Sunday, June 14, 2009

Initiatives for Organisation’s Business Continuity Plan (BCP)

****************************************************************************************
ACKNOWLEDGEMENT

This article was published in the New Straits Times on September 27, 2003

Reproduced here with permission from the author (Dr.) Joseph Eby Ruin
****************************************************************************************

1.0 Business Continuity Plan (BCP) deliverables

Typically, a BCP is prepared to document the following deliverables:
  • Identifying tasks to be undertaken, and the responsibilities of various personnel in the disaster management team or committee (DMT)
  • Stating the job of a BCP coordinator
  • Identifying the contact numbers and addresses for DMT members and support resources required; and
  • The communication matrix or template required to notify stakeholders, the public, and the media

The plan in the BCP defines the business resumption procedures that encompass the critical business processes of an organisation. It details the key resources to be used and the various action plans to be initiated so as to recover these resources for business continuity. Key areas to be documented in the BCP would be:

  • Formalising the recovery team's set-up, and granting them the mandates and power
  • The recovery team's roles
  • Minimum and necessary support staff needed
  • Location of the organisation's control command centre (CCC) and mission-critical facilities required
  • Protection and location of critical information
  • Identification and testing of the business recovery site for the critical functions to continue
  • Telecommunication requirements of the business operations of the organisation
  • Personnel requirements (the "red-label" staff) to deliver the agreed level of minimum services; and
  • The location and stand-by roles of "green" and "yellow-labelled" staff

2.0 What determines a BCP's success?

As BCP is the heart/brain of any organisation's continuity management strategy, its success depends on the following:

  • Effective implementation and testing of the documented BCP procedures, and getting them understood across the entire organisation
  • The hands-on application exercise for staff who are directly involved in the execution of the plan
  • Awareness programme to ensure enterprise-wide adoption of the plan

3.0 The continuity culture and awareness

All proposals identified in the BCP should be implemented as a matter of commitment, otherwise the effort, time and investment made in its preparation will be wasted, redundant or at best become superfluous. The same goes for the awareness programmes that have to be embarked upon so as to provide the assurance that the entire organisation is competent and confident in the plan’s success and effectiveness.

All parties must appreciate the importance of BCP to the organisation's survival and their roles in the process. This awareness should extend to external stakeholders and third parties whom the organisation depends on in both normal and crisis operations.

By implementing the BCP in this manner, all those involved in the invocation of the BCP can have full confidence in the organisation's ability to manage a crisis. With such commitment, the BCP-involved staff will have that “continuity culture” in their work habits. This kind of value shall put an organisation head and shoulders above the rest as far as organisational resilience is concerned.

4.0 Appointing an organisation’s BCP coordinator

A BCP coordinator is to be appointed. He is to report directly to the board member responsible for the BCP programme. A coordinator has to understand the organisation's business structures, corporate objectives and the various people who make the organisation tick. Ideally, he is seen as a good programme manager with superior communication and interpersonal skills. He is a good leader and has a good understanding of the cost and budget dynamics, as the setting up of business recovery sites (hot, warm, cold sites) is not cheap to initiate and maintain.

5.0 The relevance of awareness, dryruns and training

A BCP has to be practical and implementable. BCP is a live strategy, hence it needs periodical updates with revisions for applicability, suitability, and efficacy for maximum value-impact. If the BCP document is merely printed, then distributed and turned into a “showcase or decorative file”, then that organisation’s BCP initiatives have failed and the whole exercise is futile.

If an emergency is declared and the organisation is obliged to invoke its BCP, it would fail, since no one (or not all the critical staff) would have any idea of its contents or know the moves to initiate. Thus, there is a dire need to underscore the importance of BCP awareness and testing for the staff, especially the red-labelled staff who will become the main initiators when a crisis strikes.

An organisation's BCP cannot be considered “fool-proof” until it is tested and proven workable. Testing or BCP-exercising can take various forms – from communications plan test to partial systems test to partial system and business simulated test to full-system and business live test. The frequency of exercise may be at a minimum of once a year.

6.0 Knowing the organisation’s stakeholders’ expectations

When a crisis occurs, there is the need to recognise the various stakeholders. The list may vary, depending on the nature of the crisis. Typically, an organisation's stakeholders whose expectations need to be served would include one or many of the following:

  • Adversarial groups, brokers, distributors, dealers
  • Vendors, suppliers, business groups
  • Community leaders, competitors, customers/clients
  • Employees, investors, law enforcement officials
  • Regulatory authorities/officials
  • News media organisations, plaintiff attorneys, politicians
  • Security analysts, ratings agencies, insurance companies
  • Stockholders, union officials, shareholders; and
  • Any entities, individuals, groups that have interest in the beleaguered organisation that is facing the crisis

7.0 Inherent features of a credible BCP

A credible BCP needs a mechanism that makes it easy to maintain and update. A roadmap for the unexpected can be one such mechanism. Such a roadmap must define responsibilities to:

  • Differentiate between business recovery and disaster relief-rescue teams
  • Identify tasks to be undertaken by various teams
  • Identify and list key contacts, suppliers and resources
  • Provide the framework for crisis communication and how to inform stakeholders and handle the media

A credible BCP should define the business continuity procedures clearly. The procedures are to cover mission-critical processes and must highlight the key resources to be used, and the processes to be followed, to recover the resources that are affected by the crisis. A credible BCP should also integrate itself with other key strategies in the organisation, such as the policies for:

  • Crisis communication and public relations
  • Safety and emergency guide
  • IT and communications recovery procedures
  • Security framework
  • Departmental operating outlines
  • Supply chain logistics policy; and
  • Operational risk management manual

8.0 Contents of a BCP document

There is no hard and fast rule as to what constitutes a complete BCP document. However, six fundamentals should be present.

