In 2016, Tesco managers conducted a “doomsday” exercise. It was imagined that all access to their Hertfordshire HQ was blocked. Some described it at the time as appearing a bit ridiculous. In 2020 the exercise paid dividends as the company grappled with the imminent impact of the coronavirus.
Many organisations delegate the assessment of risk to the depths and ignore it. Some Business Continuity and Disaster Recovery (BCDR) plans I have seen have been of shocking quality. A plan will be called upon at time of great stress and had better be good.
Business continuity measures can be costly. A rational organisation will think of both the resources to be spent in advance and the risk being managed. Some will be worth it, others will not. One of the hardest judgements with the most imperfect data is in the area of probability. When it comes to disaster recovery costs; they are almost irrelevant. If there is a cost to keep the organisation or people alive, spend first and count later. If the bank is empty, the organisation goes out of business. This is why some think about business continuity before hand. Others are now very worried.
Not Just IT
Many organisations that have looked at BCDR confine their scope to outsourced services. Whilst it is important to ensure that IT data backups and cyber security are appropriately managed, these are not enough.
The regulated industries have long taken a stronger approach. Regulators adopt a role akin to that of a public guardian. They seek to safeguard citizens who like to sleep at night. The Risk Coalition published its guidance for risk committees and functions in the UK Financial Services sector in December 2019. I declare an interest having participated in the preceding consultation. The Office for Nuclear Regulation sets a high standard from which others may usefully draw.
Every organisation should consider business continuity and rehearse recovery from disaster. There is no point in bolting the door on the virus that we hope is now passing. If this crisis is to serve a purpose it will be used to build resilience. After developing it, review your plan annually and update it when there is a major change to your business.
An organisation can have a finely developed plan. If the leaders have not lived it in advance of the time of need and acted, it benefits them little. Public reaction can be harsh when the truth emerges.
Observe, Orient, Decide, Act
Seconds count when disaster strikes. Those using one of the well-developed approaches can act rapidly when needed. The military and emergency services lead. The country has them to deal with such situations for us. They spend much of their time practising. If events strike without your having a plan and nobody in your organisation has thought about what they would do, the position can be sticky indeed. People who have mastered their role react with an almost surreal calm. Focus descends, not their trousers.
Approach
ISO 22301 provides a good approach. It starts with the definition of a policy. This is where senior executive input is initially needed. The policy addresses what it is that is to be protected. This may include aspects of corporate reputation, critical activities, staff, customers and others. Focus implies the sacrifice of less important elements. It is best to rehearse these choices. Leaders must first listen before making priorities clear. The time for debate may be seconds.
Practitioners differentiate between “business continuity” and “disaster recovery”. They reluctantly accept that most will combine the two. Business Continuity refers to preventive measures that can be taken to keep the wheels on. Disaster Recovery is the managed reaction when something goes wrong. They are complements, not substitutes.
You may decide that for business continuity, you are going to build a facility that provides a hot stand-by trading desk for your organisation. This is expensive but may be justified. Part of your disaster recovery plan is to test the hand-over of activity from the normal facility in time of emergency.
Develop
Start with an assessment of risk. You cannot imagine all, but there is value in thorough review. Do this by drawing on a diverse community. Financial people tend to see mostly financial risks. An effective workshop will stimulate people to think laterally. They can then think beyond what was seen last week.
Next assess the risk impact, prioritise it, and develop measures to manage the risk. This may include some elements that are strategic such as re-configuring the global supply-chain. Some elements will need changes in infrastructure that take time to implement. Others will be simple and short-term. Tesco saw the need to provide mobile phones and laptops so staff could work from home.
Next assemble your plan. This may have an over-arching plan for the whole organisation, supported by departmental plans. This is where the IT element would fit. Plans address the disaster response team, communications, and the provision of basic resources. They provide a home for the risk management plan. Develop a “play-book” incorporating checklists. The team can check at speed when necessary to avoid costly omissions. A basic resource that one client implemented was to have a “grab-bag” under the desk in reception. The disaster coordinator could grasp it whilst flying out the door. Not all useful measures are difficult or expensive.
Rehearse
There is a world of difference between planning and doing. When you have your plan, practice using it. For a little spice, include a mock-interview of the CEO on the morning’s radio news. Rehearsal requires a scenario. The important element is not the specific situation but the development of personal and team capability.
After a rehearsal, take the opportunity to learn. Play the CEO the recording of her interview. Update the plan. Add a small but vital tool to the provisions. Substitute the person who disrupted the team. The disaster response group must operate as a team. Teams practice to win. Their power comes from interaction. Team-members learn their own part in role-play and see their effect on others. Use feedback and review to help your people improve. If you do not keep score, you are only playing.
Systemic Risk
Systems combine parts, collectively to perform a useful function. Interactions can be unclear.[1] Events which are individually trivial may have large effects when they combine. Because of the number of such factors, the probability of adverse combination occurring at some stage is high. Do not bother trying to predict precisely which combination will be seen.
A useful approach is to examine the resilience of the system and to improve it. The lock-down in India has affected many organisations. Their suppliers’ ability to sustain service levels was undermined. Those relying on Chinese manufacturers have also suffered. Many, having first issued Force Majeure notices, are reviewing their supply chains.
Events bring opportunity. Supermarkets that had built capabilities for on-line ordering captured market-share during the pandemic. Those that relied upon in-store labour built to scale more rapidly than those who used robots within warehouses. Such decisions should be taken primarily to support the business model, secondarily to manage risk. Some opportunities may be short-term. Others will endure. Good decisions require a well-formed business model.
Optimism bias
Researchers are aware of bias in people’s assessment of risk. This has been noted in project estimation, economics and many other fields. In the context of the virus, someone may know that there are many who are infectious whilst believing themselves to be immune. This can be dangerous.
People have a staggering ability to ignore the impact of bad news. I heard the news from China in December and did not sell my investments. Have you seen the forecast for the effects on sea-level resulting from climate change? If you have not yet sold your low-lying property, now may be the time to act. Its value is unlikely to be raised by the lapping of waves on the doorstep.
The last global pandemic was the Spanish Flu of 1918. We may expect such an event one year in a hundred. The premium my insurance company charges would indicate pandemic is more likely than that my house should be destroyed by fire this year.
Conclusion
There are few issues of higher priority than survival. An awareness of the risks to business continuity and action to manage those risks improves resilience. Strength is also increased through rehearsing scenarios so that you can recover when disaster strikes. Building resilience is easier than recovering from failure. First act to secure the present, then repair any weaknesses in your preparation that have been exposed. Use the crisis well.
William Hooper is a member of the SCL, consultant in IT and outsourcing and acts as an expert witness in IT disputes. His company is Oareborough Consulting.
________________________________________
[1] The Black Swan, Nassim Nicholas Taleb, Penguin Books 2007, 2010
