings were down almost 100 percent. A company whose prospects had looked so bright soon lost its allure, and was ultimately delisted after only one year of trading on the AltX.
This spectacular fall from grace could not be attributed to anything dramatic like a terrorist attack or earthquake, but simply to a lack of effective operational risk management. The company was sunk by a combination of factors, including power outages, port congestion and poor harvesting practices—all operational risks that were, presumably, well understood within the company. Indeed, BCM planning could have ensured that there were simple and effective solutions in place, such as:
King III, the new Companies Act and the Consumer Protection Act all, in their different ways, highlight the responsibility of companies and their directors to ensure that risks are managed adequately. Despite this, BCM is often overlooked as the most effective way to identify and manage operational risks effectively. While the board retains ultimate responsibility for risk management as a whole, the executive management team is responsible for implementing the operational risk management framework approved by the board and itsdirectors. This framework should be implemented throughout the whole organisation, and all levels of staff should understand their roles and responsibilities with respect to operational risk management.
The alternative, as we have just seen, can be frightening!
Next time, to conclude this series, some thoughts on how to embed BCM into the organisation.]]>
Let’s begin by remembering how widely the effects of a disaster can be felt. If an individual company experiences a disruption, it can be devastating for the people who work it or rely on its products or dividends. But imagine large-scale disasters, like the Japanese tsunami or the bush fires in Australia,that put many businesses out of commission. If the companies cannot get back up and running quickly, the effects are multiplied because the tax base is affected and economic recovery delayed.
BCM is critical because it looks beyond dealing with the emergency itself. It takes into account what will be required to get the business up and running as soon as possible and keep it and its dependants working and contributing to the economy for the long term. The failure of BCM affects the company concerned, a number of people who will experience personal disasters when operations cease, as well as government.
One could even argue that BCM is not only a risk management process, but also as a basic human right because it provides:
BCM (or the lack of it) thus has far-reaching effects. In order to make it work, stakeholders across the business and its value chain all have to be involved: managers, process owners, strategic planners, project and procurement teams, key suppliers and directors all have to be involved in managing risk. It goes much deeper than just preparing for a major event—a flood, a terrorist attack or the like—but of preparing the business and its employees for anything. An effective BCM plan based on international best practice will generate the following six clear benefits:
Next time, a look at what BCM failure looks like.]]>
ContinuitySA recommends following the following five steps:
Next time, let’s look a little more deeply into BCM.]]>
It’s no surprise then that various disciplines have arisen to help companies manage the risks they face: IT risk, Information Security risk, Economic risk and Credit risk. But underpinning them is all is Business Continuity Management (BCM), which deals with operational risk. It’s aimed at ensuring that the business can continue to operate as normal as soon as possible after—or even during—a disruptive event. Such an event could be as dramatic as an earthquake or a revolution, or as mundane as sustained power outages or a flu epidemic.
South African businesses are fortunate in that they do not face many of the dramatic environmental risks that other parts of the world face, but we are highly susceptible to risks associated with emerging markets: industrial action, power and water shortages, service-delivery protests, inadequate infrastructure are all risks we face, and that can threaten long-term sustainability.
Whatever the risks, BCM looks at the people, processes, infrastructure and technology that the business needs to operate, and then identifies (and ranks) potential threats to each of them. It puts in place plans for responding if these threats become real, but it also establishes ways to avoid them. In so doing, it provides a framework for building organisational resilience.
In the end, by helping to ensure that the company can continue to operate, BCM protects the interests of stakeholders, and the reputation, brand and revenue-generating activities of the company.
Next time, the five steps to effective BCM.]]>
One of the oldest gambling strategies is the martingale. It is played on an even chance bet and consists of doubling a losing bet. In roulette, you wait for five red numbers in a row, and then you bet black. If red comes up again you double the bet on black. Black then comes up and you win. What are the chances of 10 red numbers in a row? To an un-informed person it seems like a no-brainer to make money. The problem is it is statistically floored. The so called ‘bad run’ occurs far more frequently than one thinks, and you will run out of money before the casino. Casinos make a fortune from people making this mistake. Are these so-called slight miscalculations that end up costing fortunes avoidable or predictable? The strange thing about the martingale is that people are betting on ‘change’, yet in business people ‘bet’ on ‘no change’. In both cases the assumptions are irrational.
