Roadmap of Business Continuity Planning – Part I: Risk management strategy

Friday, 24 April 2020

The COVID-19 epidemic has put businesses off footing and under enormous pressure as a single virus-infected person in an employee group can trigger the quarantine process for all employees who had any contact with that particular employee. The risk management strategy must outline the organisational approach in achieving each objective area – compliance, quantity and quality – Pic by Shehan Gunasekara

The media is inundated with articles on COVID-19. I have no intention to add another. My attempt is to explain what such a global event does to an organisation and how an organisation could survive the adverse impacts.

As many do, I do work from home. My employer had a Business Continuity Plan (BCP) in place well in advance and it was implemented when the Australian Government enforced public movement restrictions, social distancing rules and ‘work from home’ for all who can. As this was an unprecedented event, the BCP had to be tweaked to suit the situation, but it was a seamless transition from the developed to the implemented.

I supervise my team remotely. I set up a team plan and each of my team members has a weekly plan. Their daily work is aimed at achieving the weekly plan. When they stick to weekly plans, my team plan items are achieved automatically. All activities are to be recorded electronically and saved in a network drive to which I have access. Audio visual meetings are being held via the Microsoft Teams application. Service provider invoices are being paid electronically. The list goes on.

It is not a perfect working set-up to replicate the office set-up. However, by only concentrating on essential duties, my team is allowed to spend time on continuous improvement activities such as updating and developing work processes and procedures. I also use this opportunity to inspire them to critically think about both employer and community expectations and to suggest to me better ways to fulfil those expectations. Shutting an office and informing the public that delivery of services has been suspended indefinitely is not the correct response during this kind of disruptive situation.

On 18 August 2017, Daily FT published one of my articles on Risk Management. (http://www.ft.lk/columns/Risk-management-Everyone-s-business/4-636001). I was amazed by the overwhelming response from the professionals on the subject matter. Notably, I got a request from a senior management officer attached to a Sri Lankan Government-owned aviation regulatory authority, inquiring about the possibility of conducting a risk management workshop for the senior staff. I straightaway expressed my willingness to conduct it free of charge. However, I had to request her to facilitate my travel as I had just been to Sri Lanka, a few weeks before. I could not afford a repeated visit within such a short period of time. Unfortunately, she could not proceed with this arrangement due to the strict bureaucratic rules and regulations in the organisation on staff training.

Within a year, I was compelled to write again on the same subject, that time due to an industrial accident that happened in Horana, resulting in five tragic deaths. (Ref: http://www.ft.lk/columns/Playing-with-ammonia/4-655062) On that occasion, I touched on the suite of operational documents produced in organisations to manage safety of employees. I do not know whether any Sri Lankan employer drew due attention to produce the best practice employee safety and health documentation I explained.

Here I am, after more than two years, still regretting that I could not educate the aviation authority staff on practical risk management processes. I could have helped them to develop an Enterprise Risk Management Plan (ERMP) which is an essential pre-requisite to develop a Business Continuity Plan (BCP) which could have been handy to face the organisational risks that emerged due to the COVID-19 pandemic and for them to continue with core business activities. However, what I don’t know is whether they proceeded with developing an ERMP and a BCP without my knowledge. If they did, I am more than happy because such an action was my intended result of writing the aforementioned article.

Renewed focus

The scope of this article is to explain the development of a Business Continuity Plan for an organisation which is the last step of a stepped process and also to emphasise such a plan is essential for a business/service entity for getting ready with alternative business processes to tackle business disruptions. However, a comprehensive BCP cannot be developed without developing an ERMP. 

I am aware that major private sector organisations do develop ERMPs and BCPs as an integral part of their business management systems. However, I doubt that the same is practised in the Sri Lankan public sector service organisations and in the Government-owned business entities. This article is for them and for the students who are planning to serve the government sector in future.

ISO 31000 – Risk Management

This international standard provides the basis for the design, implementation, maintenance and improvement of risk management processes, considering the whole organisation-wide management system. My previous article provides adequate information to understand this process and the steps.

Besides, I need to reiterate the definition of risk. Risk is defined in ISO 31000 as “the effect of uncertainty on objectives”. This effect can be positive or negative. It is easy to understand the negative effect as the universal understanding of the risks leans towards losses and disruption. However, the understanding of positive effects needs one to think laterally. 

The COVID-19 epidemic has put businesses off footing and under enormous pressure as a single virus-infected person in an employee group can trigger the quarantine process for all employees who had any contact with that particular employee. 

Due to the extreme consumer behaviours during this event, some of the products became high in demand. This was a short-term demand. High demand for a product is a positive risk generated from the event for a producer. The producer could take two options under this circumstance. If a producer is unethical and interested only in short-term gains, a company can increase production quantities with available resources and also they could increase the wholesale selling price of the product at the same time. In the consumer’s eyes, this response is socially irresponsible and unethical, but the fact is that there will be enough consumers to buy the product at exorbitant prices.

The other option is to acquire more short-term resources, increase the production and also slightly reduce the wholesale price of the product. This action must be coupled with a good advertising campaign, displaying the company’s socially responsible behaviour during the social crisis. Not only would this option result in higher production and more sales, but the consumers would also become ardent customers.

Many companies go for option one as they are not strategically aligned to adopt option two. Only companies who have pre-planned to face business risks could adopt this best option. This is where the ERMP and BCP serve the purpose.

