As I write this I am waiting at an airport for a plane from Point A to arrive at Point B and to continue, with me on board, to Point C, too late for me to make my connecting flight to my destination.
At first glance, this is something over which I have no control. I certainly can’t control the weather, the air traffic controllers, or even the airline.
For all that, I am expected to be at my destination for an early morning meeting.
As a professional business continuity planner, I should be expected to "plan ahead" and be prepared for all contingencies.
Translation: If I miss the meeting it’s my fault. Blaming the airline or the weather won’t impress the people I am to meet.
Things happen. Business continuity planners are expected to anticipate things that normally occur. Delayed flights fall into that category.
What has that to do with business continuity?
We work to protect our organizations from risks which can impact the organization. Weather, technology, human error.
Rarely do we look beyond the well-manicured lawn of our organization’s facility.
That’s a mistake.
Planners need to look at things beyond their control, at potential risks to any organization that could impact their organization’s operation.
For example, the next door neighbor.
What organizations are nearby? What do those organizations do? Do they manufacturer a product, provide a service?
Is the product or service controversial? Does it use parts from a controversial supplier or sell to a controversial customer? Does it require animals for tests?
Even if the neighbor has a bland product – insurance, for example – consider the personnel staffing the organization. One insurance company I know has very tight security because it employs a large number of retired military, and the company feels there are those who have a "problem" with retired military personnel.
Is the neighbor’s company unionized? What type relationship does management have with the unions? A work action at the neighbors may not lead to a work action at your organization, but it could disrupt traffic and possibly scare away both your employees and potential visitors – read "customers" and "financial backers."
While considering work actions, what is the situation with the municipality which provides police and fire protection? Most government employees are prohibited from striking, but everyone has heard about "Blue Flu." Do police and fire personnel have a history of work actions to make their labor points? If they do, consider lack of protection a risk that, while beyond your control, is well within your area of responsibility.
If you are thinking about private guards and double-checking the building’s fire suppression system, you’re heading in the right direction.
Most of us realize vendors can be a risk.
Many of us write it up as a risk and stop there. What can we, as planners, do to reduce the risk that something will prevent a critical vendor from meeting its service level agreement (SLA).
It’s not in our control.
Yes. And no.
I once worked for an 800-pound gorilla in the financial industry. This household name organization jobbed out much of its work to vendors scattered across the lower 48 (states), so much so that if a critical vendor failed to meet its SLA, the company would have a serious image and possibly an equally serious financial problem.
I recommended the gorilla review each critical vendor’s business continuity plans. Actually, I recommended it request plans from each vendor and I would review (perform a "gap analysis") each plan. It requested, and I reviewed.
The bottom line was that the gorilla knew which vendors had reasonable plans and which needed help and encouragement to improve. The vendors received a free plan critique, and this planner learned some more about planning in various industries.
Seeing a win-win situation, the gorilla made plan review a part of its contract requirements.
(How much does a vendor need to share with a potential client? DRJ has published articles on this subject in the past.)
One vendor concern frequently overlooked is the vendor’s vendors.
If the vendor supplies a product or service, that product or service must be delivered to your organization or to your organization’s client on your behalf (i.e. a drop ship).
Electricity is a good example. It is delivered to your facility via wires. The wires (potential failures) stretch from the generating plant (potential failure) to a sub-station (potential failure) to a transformer (potential failure) to your facility. Somewhere along the way, your vendor probably is connected to a multi-state power grid and, following some massive failures in the northeastern U.S., we know the grid is a point of potential failure.
As a smart planner, you are prepared for power failures, with a generator sitting outside the info-tech area, fueled and ready to keep the servers serving.
The nagging question? Is the generator really ready (is it tested regularly) and will it support the profit centers?
Moving goods and people (to provide services) is similar. Many organizations are international in scope: raw materials are shipped from the Far East to North America, processed and shipped on to Europe and Africa. Getting the goods from point of origin to destination requires multi-modal transportation and tons of paperwork.
A hiccup at any point can cost the organization money and image, and the potential for a hiccup along the way is great.
Are those hiccups within the planner’s purview? Since we know they can happen, the only answer is, "Yes." U.S. courts ruled twice in 2005 that failure to avoid or mitigate predictable threats are actionable.
Planners normally "round up the usual suspects" when they think about "critical vendors." Who provides the raw materials? Who handles communications? What internal team provides computer services, and who is responsible for facilities? Often, however, we overlook vendors who seem less than critical – until their product or service is needed.
If the organization depends on pre-printed forms from a local printer, and if the organization has been ordering the forms and receiving them in 15 days since Hector was a pup, the printer hardly would be considered a critical vendor. But let a fire destroy the facility and everything in it, and the printer may suddenly become, if not "critical," at least "important." While this may not suggest having a back-up forms supplier, it should suggest having off-site storage for important forms, at least in a quantity to last until new forms are printed and delivered.
A more important vendor is the financial backer. Consider this lender as a "money vendor."
While a few organizations are big enough to fund their own activities, most depend at some point on lenders or lending consortiums.
As much as the lenders want to assure their financiers that your organization is financially sound, your organization needs to be assured that projects it starts with "money vendor" funds will be completed with sufficient external capital at an agreeable interest. If the lender fails in mid-project, your organization could be left holding the proverbial "bag."
Admittedly, a planner usually is not in a position to do more than advise management of the many pitfalls facing the organization.
Despite that, it is the planner’s obligation to point out the risks the organization faces. As with all risks, the planner needs to carefully consider ways to avoid or mitigate the discovered risks.
In most cases, risks beyond the planner’s control still can be avoided or mitigated, sometimes with a response as simple as scheduling a little more delivery lead time. Sometimes, the mitigation recommendation may be to contract for alternate suppliers or to assist a favored vendor to improve its business continuity plan.
All risks may not be within the planner’s "area of authority," but the planner is remiss if he or she fails to anticipate them and recommend appropriate measures.
That’s our job.
John Glenn, MBCI, has been helping organizations of all types avoid or mitigate risks to their operations since 1994. Comments about this article, or others can be made at http://johnglenncrp.0catch.com/ or e-mailed to JGlennCRP@yahoo.com.
"Appeared in DRJ's Winter 2007 Issue"