COVID-19 was a global event and an organisation may not have the ability to control it. However, an organisation should have the ability to deal with impacts and protect the business
– Pic by Shehan Gunasekara
Road map of Business Continuity Planning – Part II
Enterprise Risk Management Plan
Enterprise Risk Management Plan establishes a systematic process to manage risks which would otherwise prevent an organisation achieving strategic, operational, program and project objectives and also to fulfil statutory and community obligations. ERMP directs staff to proactively search for the sources of risks and respond to risks with necessary remedial measures at an early stage.
Public sector organisations should approach this logically by defining a few analytical layers. Establishment of ERM Framework is important at the outset. This framework has information on strategies, policies, procedures, tools, forms and templates, management systems and reporting requirements. When developing this framework, the senior management would realise how resourceful the organisation is to tackle this challenge and if required concurrent projects should be implemented to bridge the resources gaps.
ERMP directs leaders to contribute to develop risk profiles for each of the divisions for which they give leadership. To establish consistency and comprehensiveness of the approach, ERMP will have broader pre-determined risk categories. This list could vary from organisation to organisation but having Financial, People, Reputational, Business, Environmental and Statutory Compliance would be a good start.
Under each of this category, there should be a list of objectives that are aimed to be achieved by managing risks. ERMP does not stop there. It outlines a list of generic risk descriptors. One descriptor could be ‘Inadequate Planning’. Another could be ‘Systems Breakdown’. Hence, for an example, under the ‘Financial’ risk category, the leaders of each unit are directed to investigate on inadequate financial planning risks and so on.
The quality of ERMP heavily depends on the quality of risk categorisation and risk descriptors. Hence, the services of an expert enterprise risk manager is recommended and he/she consults key staff members of each division and asks a series of probing questions to understand what each division is responsible for and does, what challenges they face, the degree of control they have to deal with these challenges, current controls in place, future actions required. This kind of consultation sessions would lead to develop a Unit/Division Risk Profile.
This Divisional Risk Profile will contain individual Action Plans to address the identified future actions. The leader of the division is responsible for implementing the action plan. The ERMP specifies the leaders to keep a History Log for each action plan so the Enterprise Risk Managers in the organisation can track the progress. After achieving the intended results, the Unit Risk Profile can be updated.
Any business activity contains inherent risks. A leader should not just look at the risk only. The leader must try to manage it by enhancing overall quality of good decision making. Hence, a good ERMP must specify good decision-making tools. There are many proven decision-making methods available but sticking to one method would not be a good idea. The popular methods such as Rational Method, Intuitive Model, The Recognition Primed Model may have own pros and cons. One good method which could be applied to many situations is Cynefin Framework developed by Dave Snowden in 1999 when he worked for IBM Global Services.
ERMP should outline the Risk Assessment Procedure that should be applied when managing risks. If one needs to comply with international best practice, ERM process specified in ISO 31000-2018 must be followed. As I have explained this process at length in my Daily FT article, ‘Risk Management: Everyone’s business’, I will not repeat it here. However, I need to remind the readers about the intention of the risk assessment. The level of risk is determined by combining the likelihood of an event occurring and the consequence if it occurs.
Treating the risk means to take appropriate actions to reduce either likelihood or the consequences or both. This will reduce the level of risk. The question is to what level the risk should be reduced. One should remember that managing risks is a costly exercise as it needs resources. Hence a good ERMP specifies acceptable risk threshold levels for a particular organisation. This is called ‘Risk Appetite and Tolerance’.
Risk Appetite is the comfort zone of the organisation and it is the level of risk the organisation is prepared to accept. It is important to note here that the acceptance of this level risks still costs the organisation, but the organisation is ready with resources to deal with such levels of risks. For each category of risks, the risk appetite is recorded in ERMP with a clear description. As an example, regarding ‘People’, risk appetite of an organisation may be at the lowest and staff may be advised to averse any risks involving people by considering all risk management options.
Risk tolerance is the highest level of risk an organisation can take. It is just below the break point of the organisation. In the ‘Level of Risk’ matrix (Likelihood vs. Consequence), a stepped line is marked to indicate the organisation’s tolerance level. If a risk level of an identified risk is placed above the tolerance line, the particular risk needs to be treated to make the residual risk level below the tolerance level.
Inputs and outcomes; Aforementioned details are listed in the core of ERMP. However, organisations are operated within a complex local, regional, national and global environment. Public Sector Organisations’ decision makings are being influenced by the Government, other regulatory authorities, legislation and regulation, public expectations, service standards and national and global economy. These are the inputs for the ERMP model, and the outcomes would be the organisational Vision, Mission, Values and Objectives.