Risk management strategy

Public sector corporations and departments provide a range of services to the public and these entities must have clear, established operational and strategic objectives. All public sector organisations must acknowledge that an element of risk exists when striving hard to achieve operational and strategic objectives. This is why things can go wrong. Hence, each public sector organisation must develop a risk management strategy. This is a written commitment expressed by the senior management that they take risk management as a serious affair and how risks are managed.

The vision of this strategy is to embed risk management culture into all aspects of the public services planning and delivery so that the stated organisational and strategic objectives could be achieved as planned. Any strategy must have listed objectives.

Compliance objective: The main compliance tool within the risk management strategy is the Enterprise Risk Management Framework (ERMF). Hence, the strategy must aim at compliance with ERMF.

Quantitative objective: Risks are everywhere. The public service providers must identify all potential risks. Associated risks must be identified from the point an employee steps out of home until he or she returns home, performing official duties. Risks associated with service design, planning and delivery by the employees must be identified considering all external and internal customers and influences on the decision-making. This is the quantitative objective of the risk management strategy.

Qualitative objective: One cannot run a business without taking risks. This does not mean that businesses are to be operated blindly. This is about the organisation’s risk appetite and tolerance. This is the qualitative objective area of the risk management strategy. Some medicines are bitter in taste. Although a patient prefers a tasty medicine, there is no other option except swallowing a bitter pill if it is the only option to cure the ailment. This is about organisations accepting certain risks. It must be emphasised that the risk appetite and tolerance levels are to be pre-established. The risk absorptions are to be closely analysed and monitored as it could become a financial burden.

The risk management strategy must outline the organisational approach in achieving each objective area – compliance, quantity and quality. 

There are ‘focus’ elements in a strategy. Risks affect all internal and external stakeholders associated with the business. This includes the customers who buy or receive products and services. So the basic premise is that all stakeholders must be aware of the risks they may face and must be willing to contribute with their feedback to the service provider to include potential risks into the Risks Register.

Hence, one focus element would be the stakeholder consultation. This is more than just ‘communication’. In a hierarchical Sri Lankan public sector organisation, this is a very difficult exercise. Typically, the senior management just communicates the information and instructions, not necessarily allowing all stakeholders to provide input prior to such distribution. Therefore, the senior management often does not get the desired results. Especially, the stakeholders understand better the risks relevant to their personal behaviours and also operational level risks. Hence, only during the consultation process would all get to know each other’s concerns.

In the Sri Lankan public sector, being a hierarchical system, it is easy to identify the leaders. In this set-up, each employee looks up to the behaviour of his/her leader. In the risk management domain, if a leader does not demonstrate visible commitment to the enterprise risk management elements, the leader cannot expect reciprocal commitment from the employee. Hence, top-down demonstrable leadership is an essential target element in the risk management strategy.

Any organisation can develop plans, but the successful implementation is dependent on the organisational capability. It is the employees in an organisation who possess the capability. Just having a top-notch senior management is not enough. The right people of right attitude must be in the right positions at the right time. Only a visionary leadership of an organisation can make this happen. Having made this happen, the management can confidently declare that the organisation can incorporate an enterprise risk management plan into its operations to achieve organisational objectives.

How does an organisation know that risk management objectives have been achieved? This needs a measuring mechanism which is an integral part of a risk management strategy. How does the senior management of a public sector organisation know that the employees are complying with the enterprise risk management plan when making operational decisions? This can only be done by setting benchmarks for each operational area and forcing upward reporting on achievement/non-achievement of benchmarks. This must be supplemented with audit programs. ERM status reporting at the manager and the director levels would be of strategic nature and it could even trigger updating and revising of the ERM framework.

Every public sector organisation must develop risk profiles at project, program, operational and strategic levels. Risk profiling would identify risks associated with the activities performed at each level. These risks must be assessed following the procedure outlined in ISO 31000. Identified risks must be linked with the organisation’s divisional or unit plans. As a Key Performance Indicator, how many risk profiles have been reviewed each year must be recorded. The identified risks are to be fed into the Business Continuity Plan. Hence, it is important to test the Business Continuity Plan at divisional level to verify the identified risks represent the testing scenario.

How does the senior management make sure that all identified risks are being managed by staff in accordance with the organisation’s risk appetite and tolerance? This can only be done by keen observation of risk management records and also by reviewing incidents that have occurred. It is essential to provide necessary resources and tools for comprehensive risk assessments. Provision of software applications, forms, templates and giving necessary training to use these is paramount to declare employees are working towards achieving risk management strategy objectives.

Having a risk management strategy developed, the organisation is now ready to swim in uncharted waters. Development of a comprehensive enterprise risk management plan is an essential ingredient of a sound Business Continuity Plan.

Hence, part II of this article will describe the development of the enterprise risk management plan and the Business Continuity Plan.

(Eng. Janaka Seneviratne is a Chartered Professional Engineer, a Fellow and an International Professional Engineer of both the Institution of Engineers, Sri Lanka and Australia. He holds two Masters Degrees in Local Government Engineering and in Engineering Management and at present, works for the Australian NSW Local Government Sector. His mission is to share his 32 years of local and overseas experience to inspire Sri Lankan professionals. He is contactable via [email protected].)
