top of page

COVID-19: A wake up call that BCP is not only about IT!

When business talks about Business Continuity Planning (BCP), most people delve only in information technology (IT) side. BCP is much more than managing IT disruption (albeit the importance of IT risks). The pandemic of corona virus (COVID-19) has shown us this.


We all see the panic and banning of people coming from China, South Korea (and even Singapore) in the early stage of this pandemic. But if we see now, Italy and Iran has dramatically increase its confirmed cases at the speed of light. Last week Italy has only 4000+ confirmed cases, on 11 March 2020 they reported 10,000+ confirmed cases and in less than 24 hours it has risen to 12,000+ confirmed cases - 20% increase in less than a day!


Organisations has now take measures to deal with suspected and confirmed infection, however all were reactive and taken quite some time - months - after the virus has gone viral. Is it too late? Should we have better identification of varied risks, maybe we would have a better response plan in place. Maybe our BCP has not considered all matters that should matter.


Business Continuity Planning 101


What is a BCP? BCP or Business Continuity Planning is a documented and formal arrangements for resuming critical business operations in a timely manner following a disaster or other disruption. BCP is a function of risk management. The response plan should be timely or immediate, focus is on sustaining the business, and recovery process must be efficient and organised.


The elements of BCP are:

  1. Crisis management and communication plan

  2. IT disaster recovery plan

  3. Business resumption plan

  4. Pandemic response plan


Understanding of the operating environment, the constraints and threats that could result in a significant disruption (conduct of risk identification and assessment) is very important. Followed by identification on which parts of the organisation critical to its short and long term success and quantification on the impact of those threats to critical functions. There should be a process to ensure that information remains current and relevant to the changing risk and business environment.


Learning from past (and current) disasters, we need to bear in mind that the event may impact multiple sites simultaneously, communications may suffer extended outages, full staffing may not be available for the recovery, work in process and vital records may be destroyed, essential transportation may not be available, supply chains may break down, untested provisions may be unreliable.


Therefore when preparing our BCP program, functions and systems must be inventoried and prioritised for recovery, teams and individuals have their recovery playbook for reference, and there are designated team for recovery coordination. In designing it, we need to understand the objective of BCP which includes:

  • Identify and mitigate risks

  • Protect employees, customers, assets

  • Reduce reliance on key personnel

  • Minimise potential economic loss

  • Minimise disruptions to operations

  • Ensure organisational stability

  • Provide for an orderly response and recovery

  • Minimise decision-making during and following a disaster

  • Reduce legal liability to the organisation

  • Comply with regulatory and contractual requirements.


There are many factors that contributed to an effective and efficient BCP program.


For a BCP program to be effective, there should be tone from the top. Thus organisation need to ensure that the following exists:

  • Solid organisational commitment

  • Effective risk management

  • A thorough business impact (BIA) analysis

  • Viable recovery strategies

  • Comprehensive recovery documentation

  • Enterprise wide plan deployment

  • Persistent plan maintenance and testing.


For a BCP program to be efficient, there should be:

  • An established goals and objectives

  • Clear roles and responsibilities

  • Defined standards, methodologies, and techniques

  • Ongoing and regular collaboration

  • Useful and productive tools

  • Formal reporting and monitoring

  • Regular evaluation and constructive feedback

  • Continuous refinement


When testing your BCP, remember that here should be a summary on what is successful and what is not.


The trend now is that organisation have an enterprise-wide BCP instead of only having an IT disaster recovery plan. Considerations should also be placed on increased scrutiny and accountability from the customer, regulators, investors, and board's perspectives. In addition, it should also entail consideration of wide-spread disaster scenarios, mass absenteeism planning, and an integration with or into organisation's enterprise risk management (ERM).


What to do now?

  1. Assess your business operations, external expectation, risk postures, etc., to determine BCP requirements and objective.

  2. Revisit your Disaster Risk Assessment Register. It should include identification of natural, human, and technical threats that may disrupt your organisation's critical business operations.

  3. Evaluate your current BCP documentation, strategies, processes for alignment with your organisation's requirements and objectives, and general best practices.


Comments


bottom of page