This article originally appeared in the May 2011 issue of Security Magazine.
As security consultants, we have the privilege of working for multiple companies and agencies around the globe, which gives us deeper insight into how businesses typically view, plan, and prepare for the unexpected. Too often, however, it seems we are brought into the security process in a remedial role, after an unforeseen and unprepared-for event. In the current economy, many security consultants are encountering vulnerability within organizational supply chains, which, if disrupted, can have a substantial effect on an organization’s short- and long-term ability to meet objectives.
Often, security consultants are left wondering at the shortsightedness of management groups that neglect to incorporate business continuity planning (BCP) into overall company strategy. Upon examination of the broader corporate spectrum, however, this gross operational oversight proves neither consistently isolated nor symptomatic of unengaged management. A lack of attention to continuity planning is currently prevalent throughout the business world, and is most likely a result of:
- The economy – Tight profit margins, rising costs, and an anemic recovery from the 2008-2010 recession necessitate that companies do more with less. Resources for planning are often difficult to procure.
- Short memories – Strategic planning is a forward-thinking process that often fails to include past lessons learned. As the time between significant events increases, memories fade, and so does the sense of urgency to mitigate associated risks.
- A lack of global perspective – The tendency to view the entire world based on the most familiar perspective can be a costly, albeit common, misconception. Companies must bear in mind that they do not provide the only solution or the only product, and competition will always continue to increase.
Business continuity is the strategic and tactical capability of an organization to plan for and respond to business interruption in a way that allows it to continue business operations at an acceptable, defined level. ASIS International calls it Organizational Resilience (OR). Business continuity is not something that a company undertakes when it learns a hurricane is coming. It requires a methodical and detailed analysis of both organizational and stakeholder requirements and the development of a process that includes:
- Creating and setting the standard that the plan will be measured against or held to;
- Understanding an organization’s risk, security, preparedness, response, continuity and recovery requirements;
- Establishing a policy and objectives to manage risks;
- Implementing and operating controls to manage an organization’s risks within the context of the organization’s mission and culture;
- Monitoring and reviewing the performance and effectiveness of the OR management system; and
- Continual improvement based on objective measurements.
Large-scale points to minimize their severity. In today’s competitive market, OR is critical, and planning should include not only the core processes of the organization, but also the ancillary processes and organizations that are critical to central objectives.
Ultimately, the resulting plan, training, and awareness provide organizations with the capacity to manage extraordinary events in a manner that minimizes disruption and loss. By doing this, organizations garner the confidence of stakeholders, shareholders, staff and customers, and prepare themselves to perform in a manner that justifies that confidence, should the worst happen.
The primary objective of BCP is to assess threats, examine existing preparations, identify vulnerabilities, and determine potential points-of-failure for an organization’s facilities, processes, and business enterprises. In addition, an organization must prepare adequate plans to confront and manage extraordinary events that may endanger personnel and property, or disrupt the course and conduct of business for the organization. In other words, the BCP should include plans to provide for multiple layers of responses based upon an event and its severity.
The objectives need to be measurable and consistent with the organization’s established policies and should include:
- Risk prevention, reduction, and mitigation;
- Resilience improvement;
- Financial, operational, and business continuity requirements;
- Compliance with legal and other requirements; and
- Continued improvement.
The plan should be an individual fit for a unique organization’s corporate culture, operational requirements, and organizational structure. Even companies of similar size producing the same type of product are a different combination of culture, management style and organizational structure. Companies have different degrees of vertical integration, supply chain, and distribution interface dependency. As such, there is no universal BCP model that can be laid over a company that will fit its needs. An adequate, workable plan must be tailor-made if it is to address the challenges of a company in a real-world crisis when the survival of the enterprise is at stake.
The preparation of a custom business continuity plan is a detailed and involved process. As such, it should be designed so as to minimize any impact on the company during preparation. The process should seek to “first, do no harm.” A process that unnecessarily interferes with productivity on the part of the staff and organization becomes a cost as opposed to a benefit. The information, data, ideas and potential solutions required for a comprehensive plan are generally gathered from the management, staff and employees of the company. However, outside contractors experienced in low-impact facilitation, collation, and plan construction can ease organizational disruption and plan development costs. Outsiders also view the enterprise from a different perspective and take less for granted than those on the inside. For example, an outsider will have no loyalty or allegiances to key resource providers. Therefore, he or she will more easily – and correctly – question the long-term sustainability of having only a single provider for key resources.
The required input information is normally gathered from operating and administrative units. A company’s operating management and administrators will best be able to establish the criteria and parameters for normal operations and stages of recovery. Management within individual operating units should be responsible for analyzing the impact of disruption on various process components; the best recovery mechanisms; and the criticality of sources, resources, and production components.
The macro-strategies for the processes of replication, replacement, and resumption of production are best determined by the company’s executives and upper management. This completes the spectrum of top-to-bottom involvement in defining business and industrial processes, identifying alternate and replacement processes and materials, and planning for the orderly repair of infrastructure and the resumption of production and distribution.
Planning Parameters and Style
“If it ain’t broke, don’t fix it.” Use and adapt those things that are already developed or in place. The first part of the plan development process is to assess the current plans and identify pre-existing plans, remedies, and countermeasures that are working and available. There is no need to reinvent the wheel. It is easier to use preexisting processes than to develop and teach “new tricks” for no reason.
People within a company are by nature more familiar with culture and process than outsiders. Use their expertise and perspectives first. Modify their information and ideas as needed to conform to the specified models, standards and best practices being used to guide the project. Most solutions and remedies already exist within an organization if the right people can be interviewed and encouraged to participate. This is another area where an outside consultant experienced with the planning process and familiar with best practices and current models can contribute to the efficiency and economy of developing the plan.
Most importantly, make the product of the project work for the company. Every company has a unique culture, facility, and environment. Make sure to accommodate these individual characteristics.
Business success is based on survival of the fittest. A large part of being the “fittest” in the modern world is being prepared to take advantage of competitive options that appear suddenly and disappear just as quickly. In a large-scale catastrophe, being prepared to survive crisis and quickly resume normal operations is a distinct advantage in a market where competitors struggle to do the same. On a local scale, surviving emergencies and crises that affect your business alone can be the only thing that prevents unaffected competitors from moving in on your markets to fill the void for your customers. Being the “fittest” means being as prepared as possible to cope with and recover from catastrophe. That preparation is based on thorough planning, having a complete understanding of factors that threaten your business processes, and having a sound plan for replication, repair and contingency operations toward the ultimate objective of minimizing losses, returning to normality, and turning the situation from survival to competitive advantage.