In times of economic disruption, business continuity planning can provide organizations with the resources and framework needed to mitigate the negative impacts of disruptions to normal operations—while continuing to fulfill key objectives.
At its core, business continuity planning is about building resilient revenue streams and operations. It’s a core component of contingency planning and represents an ongoing process of analyzing your organization, understanding what threats might negatively impact operations, identifying solutions, and finding more opportunities to be resilient.
Effective continuity planning and risk mitigation efforts are especially important given the far-reaching impacts of the COVID-19 pandemic. Regardless of size or scope, every organization should have a business continuity plan that focuses on understanding core business processes and functions, identifying the dependencies that support them, and developing strategies to help combat the impacts that result from an emergency.
Business continuity planning is one area of contingency planning that complements and builds upon other emergency management activities, such as IT disaster recovery, crisis management, and emergency response programs.
Business continuity planning should result in you and your leadership team being able to answer the question, “How will we be able to continue to operate?” under a broad range of circumstances. The output should equip you with decision-making resources that have documented organizational priorities tied to the risks and potential impact of disruptions.
Your operations should also have documented business continuity plans with actionable steps to support essential functions, including financial processes like payroll, procurement, and revenue or accounts receivable.
Below, we’ll cover three steps your organization can take toward strengthening its business continuity planning.
1. Identify, Prioritize Essential Functions
The COVID-19 pandemic has forced organizations of all kinds to examine and define which core functions and services are truly essential. Local governments across the country have defined various types of essential workers in terms of who’s allowed, or even required, to keep working while the rest of society is ordered to shelter in place.
For your organization, the goal should be to similarly identify and analyze the primary business processes and functions that must remain operational to endure uncertainty.
While many functions are important in day-to-day operations, not every activity is connected to the delivery of your organization’s core services or keeping the doors open. Essential functions are the critical activities that must be performed for the organization to function.
Essential functions should be identified both enterprise-wide and within each major department.
Key Questions for Understanding Essential Processes
Every effective business continuity plan should be rooted in a business impact analysis and risk assessment.
While these phases can be conducted at many different levels of detail, your leadership team can begin this process by asking each other the following questions:
- What are our primary services and functions that support our mission, vision, and goals?
- Which essential business processes need to occur to deliver those services and functions?
- What resources, systems, vendors, equipment, team members, and other processes do we rely on to carry out those processes?
- What are the potential impacts on other processes if any of these functions are disrupted?
- How will our key stakeholders be most impacted by a disruption to our operations?
- What are our legal compliance obligations, and how must they be incorporated into our contingency planning?
- What are the resources and processes with the highest potential impact, and how are we mitigating those risks?
After answering these questions, your leadership team can better understand your organization’s operational requirements and interdependencies.
Once your essential functions are identified and understood, identify where key elements of your revenue and operations are most at risk by conducting a risk assessment focused on the impact of disruptions.
Instead of trying to identify every single possible threat scenario, focus on the impact of unavailable resources so that you can determine where the impact would be most severe if those resources were unavailable for an extended period of time. Quantify the impact where possible, both in terms of financial impact and time.
Next, go through the exercise of assigning prioritization levels to core functions based on the risk assessment, and begin to identify your continuity and recovery strategies and options.
Ask your department leaders to collect the answers to these questions as well. The combination of the results will help document the operational landscape of the organization.
Remember to document your planning exercises along the way, creating a response plan that documents the results. An effective plan should include action steps or flexible alternatives based on different emergency scenarios.
2. Consider Areas of Impact
Business continuity events typically impact three major areas for most organizations: property, operations, and people. All of these can have significant financial implications, both directly and indirectly, and should be assessed in terms of highest areas of risk exposure and severity of impact.
When considering the impact on each of these areas, leadership can identify risks within each category and determine how to mitigate them. During this process, it’s important to remember that many of these areas aren’t isolated—there's typically overlap within an organization’s framework.
Property impacts can range from physical destruction—such as damage sustained from a fire or a flood—to the less tangible impacts, such as those many businesses are experiencing from COVID-19.
Consider what the needs may be if utilities are disrupted and assess if a backup generator may mitigate the risks associated with power loss and offset the initial investment. Identify key supply chain dependencies for critical equipment and supplies and investigate if there are ways to diversify your sources in the event a vendor is disrupted. Now is the time to review your insurance coverage and determine if you have the appropriate coverage for your greatest areas of risk.
As a result of the pandemic, many companies have needed to quickly equip remote workers with laptops, network access, and other equipment while also creating new ways to secure access to critical systems, such as establishing virtual private networks (VPN).
Paying for these new resources, while maintaining physical office space that isn’t being used, can have a huge financial impact. Changing how we use facilities to accommodate physical distancing requirements and increased cleaning can have significant impacts on organizations.