Recently writers such as Malcolm Gladwell (David and Goliath; Blink), Dan Ariely (Predictably Irrational) and Hassim Nicolas Taleb (Black Swan; Anti-fragile) have spent a huge amount of time trying to predict success and failure. The common theme is that human beings are not rational. Decisions are made for emotional reasons and then there is an attempt to justify them after the event.
Gladwell goes to great pains to explain that a many failures occur because of a false assumption that appears to be true. ‘Authority is legitimate’, has cost countless lives by people doing what is right, enforcing the law. (David and Goliath). Taleb believes that a business should constantly be tested with small ‘shocks’ so that it can become resilient or ‘anti-fragile’. Like the martingale strategy, Taleb suggests that senior management is blissfully unaware of how many incidents actually occur on a regular basis. Management is lulled into a false statistical assumption, that since they have been around for 5, 10 or 15 years that they are infallible and they can withstand a severe disruption.
Business Continuity Management addresses many of these statistical false assumptions head on through doing an actual test. A common error is that all our staff can work from home. This is an assumption that can destroy a company if it is incorrect. In most cases it is an untested incorrect assumption. In 2001 9/11 there were 430 companies in the World Trade Centre from 28 different countries. Approximately 50 000 people worked there and 140 000 visited daily. 2 606 people died in the buildings (excluding passengers) (Statisticsbrain.com). ‘In New York City, approximately 430,000 jobs were lost and there were $2.8 billion in lost wages over the three months following the 9/11 attacks.’ ‘Approximately 18,000 small businesses were destroyed or displaced after the attacks.’ (Wikipedia). Physical infrastructure is statistically far more important than people realise. ‘The In 2007 The Department of Trade & Industry survey on disaster recovery, found that of the 60% of UK firms that had a disaster recovery plan, less than 50% had conducted live tests involving staff in the past year. The danger, say experts, is that many companies base their plans on misconceptions and false assumptions.’ (IT security: Disaster Planning and Business Continuity after 9/11. September 2007)
In the words of the lecturer, ‘To not consider a Business Continuity Plan is a statistical error that could cost you a fortune.’
For these reasons, ContinuitySA is finding that more and more companies are looking for backup solutions that are fully managed and monitored by a specialist service provider, and that do not use tape as the storage medium.
When it comes to backup technologies, ContinuitySA believes that the ideal solution should include an onsite backup and recovery vault at each major location. Because most restores are required within 48 hours (accidental deletions of files and data corruption due to software faults are the most common reason for restore requests) this facility is very convenient. As it uses the existing local-area network, backups and restores are very speedy.
The backup vault should be a purpose-built appliance that can scale easily as well as integrate with new technologies. It should be designed to check the integrity of backups, and compress and de-duplicate data.
The onsite vault should then be synchronised to an offsite recovery site. Providing the right kind of bandwidth is very important to ensure that backups can be completed as scheduled and replicated offsite quickly, with full encryption across the whole process. It’s very important that the recovery site has the necessary server infrastructure on which to perform the restore but also to provide workstations for employees in the event of a major disaster.
As an aside, bandwidth is one of the reasons why cloud restorations don’t work that well. Most companies would take weeks or even months to perform a total system restore over normal Internet connections!
There are fairly high technical specifications built into all of this, which is why so many companies are partnering with a specialist provider like ContinuitySA. Whoever the partner might be, though, it’s very important that the client be provided with user-friendly dashboards and reports to maintain oversight, and that the parties meet regularly to ensure that the backup strategy remains aligned with the overall IT and business continuity strategies.
Data is becoming a key corporate resource—it’s really time to make sure it’s protected adequately with the right backup solution.]]>