The world has seemed a pretty somber place this past few weeks. And we’ve all heard the phrase, unprecedented times, more times than we can count, and to such an extent that perhaps we hope to never hear it again. The truth is, COVID-19, and the effects it has had on our individual daily lives, the companies we work for and the communities we live in is truly unprecedented. Situations and scenarios we would really only have expected to witness whilst watching a movie, not as actual events playing out before us in our lives daily… not in our lifetime.
But, as the phrase goes, “this too shall pass.” We’re in this together. Better days lie ahead. #wereinthistogether. And all the other clichés and hashtags… are true.
Some businesses may find it a challenge to ever fully recover. These are, after all, unprecedented times. However, there is always a silver lining, even in the darkest clouds.
Individuals, communities and organizations with fortitude, foresight, and resilience will likely come through this pandemic, stronger and wiser. It may take some time, but there is a road to recovery – a route still paved by the more familiar hardships, natural disasters, malicious attacks – virtual and physical, and other means of disruption that have come before.
The term business continuity is not a new one – in fact the International Standards Organization (ISO), the same organization that is the owner of the most widely used standard in the world, ISO 9001: Quality Management Systems, released a standard in 2012 called ISO 22301:2012 – Societal security – Business continuity management systems which itself is based on two British Standards (developed by my employer, the British Standards Institution); BS 25999-1 Business Continuity Management – Code of Practice (2006) and BS 25999-2 Business Continuity Management – Specification (2007).
In many ways, it was another unprecedented event that led to the development of these standards. The September 11, 2001 attacks on the Twin Towers in New York City, and on the Pentagon near Washington, D.C., resulted in the business continuity discipline coming to the forefront. Countries and organizations around the world began to look at the potential for widespread disruptions in ways that had not been experienced in previous decades. In 2003, BSI, in its capacity as the UK’s National Standards Body, developed the Publicly Available Specification (PAS) 56; the first nationally recognized framework to support all types and sizes of organizations to better understand, prepare for, and manage business disruptions. PAS 56 was the precursor to BS 25999-1 and BS 25999-2, which were themselves the precursor to ISO 22301.
Why standards, and Business Continuity, matter… always, and especially during a pandemic
Business continuity contains several components, some of which are even more relevant when dealing with pandemic risks. But, more important than the list of components is how an organization can increase its business continuity awareness and react to disruptions quickly, practically and pragmatically.
A business continuity management system provides a framework to:
- Understand organizational context: This portion provides recommendations for understanding external and internal organizational context. External context includes the political, financial, economic, technological, legal, and regulatory environments; critical supply chain relationships; and communication with stakeholders. While internal context includes the review of the organizational purpose and objectives, including the identification of key clients and the list of products and services that are critical to maintain during a disruption, and how to support the maintenance of these products and services taking into consideration the resourcing of assets, supplies, and people. A business impact analysis and risk assessment are the appropriate supporting tools used to organize and summarize the findings and to outline the organization’s continuity objectives.
- Defining business continuity strategies and solutions: This phase is needed to review possible strategies that would deliver solutions to; (1) avoid a disruption; and (2) to mitigate the impact to the business, thus increasing the organization’s resilience to disruptions. Business impact mitigation considers a bidimensional paradigm: how to reduce the impact (how deep) as well as to shorten the period of disruption (how long). An adequate review of critical resources that must be protected, which includes people, information and communication technology systems, infrastructure, equipment, transportation, logistics, finance, and how the organization interacts with clients, distributors, partners, and suppliers must be conducted.
- Developing a response structure: Often referred to as Incident Response Structure, it is basically comprised of teams with guidance plans. Competent teams, with clear roles and responsibilities, are critical to safeguard life, evaluate the disruption, assess the initial impact, define actions and priorities, monitor the implementation and effectiveness of solutions, and to communicate with stakeholders. A documented plan is essential in guiding the team’s actions. Each plan shall include the purpose, scope, and objectives, as well as actions to implement selected solutions and their interdependencies, resources, and reporting requirements. This is the phase where the business will operate in contingency and which will ultimately test its business continuity system and organizational resilience.
- Recovery from a disruption: Returning to the new "business as usual” following a disruption needs to be well planned. Dependent on the disruption type, several actions may be required to be implemented, including, but not limited to: assessing new delivery capacities and market demands; reviewing financial resources; repairing damaged assets; moving back to primary locations of business from any temporary facilities; filing insurance claims; recovering lost information; communicating with stakeholders; and auditing potential government and legal requirements.
- Learning: after a disruption, the organization should do a self-evaluation to collect and review lessons learned, and update and improve its business continuity arrangements as needed.
A magic bullet? Definitely not. But a path forward through a framework developed by a global team of experts that provides enough flexibility to fit the needs of large and small organizations and a structure that guides the way? For sure.
Remember, we will get through this together. Through famines, World Wars, pandemics, and more… we’ve always proved ourselves to be resilient and resourceful.
For a more insights and information about The Ultimate Resilience Test – Assuring Business and Communities Continuity During Pandemics and Organizational Resilience and Business Continuity, click here.