I. General introduction
a. Objectives
b. Responsibilities
c. Exercising
d. Maintenance

II. Plan invocation
a. Disaster declaration
b. Damage assessment
c. Continuity actions
d. Team organisation and responsibilities
e. Red-label, yellow-label, and green-label staff
f. Emergency operations centre

III. Communications
a. Parties that need to be informed
b. Contacts
c. Key messages and common templates to use

IV. Suppliers
a. List of recovery suppliers
b. Details of contract provisions

V. Awareness and training
a. Approach and concept to cascade or disperse the BCP among staff
b. Mock runs and testing for credibility and practicality

VI. Custodian, evolvement and changes
a. List of all BCP holders
b. Distribution and change process

9.0 FAQs regarding BCP initiatives

Despite all the BCP materials that can be read to gain insights into what it is all about, there will still be many unanswered questions for management practitioners. Having simple answers to some of the frequently asked questions (FAQs) on BCP issues (like those stated below) would help an organisation’s management understand BCP better, as well as help the organisation’s team develop a credible and effective BCP.

FAQ 1: System for management notification
i) What kind of management notification system does your organisation have in place if a crisis occurs during non-business hours?
ii) How long will it take to reach everyone (from board to senior management decision-making body)?
iii) What needs to be done if a disaster happens at 4.45pm?

FAQ 2: Organisational emergency response
i) When were your organisation's BCP documents last reviewed?
ii) Has it ever been tested to see if it worked?
iii) How well does this BCP gel with the response plans of other subsidiaries within your organisation?

FAQ 3: Vulnerabilities and internal problems
i) What are other identified internal problems that your organisation has which could damage its business if the “bad” or negative news leaked out to the public?
ii) What will the public’s reaction be if, say, one such piece of "bad" news is disclosed by a disgruntled staff?
iii) How will your management explain and justify the situation so that such news will have insignificant financial impact on your organisation?
iv) What is being done by your management to reduce the chances of such a whammy occurring now or in the future?

FAQ 4: Official spokesperson
i) Who is your organisation's spokesperson in a crisis environment?
ii) Who is the alternate spokesperson if the principal spokesperson is not available, or not appropriate/relevant for that kind of crisis event?
iii) How good are they in handling tough questions from reporters?
iv) How much confidence does your organisation have that the spokesperson is convincing and credible?
v) How are disclosures handled in your organisation when a crisis occurs in a branch, region or isolated location outside your head office? Who is the designated spokesperson in such a situation?

FAQ 5: Accuracy of information
i) How much information would your organisation divulge if there is a crisis in your organisation?
ii) Who is to ascertain what to say?
iii) What is your organisation's approval process?
iv) How long will such approval process take?

FAQ 6: Disseminating news to stakeholders and employees
i) How does your organisation contact the board, management, and employees so they would hear first before learning about the crisis from the news media?
ii) How about your customers, suppliers, other key audiences and stakeholders? How long would that take?

FAQ 7: Similar crisis in other organisations
i) What similar crisis situations have other organisations experienced in the past year that went “public”?
ii) How well would your own organisation have handled those similar crises?
iii) How much of their management time have those other organisations taken?
iv) How much have those crises cost them in expenses, ill-publicity?
v) Would there be lawsuits, and regulatory or government investigations?
vi) How long might they be, before those organisations get the problem behind them?
vii) What would your organisation have initiated if it happened to your organisation?
viii) What are the “lessons learnt” from their experiences?
ix) Have you made any changes in the way your organisation does business as a result of what happened to those organisations?


Written by (Dr.) Joseph Eby Ruin, FCCA (UK), CA (Malaysia), Hon. DBA - Management Philosophy (Kursk State Technical University). (Dr.) Joseph completed his ACCA (UK) in 1976. He became Fellow in 1984. He has also been a member of the Malaysian Institute of Accountants since 1983. For his many management books, articles, and conference, seminar and workshop papers, he was conferred the honorary degree of Doctor of Business Administration (Management Philosophy) by the Kursk State Technical University, Russia in 2006. He was elected Regional Director of The Professional Risk Managers' International Association (PRMIA) Malaysia Chapter in November 2007. He can be reached at RiskFirst Consultancy & Training Services, Tel: +603 - 22735506.


Chen Ming-fa’s note:

Also see Managing Business After Disaster http://biz.thestar.com.my/news/story.asp?file=/2009/1/12/business/2955533&sec=business

The field of Business Continuity Management (BCM) is gaining prominence. In Malaysia, the Malaysian central bank i.e. Bank Negara, has issued business continuity guidelines as part of the corporate governance for all financial and insurance institutions. To become a professionally certified BCM guru, visit the Business Continuity Institute http://www.thebci.org/ to find out more.
