By Ross Ladley, Avalution Consulting
Originally posted on Avalution Consulting’s Business Continuity Blog
Business continuity is an often talked about risk management practice, especially with what appears to be an ever-increasing number of serious disasters, including Superstorm Sandy, the California wildfires, and the Japanese tsunami – and that’s only natural disasters! Disruptive incidents can stem from major events such as these, but they can also originate from events that are far less visible and widespread, including sprinkler malfunctions, power outages, supply shortages, and IT disruptions.
This perspective discusses why organizations make the decision – or should make the decision – to invest in business continuity planning.
Before we get into the details of why business continuity is important for any organization, let’s introduce a few misconceptions.
- It is common for people to confuse business continuity planning with other types of preparedness efforts, one of which is emergency management. Emergency management is commonly defined as a process that delivers health and safety protections, for example accountability, evacuation, or shelter-in-place. Although emergency management delivers organizational value and is an important prerequisite to business continuity, it is not focused on recovering resources affected by a disruptive incident. Business continuity planning, by contrast, focuses on designing, implementing, and maintaining strategies that minimize the likelihood of a disruptive incident affecting the organization, and that enable an efficient response and recovery of all affected resources in order to minimize impact if a disruptive incident does occur.
- Some organizations are under the impression they do not need to maintain a business continuity program because they have adequate insurance policies in place to protect against catastrophic loss. Although an insurance policy can protect the organization from large-scale financial impacts, insurance does nothing to help the business resume operations, meet customer expectations, mitigate reputational impairment, or protect market share.
- Business continuity is often considered a project with a distinct start and end date. Proper business continuity is a life cycle that becomes ingrained within the culture of your organization. Business continuity strategies and plans should be regularly reviewed, updated, and tested to allow the program to stay in sync with organizational strategy and continually improve and change as the organization does. The harsh truth: if you’re approaching business continuity with the mindset of “set it and forget it”, then you are simply wasting your time.
Business Continuity Drivers
So what drives organizations to invest time and resources in business continuity planning? Although there are many different reasons, most organizations cite three primary drivers:
- For many organizations, regulatory requirements drive business continuity planning. In the United States, healthcare organizations must comply with HIPAA requirements, financial institutions are subject to FFIEC regulations, and public utilities are bound by requirements set by FERC and NERC, to name a few.
- In addition, many business continuity programs are driven or influenced by customer demands that require specific planning processes (i.e., annual tests) and/or proof that business continuity capabilities are in place (e.g., business process X can be recovered in 24 hours).
- Still other organizations might begin pursuing business continuity because of an audit finding, or because of a management directive stemming from the recognition of its “duty of care” to protect resources and minimize loss caused by disruptive incidents.
The 2011 Japanese earthquake and tsunami serves as an example of Driver #2 above, and remains an often-cited example of missed customer expectations. In recent years, automakers and technology manufacturers have moved towards just-in-time manufacturing and single-source suppliers to secure favorable pricing and drive down production cost; however, these practices expose companies to major levels of risk. Infrastructure damage and rolling blackouts resulting from the 2011 tsunami took manufacturing plants offline across Japan, causing major disruptions to the automotive and technology supply chains. The event interrupted manufacturing plants for days to months in some cases, while others never recovered. Toyota’s production was severely limited for nearly six months after the event – even shutting down plants in the United States due to supplier outages in north-central Japan. As supply chain processes mature and adapt from these disruptions, expect customers to require business continuity planning and proof of recovery capabilities, especially from critical and single-source suppliers.
Additional Resource: The Top Five Questions to Ask Your Critical Suppliers
No matter what the organization’s specific reason is for performing business continuity planning, the benefits of planning will be felt throughout the entire organization when faced with a catastrophic situation.
The Value of Planning
The business continuity planning process and its outcomes provide tremendous value – certainly following the onset of a disruptive incident, but beforehand as well. Here are a few examples:
- Financial Benefits – investing time and money in business continuity planning will save the organization far more in the long run by decreasing financial impact associated with a disruptive incident, including lost revenue, fines, penalties, and other opportunity costs. Additionally, when marketed appropriately, strong business continuity programs can become a competitive differentiator or may aid in controlling insurance premiums.
- Improved Performance – business continuity planning can bring to light many opportunities for operational and organizational improvement that not only improve preparedness, but can also highlight opportunities for improved efficiency or other forms of process improvement.
- Knowledge Management – the business continuity planning process will inventory and establish relationships between activities and resources, including facilities, equipment, people, IT assets, and third parties, as well as build an understanding of the legal, regulatory, and contractual obligations associated with the organization’s key products and services.
- Understanding of Risk – the business impact analysis and risk assessment process will enable the organization to truly understand and assess threats, vulnerabilities, controls, and risk mitigation opportunities.
Superstorm Sandy provides one of the most salient examples in recent history of the frailty of both individual organizations and the critical infrastructure supporting them. This historic weather event caused serious impacts throughout the northeastern part of the United States – affecting transportation, utilities, and telecommunications. Additionally, interruptions to the fuel supply throughout the region crippled transportation and knocked out backup power generators. The storm also affected prominent websites including Huffington Post, Buzzfeed, and Gawker Media, as a result of a power outage affecting their common hosting provider, Datagram. The fuel pumps that powered Datagram’s generators were located in the basement, which was severely flooded by the storm.
A now-infamous text sent from a Datagram official to Buzzfeed read: “Basement flooded, fuel pump off line – we got people working on it now. 5 feet of water now”. Despite the magnitude of the storm itself, that’s not the way you want to find out the backup power for your sole-source supplier has failed.
So, how would a business continuity program have helped in this situation? A proper business impact analysis (BIA) would have resulted in formal business continuity requirements. The BIA would also have led to the identification of a reliance on a sole-source supplier supporting a critical service, in this case hosting THE service. In addition, a risk assessment at Datagram would have identified the key piece of infrastructure for backup power residing in an area with potential for flooding. And lastly, business continuity planning would have led to the identification of an alternate hosting facility consistent with recovery requirements.
Business continuity planning provides clear value to any organization by developing the capability to respond and recover from a disruptive incident. What’s more, business continuity practices can allow an organization to meet regulatory or audit requirements, deliver a competitive advantage in the marketplace, and allow management to more clearly understand its resources and risks. Many experts debate the frequency of major natural disasters and communicate the frailty of today’s supply chains. Even if you challenge these points and think “it will never happen to me”, is it really worth taking that risk? Business continuity planning doesn’t have to be a time-consuming, exhaustive process; rather, it needs to align preparedness to the strategic needs of the organization, as well as its obligations.
Business continuity planning is a core element of an organization’s risk management program. Proper planning allows your organization to understand its risk associated with disruptive incidents, develop strategies to protect its ability to deliver critical products and services, and plan for the recovery of operations in the event that an interruption does occur.