Business Continuity Planning
An organisation which is ready with Enterprise Risk Management Plan could commence developing a Business Continuity Plan.
Any business or a public sector service provider is engaged with carrying out business processes. When a ‘business disruption’ occurs, the organisation must respond with actions to minimise or if possible, completely avoid the impact and continue with the critical business activities. Hence, the business continuity plan must outline necessary structural change options, protocols, processes and contingency resources, to deal with such an event.
It is important to mention that the Business Continuity Plan is only activated in an event of a very low probability, very high consequence event. Other business disruptions must be addressed through normal business processes and such risks should already have been anticipated in the Enterprise Risk Management Plan with built-in controls in place.
BCP does not pay any attention to the cause of the disruption and it is about managing impacts. BCP is a live document and it should always reflect current status of the business. Also, it outlines ‘what to do’ in an event of a business disruption. It should not specify ‘how to do’ because the characteristics of the disruptive event is unknown until the business faces it. The Executive Leadership must know what the critical business activities are and to continue with those activities, what operational conditions must be established. The management has the flexibility on ‘how to do it’ or the method they must adopt to establish these operational conditions.
BCP must specify responsibilities of all key staff in the organisation during a business disruption scenario. This may mean, some of the existing staff require special training to carry out certain one-off activities. Therefore, BCP is a living document which prompts certain on-going activities during peace time. The executive leadership must envisage regional or international situations which they don’t have any control at all. COVID-19 is a classic example of such a situation. Here, the business should plan for a total shutdown including execution of critical activities and there should be a plan to ensure the business can be revived at the end of crisis.
For that, there should be a plan to use the staff for an alternative business which could be started in a short period of time. To do this, the staff should have pre-training as well. It is noted here that this is done only for survival. Therefore, some businesses diversify their businesses. The public sector can reallocate staff to different organisations short-term to get service output rather than paying their salaries without getting any service.
The steps followed by the management to develop a BCP differs organisation to organisation. However, the basic principles remain same. All organisations must have a vision, a mission and objectives. Then, they must have resources to achieve objectives. In this endeavour, an organisation performs critical functions and non-critical functions.
It is easy to identify critical functions. The acid test is that if a staff member fails to perform a critical function, the organisation should fail to achieve an objective which is characterised by stated quality and quantity. Non-critical functions which can be termed as ‘capable to do’ and ‘nice to do’ to achieve competitive advantage among others, can be put on hold for a limited period without any significant impact to the organisational objectives. However, such functions can become critical if they are kept on hold for a long period. So, the first step would be to list all critical activities in the organisation. The intention is to have all key resources available to support critical activities.
As a preparation of BCP, senior management must do a business impact analysis. This analysis identifies the impacts of function loss on the organisation, when critical activities are disrupted by an event. This will lead to prepare a Critical Activity Plan. Most of the risk management information recorded in the Enterprise Risk Management Plan are transferred into the Critical Activity Plan. BCP accommodate risks affecting critical activities only. BCP is the course of action taken to manage functional loss as a response and recovery from the disruptive event.
During a disruptive event progressing, non-critical activities will also be affected but they are ignored. However, a good BCP must have a Non-Critical Activity Plan as well. The BCP has a nominated Business Continuity Team (BCT) and a list of Key Staff Members to support the BCT on the implementation of BCP. It should outline each nominated employee’s role and responsibilities, personal contact details, resources availability for them and the authority given. Also, in the BCP, there should be maximum time limits the organisation can tolerates the loss of critical and non-critical activities to survive as a business. This space does not allow me to give all detailed steps and information that should be included into a BCP. However, my attempt is to give the leadership an overview of a BCP.
All organisations including Public Sector Organisations must develop a Risk Management Strategy and an Enterprise Risk Management Plan first before developing a Business Continuity Plan. These plans must be continually updated and should represent current status of the organisation. COVID-19 was a global event and an organisation may not have the ability to control it. However, an organisation should have the ability to deal with impacts and protect the business and the employees until the disruptive event is managed by others.
By the way, I believe that many private and public sector leaders including key staff members may well be ‘working from home’ to practise social distancing. This is a perfect opportunity for them to think about developing a Risk Management Strategy, Enterprise Risk Management Plan and a Business Continuity Plan for their organisations. I can vouch you that it will be a worthy effort as disasters never cease to emerge.
(Eng. Janaka Seneviratne is a Chartered Professional Engineer, a Fellow and an International Professional Engineer of both the Institution of Engineers, Sri Lanka and Australia. He holds two Masters Degrees in Local Government Engineering and in Engineering Management and at present, works for the Australian NSW Local Government Sector. His mission is to share his 32 years of local and overseas experience to inspire Sri Lankan professionals. He is contactable via [email protected].)