Tuesday, 8 December 2015 00:01
By Nalin Wijetilleke
The threats around us are growing at an alarming rate. This is a well-known fact. This growth has been phenomenal over the past decade in its scale and sophistication. These threats arise from various corners, be they technological, people-related, infrastructure, supplies, natural disasters, disease and pandemics, cyber-attacks, and so on. Organisations encounter massive financial losses and public embarrassment due to manifestations of these threats, and often they are irrecoverable.
Across the world, organisations take preparedness against such threats very seriously. Conscious effort is made to develop strategies and plans to be able to face unexpected disruptions or disasters bravely. Possibly due to a lack of proper understanding and the non-availability of skill sets to build response and recovery plans, some organisations fall into the trap of a ‘false sense of preparedness’, though no one deliberately creates unusable business continuity plans.
Businesses need to prepare and protect their key activities, which can be called ‘mission critical’. Any disruption to these activities has damaging impacts on the business. Their risk exposures and vulnerabilities need to be understood and defences built around them. Unless building such defences is approached systematically, one could get lost in the myriad of activities and processes within the business. They often fail to see the wood for the trees.
Sri Lanka is on an ambitious strategy for improved trade and economic growth. Organisations in both the private and public sectors have a major role to play. They are the cogs in the wheels that move the economy. They need to deliver their products and services on time consistently, conforming to quality standards or specifications. Non-adherence to those expectations has cascading impacts across many organisations, creating huge losses and damage. Hence, all organisations, whether a small business catering to the local market or a large business house dealing with a large number of customers, both local and foreign, have to be ready and not affected by unforeseen disruptions. They need to have effective policies and strategies to weather the storms, which may come unannounced. The solution is having robust business continuity management systems. These promote organisational resilience to the shocks of the unexpected, and social and economic well-being.
Is it a cost or an investment?
The traditional view of considering business continuity management as a cost centre is changing. The recent events of power disruptions, floods, landslides, industrial actions etc. each had their own story of loss of productivity and serious consumer impacts. Apart from those, some of the common disruptions Sri Lankan organisations face are technology system outages, cyber-attacks, supply chain disruptions, machine breakdowns, denial of access to premises and sites, or people-related issues. As a result, businesses are impacted, customers and end-users are severely affected, there is loss of revenue and, for some, there may be a drop in share value. Even minor disruptions, when taken cumulatively over time, amount to a significant loss of productivity.
Moreover, the other negative impacts are loss of customer confidence, loss of market share, and loss of organisational reputation. Such disruptions are also a huge burden to society and to the economy in general. When organisations fail to deliver the products and services as anticipated by the consumer, often it is also a humiliation to the leadership. The sum total of these impacts cannot be quantified in rupees and cents. Most often, the benefits gained far outweigh the investment in incident preparedness and business continuity management. Those who have proven incident response and recovery strategies are the winners! They save on the loss of production time. They have a happier workforce. They may pay less on insurance. They pay no penalties for breach of service contracts. The list goes on!
However, the investment in business continuity has to be prudent and effective. Unfortunately, due to a lack of proper understanding and of available skill sets, some organisations tend to spend unwisely and the results are not impressive. They need to up-skill their staff in effective ways of designing, developing, implementing and maintaining business continuity programmes. Then the effort and investment will have their benefits and contribute toward profits.
Disciplined approach
A lot of research has been done in understanding how disruptions to business activity can be minimised, if not prevented. Over the years, the art and science of protecting organisations, as well as communities, has emerged as a discipline across the world. Preparing for the unexpected, however, is not a novel idea for Sri Lankans.
From the times of the kings who ruled ancient Sri Lanka, people were protected against drought and starvation by building large tanks and reservoirs. Irrigation was considered a top priority. By gaining a deeper understanding of their approach and methodologies and combining them with modern knowledge and strategies in continuity and disaster management, Sri Lankan organisations could benefit immensely.
As a discipline, business continuity has well-proven frameworks. Business continuity policies need to be established. Knowing and understanding those activities that are very important to protect, and how to apply the most effective strategies and plans when needed, ensures resilience in communities or organisations. The strategies and plans have to be validated to ensure they work when needed. People have to be trained. They need to have arrangements in place if the worst happens and a crisis is declared.
It is an ongoing programme and not a one-off project. Maintaining the readiness to respond has to be the intent, and it needs to be continually improved. Business Continuity Management is not a ‘tick-box’ compliance requirement. At a high level it may look OK, but plans have to work seamlessly when needed.
Incident readiness is everyone’s responsibility
Although the accountability for ensuring the organisation has robust, well-tested strategies and plans lies with top management, and authority is delegated to a senior manager to develop and implement business continuity management in the organisation, every individual has some role to play.
The functional and operational staff get involved in plan development and maintenance. They will know how to respond and when to respond.
They will know how to recover when things go wrong and how to restore and return to normal.
Business continuity as a governance requirement
Corporates are effectively aligning corporate governance practices and risk management processes with business continuity, heightening the levels of assurance through risk-focussed approaches. Organisations have begun to accept the benefits of business continuity management as an integrated part of product or service delivery. To ensure a common understanding of implementation methods, various countries have developed their own business continuity management standards. The common ones are the British Standard BS 25999, the Singapore Standard SS 540 and the Australia/New Zealand Standard AS/NZS 5050-2010. However, ISO 22301:2012 has now become the global standard and organisations in most countries are being aligned to it.
For financial service institutions, the availability of business continuity arrangements is mandatory. Principle 10 in the Basel II ‘Principles of Sound Management of Operational risks’ categorically states that ‘Banks should have business resiliency and continuity plans in place to ensure an ability to operate on an ongoing basis and limit losses in the event of severe business disruption’.
Conclusion
Business continuity management is not a glamorous activity to display organisational might, but a holistic risk mitigation discipline vital for survival. All organisations, irrespective of size or shape, should not be blindsided. The general temptation for businesses is to focus only on the upside of building revenue, building customer portfolios, launching new products or services, or even carrying on happily with their daily routine. This blindsided approach is dangerous and there is a huge risk of business failure. As discussed, unforeseen events could come at any time from any direction. Organisations have to be prepared to mitigate those risks.
By gaining the right skill sets and awareness, organisations could start developing ‘fit-for-purpose’, cost-effective business continuity strategies and plans. It is more than just having insurance plans; it ensures resilience and a continued future.
(The writer, MBA, CISA, CGEIT, MBCI, CBCP, PMP, CMC, ISO 22301 Lead Auditor, ISO 27001 Lead Implementer, is Director and Principal Consultant, ContinuityNZ Ltd, New Zealand.)