Perhaps one of the events that creates the highest expectations among those of us who manage the second or third line of defense is risk materialization: that is, a risk becoming an event and generating some kind of impact. From there comes the possibility of verifying the effectiveness of the controls designed, checking the residual risk, and feeding the results back into the matrix. The problem arises if the materialized risk was never identified, because then there is no idea of how to face its effects. Frankly, I believe that this has happened to many of us when facing coronavirus: a risk of very low likelihood with an extremely high impact.
Day after day we learn of new impacts of the pandemic which are really astonishing. What started as a health issue is now turning into social, political and economic problems, putting business sustainability, the way in which we relate to each other and even our job stability at stake.
Much of the action taken is improvised: we learn as we go and move forward in an attempt to thrive and be sustainable. As we can see, each country has decided to apply different recipes, with a greater or lesser impact on the economy and society.
What should be avoided, along this learning path, is going through a similar crisis and making the same mistakes.
In corporate terms, this planning for high-impact uncertain events is embodied in Business Continuity Plans. The Business Continuity Plan sets out in advance the actions necessary to respond to a disaster or large-scale event such as a pandemic, allowing critical functions to continue operating according to a well-planned and organized schedule. Like every good plan, it should be assessed, agreed, tested, approved and communicated. Its purpose is to avoid improvisation and to act in an organized way in crisis scenarios.
The business continuity plan is developed by the risk committee or by any second-line-of-defense management function, which is in charge of supporting operations through the design and implementation of risk management, control and compliance frameworks. Whether a dedicated area exists will depend on the size of the company. Beyond this, current experience with the effects of this scenario shows the importance of developing this protocol.
We could build a business continuity plan in the following stages:
- Risk and Threat Analysis: events with critical or disastrous characteristics which might pose a risk to business continuity: a quarantine, a weather disaster like a flood, a war-like conflict, a halt to imports of essential resources, etc.
- Business Impact Analysis: the impact of these events on our ecosystem: a sharp decrease in invoicing, a substantial loss of the customer portfolio, the inability to replace a critical resource, cold-chain interruption, payment-chain interruption, etc.
- Critical Resources Analysis: the critical resources of our company may be extremely varied depending on the activity: key personnel from each area, both in customer-oriented services and in support services, the stock of mobile phones and computers, management applications and tools, power generators, servers with storage capacity, identification of critical and sensitive data or documents, gas, oxygen, face masks, bleach, etc.
- Design of the Business Continuity Protocol: here, the expectations for each area are clearly stated in case of any event which may put continuity at risk: how each job will be organized, how resources will be rationalized, who will be in charge of overseeing and casting the decisive vote, how long it will take to respond to each action, what the critical replacement point will be, and what the pessimistic scenario for sales forecasts would be, along with other actions that, despite being unusual in normal conditions, should be planned for chaotic situations.
- Emergency Response Design: it will detail what each area or associate should do in case such an event occurs: work in shifts, monitor the temperature of the cold storage facility, back up the information, work behind closed doors, have means of transport available for the employees, among other actions, each with the person responsible for its execution, in order to avoid improvisation.
- Communication and Awareness: every plan should be agreed among the people with the highest responsibilities, aided by the support areas, and then the existence of this protocol should be communicated. In times of crisis, lack of communication brings uncertainty to people, and this distress may translate into actions which put workmates or key corporate resources at risk. Informing people about the plan and communicating more frequently than usual is vital.
- Monitoring: finally, as this is a plan we expect not to use and a drill will perhaps never be necessary, it is essential to monitor the effectiveness of all response actions. Each action leads to a reaction and it will be necessary to recalculate and modify the plan.
Finally, and also vital for the plan's success, responsibilities must be assigned for each identified task or action. A business continuity or contingency plan is merely a piece of paper, but it is carried out by people. As with the present crisis, we must all direct our actions towards the common benefit.