Business Continuity Planning

Catastrophes, financial turmoil, supply chain issues, reputational risks, death of principal stakeholders—all of these (and many more issues) can impact your client’s business practice.

At the 60th Annual Risk and Insurance Management Society (RIMS) Conference, risk managers and insurance brokers were given some basic but essential advice from Global Risk Consulting at Aon, on what to consider when establishing (or helping a client establish) a business continuity plan. 

What are the most important things to keep in mind when establishing a business continuity plan?
The most important thing to keep in mind is that the plan needs to be in place before a disaster strikes. When a disaster occurs, businesses can struggle to continue operations and return things to normal. That is why having a business continuity plan in place even before catastrophe strikes is so important. For most executives and operations managers, business continuity means finding any available options to reduce the interruption’s impact on the organization and maintain services or sales to customers.

How should a business continuity plan be communicated, and to whom? e.g. employees, senior management, business partners, customers?
The risk manager and the chief operating officer should review the organization’s business continuity plan together to ensure that it addresses all risks to the organization. It is imperative that operations be included in the crafting of the plan and that it be communicated to them during the development process and that their input be incorporated. When operations and risk management understand and discuss the risks to the organization, they can collectively determine what measures are needed to mitigate the risks and assess whether insurance should be a part of the solution. This highlights the importance of coordination between operations and risk management in the drafting and execution of the business continuity plan. Such coordination will help the organization physically, operationally and financially recover from a loss in much more timely fashion. Senior management and employees should all receive copies of the plan and be made aware of their respective roles.

How can risk managers overcome the challenge of creating—and managing—a business continuity plan for multinational operations?
Organizations with multinational operations should review and update their current policies and procedures dealing with business continuity processes, including crisis plans, disaster recovery, denial of access, loss of production, alternative management options (virtual, offshore, maintaining a reserve), communication strategies, and travel policies. There are many issues to consider when planning. Some of the key issues multinational businesses should consider when developing a continuity plan include:

  • Identify essential business activities (and the core people and skills to keep them running), and ensuring that these are backed up with alternative arrangements, where possible.
  • Identify the infrastructure and resources required for the organization to continue operating at the minimum acceptable level.
  • Develop mitigation strategies for business disruptions, including possible shortages of supplies, and developing contingency plans for continued operation—including where a whole city or country effectively “shuts down.”
  • Develop a strategy to address situations where employees on business trips or short-term assignments become “stuck” because of restrictions on travel.
  • Ensure that relevant employees, customers, and suppliers are aware of the contingency arrangements, and that the arrangements will work.

How often should a continuity plan be reviewed and practiced?Management expectations, test objectives, the maturity of the planning process and system/process criticality are all factors when deciding how often to test. The majority of organizations test business continuity processes one or two times a year; however, this can be increased by such factors as:

  • Changes in business processes;
  • Changes in technology;
  • Change in BCM team membership;
  • Anticipated events which may result in a potential business interruption.

Organizations also may choose to conduct more tests or exercises if operations are decentralized across multiple locations. Additionally, some business continuity coordinators choose to conduct testing in stages given the size of their IT infrastructure, the size of the business or their relative inexperience with BCM testing. Others want to rotate as many people as possible through the training experience, given the valuable benefits. Regulatory requirements also may influence the number of tests performed annually.

Regardless of how many tests are conducted each year, they should be scheduled in advance to ensure maximum participation. A progressive, incremental schedule that includes a timetable of events should be developed.

What are some important external resources brokers can give their clients on business continuity?
Continuity Central: http://www.continuitycentral.com/info.htm

FEMA: http://bizsecurity.about.com/b/2009/04/02/new-business-continuity-resources-from-fema.htm

Copyright © 2017 Transcontinental Media G.P.
Transcontinental Media G.P.