Business Continuity and Business Resiliency

Disruptive events are a nearly inevitable consequence of operating in a complex environment, and being properly prepared is key to an efficient restoration of normal business operations.

Many leaders may feel that adequate preparations are in place for any type of emergency, including having submitted a continuity plan several years back. They may also be operating under the illusion that Central Administration will provide a complete backstop for any deficiencies experienced, such as technical expertise, system availability, human resources, and budget assistance. However, the responsibility for planning for a significant interruption and preparing how to resume normal business activities, especially the financial consequences of such, falls to department leadership, who can, and should, be engaging with Central Administration in their planning process. 

Many organizations have significant weaknesses in their business continuity planning, the most common being (1):

  • There is no systematic collection of planning information. This includes such aspects as risk, vulnerability, threat, and hazard analysis; organizational information; regulatory guidance; policies and procedures; and location-specific data.
  • There is no systematic dissemination of planning information. Information that has been assembled but not shared with the affected population - especially those responsible for implementing any plan - is of very limited use.
  • There is a failure to identify and establish an incident command structure - a particularly common pitfall within a University setting, as many planners try to fit their organizations into a standard incident-command system not designed around their particular needs.
  • There is minimal or no coordination with affected internal and external entities. Poor communication with the community/neighbors, local government and regulatory officials, important suppliers and customers, and identified support entities (fire, police, hospitals, etc.) can lead to confusion and chaos during an incident. Lack of an answer to a simple question, such as "Who is the primary contact for off-site agencies during an incident?" can lead to major disruption.
  • Organizational responsibilities are either lacking or poorly defined. Failure to provide clear, concise procedures defining individuals' functions, duties, and tasks on assuming incident-response roles can lead to finger pointing and key tasks falling through the cracks 
  • Once developed, the program is not, or is at best poorly, maintained. Your program was developed to meet a requirement at a set point in time, but there is no provision for continued evaluation and periodic update of the material, with changing business objectives, personnel, physical space requirements, etc. Information subject to frequent change, such as important contact information, should not be buried in various paragraphs throughout the plan.
  • The material developed is not user-friendly or readily accessible, regardless of physical location. If the user, especially one not part of the plan development process, can't figure out their role in the plan's implementation, you risk failure of the plan in it's entirety. Be sure to provide simple, easy-to-use supplemental materials that can be used as a quick reference guide during an event. Worse yet is if you didn't train everyone on the plan and their roles in its implementation.
  • You did not disseminate the plan to the proper authorities. Failure to include appropriate parties on the distribution list most often leads to failure on their part to respond in the manner for which you had hoped. This includes any resources you hope/expect to receive post-incident from Central Administration.


Here are some basic questions department heads should ask themselves to self-assess their business resiliency preparedness (2):

Understanding threats

  • What are the organization’s top ten risks and, relative to these, what are the top five “black swan” threats that could destabilize the organization?
  • For each black-swan threat, how might the crisis evolve, including second-order effects by stakeholders and assessments of maximum exposure?

Organization and leadership

  • What will the crisis organization look like for each threat (in particular, is there a crisis-response leader with the right temperament, values, experience, and reputation), and when will that organization be activated?
  • What will be your organization’s governing values and guiding principles if any of the black swans hit?
  • Have you defined the blueprint for a central crisis nerve center staffed by top executives, with division of roles?
  • Do you have a crisis governance structure that involves the board, drives decision making, and isolates the rest of the business?
  • Do you have a succession plan in case some of your mission-critical leaders need to step down because of the crisis?

Stakeholder stabilization

  • Have you defined key stakeholders, including competitors and influencers, and tested how they might act in a crisis?
  • Have you invested in understanding and establishing relationships with regulators and government stakeholders?
  • Do you have a plan to protect employees and reduce attrition of your most talented employees?
  • Have you established the portfolio of actions to stabilize stakeholders in the event of each scenario, beyond public relations?

Operational and technical

  • Which critical operations can keep going, and which ones may need to slow or stop?
  • Is there a blueprint for an operational or technical war room staffed with the right team and adequate peer review?
  • Have you defined ways to monitor and reduce cyber threats, including dark web scans, during a crisis?

Investigation and governance

  • How will you scope an investigation, and what level of transparency might you need to provide?
  • Do you have a set of options for large governance changes you may need to make after a crisis?

Marketing, reputation, and communications

  • Have you established a basic communications process, tools, roles, and plan to drive key messages with stakeholders?
  • Have you thought how to keep your reputation from being severely hurt during the crisis and help it recover afterward?

Financial and liquidity

  • Are there financial protocols to provide crisis funding, protect liquidity, and maintain the business? 
  • Have you defined the broad scope of root-cause investigations and how they will be governed?

Legal, third party, and other

  • Does the crisis team have a working knowledge of relevant legal provisions, case law, and protocols?
  • Have you pre-identified battle-tested third parties, such as law firms, crisis communications firms, coordination, and business decision making?
  • Do you have a sense, based on case law, what the overall legal pathways may be to resolve the black-swan event?
  • Have you identified critical suppliers and considered how existing terms and conditions will affect you adversely in a crisis?

Readiness

  • Have you rehearsed and critiqued all of your biggest crisis scenarios at least once in the past 12 months and implemented improvements to processes or other changes arising from these exercises?

For help evaluating your current business continuity planning and determining what financial options are available to you, please email us at risk-services@harvard.edu

 

(1) adapted from "What is There to Know About a Crisis", Gary W. Sikich, John Liner Review Vol 14 No. 4, Winter 2001
(2) adapted from "Are You Prepared for a Corporate Crisis" Sanjay Kalavar and Mihir Mysore, McKinsey Quarterly, April 2017