It may also make sense to look back over the last 12 to 18 months at what maintenance or planning activities have been deferred during the pandemic and identify them as a source of potential upcoming failures or crises.
Take into account the likelihood that property and equipment will fail if maintenance is deferred, as well as the additional cost of getting an emergency service engineer on-site to do the work to prevent an HVAC system from going down.
Every area of operations can be impacted by an emergency, from productivity to core financial transactions.
Analyze Financial Position
Conduct an analysis of the organization’s financial position—in terms of liquidity, revenue forecasts, investments, and availability of financing—to quantify the minimum cash requirements needed to sustain operations for a defined period.
Determine the priorities for cash and payments—who needs to be paid to keep the lights on? Also, consider the financial transactions that may be necessary in unusual circumstances. For example, purchasing is often heavily impacted by emergencies, affecting both who needs to make purchases and what needs to be procured. Advance preparation around emergency procurement policies and procedures can allow employees to purchase critical goods, while still protecting the internal controls over cash and purchasing cards.
Organizations might also experience operational issues when it comes to accessing physical records during an emergency—especially if they don’t have a human resources (HR) system in place. If a company isn’t designed to operate remotely, it may need to send people into the office to access personal records, which isn’t ideal during a pandemic and isn’t possible in the wake of a fire or flood.
Additionally, payroll is often overlooked in business continuity planning. Don’t assume that your employees will continue to work without pay during or after a disaster. Instead, it’s important to understand what your payroll process depends upon and document backup procedures in the event a system goes down.
Establishing clear strategies and procedures for controlling costs, reporting information to appropriate groups, and budgeting for and tracking what is spent during a large-scale disruption can have a significant impact on the likelihood of the organization emerging on a positive track.
There’s a common misconception that employees will know what to do in the event of an emergency; but in a crisis, there is no business as usual. An emergency’s impact on staff, board members, and leadership can be far-reaching and unpredictable.
For example, during the California wildfires, many individuals were displaced from their homes—resulting in some employees needing to suddenly leave their job or relocate to different branches. A natural disaster can also impact employees’ ability to be paid, which can have significant long-term effects for individuals and their families.
Employee attendance will almost inevitably be affected because of health and safety concerns during a disaster. Employees who are willing and able to work through a crisis may simply not be able to get to their work location. Public transportation systems may be disrupted, as even smaller-scale disruptions such as blizzards can have a significant impact on an employee’s ability to get to work.
There are also impacts on employee safety, wellbeing, and mental health during and following an emergency. While not all employees may be directly affected by a disaster, they may need to miss work to look after the health and safety of family members who are affected. The COVID-19 pandemic has changed how, where, and when employees work—especially those who care for relatives or are navigating their children’s remote learning.
3. Integrate Resiliency Planning
Continuity planning should be an iterative, multidisciplinary process that engages everyone in the organization. In conjunction with other emergency management programs—such as IT disaster recovery and crisis communications—continuity planning supports your organization’s ability to foresee, prevent, respond to, and manage adverse risks and events. Develop recovery strategies, and document plans that are understandable, actionable, and maintained on a regular schedule. Responsibility resides with the highest level of management to demonstrate a commitment to continuity planning efforts.
There are a few ways to approach contingency planning that align with your organization’s size, structure, and resources:
- Strategic preparedness planning—driven by policy, a board, or leadership establishing the priorities for preparedness
- Operational planning—driven by managers through assigning roles and responsibilities, identifying activities, and taking steps to work collaboratively
- Tactical planning—developed by business units and individual contributors, it pre-identifies the requirements for responding to a task and provides the opportunity to identify gaps
Another way to look at preparedness planning is a cycle that begins with prevention activities and concludes with restoration.
- Prevention activities take place on an ongoing basis and decrease the likelihood of an incident occurring. These should include strategies for safeguarding buildings, records, and equipment; identifying essential roles; and documenting what is required to perform essential roles.
- Mitigation activities decrease the impact of a negative event on your organization by identifying and reducing risks. These will vary based on your operations and specific vulnerabilities.
- Response planning identifies the appropriate steps your organization should take to respond to a given event, such as contacting emergency services, notifying customers and vendors, employee communications, and building evacuation procedures.
- Recovery activities are the steps your organization needs to take to restore its core operations. This might include bringing buildings and equipment back online or essential staff returning to the office.
- Restoration includes how the organization returns to its optimal activity level and starts the cycle over again, preparing its response for potential future situations.
To learn more about which planning approach best aligns with your organization’s needs, visit our Disaster Recovery and Business Continuity Planning webpage for more resources, or watch our webcast.
We’re Here to Help
To be prepared for the next disruptive event, your organization should assess and strengthen its business continuity and preparedness planning on an ongoing basis. To learn more about how to get started with this process or next steps, contact your Moss Adams professional.