Live News

[Blog] Managing Business Continuity For Security And Resilience During Pandemics

Dr. Chris Bungshy is the Director, Trainer and Lead Auditor/Assessor of Global Systems Conformity Ltd

Our world transformed into the so-boasted virtual village resultant of globalisation due to the unclamped Knowledge and/or Dream or Experience economy got freely propelled by Digital economy leading us to where we forget the ‘Law of Complacency’ which forbids us to think of and simulate disasters with disruptions and how to wisely and articulately prepare the defensive and recovery scenarios in the fight to save our loving people.

Man and his unthinkable occurrences

We, humans, are very territorial, that is, when we go to a new place, either we like the place or not, we get acquainted very soon and this behaviour is called ‘being complacent’. For example, if we experience any undesired incident in our life or workplace and somehow manage to get over it, we become complacent rapidly and do not get anxious about the idea, if an another similar or more disastrous incident in future re-occurs until we find ourselves to be in a situation where getting out would be as tedious as quickly getting entrapped in a moving-sand like ambush or apocalypse.

Developers of international standards have catered for undesired situations, if  there are or would be major disruptions, ISO 22301 Business Continuity Management system can be used as the model for preventing or reducing adverse impacts of all types of disasters whether natural or man-made.

Benefits of a Business Continuity Management System

Although most people or organisation are not fond of change(s), the Business Continuity Model based on ISO 22301 standard is an implementable model irrespective of size, nature and type of organisation to ensure proper solutions/ideas are developed to address specific risks and impacts with adequate flexibility and understanding.

Furthermore, it has a streamlined documentation structure which allows, one to manage the service continuity during and after disruptive incidents.

The approach of ISO 22301 can become a useful tool, whether you are in private, public or any organisation, helping to achieve continuity of services whilst complying with customer, legal, as well as societal requirements.

What BCM and BCP do?

business

Who to blame when a disruptive incident occurs?

Imagine you go to work and arriving at the workplace doorstep or your worksite, a cross sign placed on the door says ‘closed’. Where do you go from here? This will of course be the fundamental question that everyone could or will ask. You will be left with no alternative than to get back home where, shockingly enough, elderly people, children, banks, suppliers of higher purchases, landlords - just to name a few - awaiting for your financial support to ensure their liveability and growth. 

Who is responsible? I believe the employers and corporate of organisations who, at the end of the year who do not pay serious heed needed to be clear of their future. How alert we are about disruptive incidents that can wipe you off and time for thinking and reacting would always be after the incident.  Hence, BCMS is a well thought and planned decision for Top Management to prepare for the worst case scenario.

BCMS and Business Continuity Plan, emphasise the importance of:

  • the needs and expectations to put in place a Business Continuity policies and objectives.
  • the need to have operating and maintaining processes, capabilities and response structures for ensuring the survival of disruptions.
  • monitoring & evaluating for robustness of the system ongoing.

Recipients and Beneficiaries of BCM and BCP

business

What in fact is Business Continuity (BC)?

According to International Organisation for Standardisation (ISO), BC is described as a ‘holistic management process’ that identifies potential threats to an organisation and the impacts to business but has the capability to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption.

But then what is Business Continuity Plan (BCP)?

From the source BCP is documented information that guides an organisation to respond to a disruption and resume, recover and restore the delivery of products and services consistent with its business continuity objectives.

Business Impact Analysis (BIA)?

BIA is the process of analysing the impact over time of a disruption on the organisation.

What is Disruptions?

An incident whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services according to an organisation’s objectives.

There are three elements of threats and vulnerabilities namely:

business

Impact (outcome of a disruption) categories: 

-    Premises People Suppliers IT Utilities Finance

business

How to plan the BCM/BCP, implement it, exercise / test it and improve upon it?

A)    Plan a BCM and BCP

  • At National Level, Leadership and Commitment must be demonstrated through establishment of National Business Continuity Policy and Business Continuity Objectives and ensure the rooting of its gravity under an enforced Regulatory framework.
  • The National Business Continuity Policy (NBCP) should cut across the Government body spearheaded by the Ministry of Civil Service Administrative and Institutional Reform (MCSAIR) down to private organisations, NGOs, SMEs through effective consultation and communication the soonest possible.
  • A National Business Continuity Management Unit (NBCMU) must be seen as the edifice erected to address security and resilience that meets the needs and expectation of societal and citizens health, safety and security. Under a patron, nobody else than the Prime Minister himself to begin with.
  • The NBCMU will be tasked to determine risks and opportunities related to disruptions, their causes and the prevention or reduction of undesired effects.
  • Use the results of the assessment to set Business Continuity objectives to bring about the necessary changes and their potential consequences.
  • Build capacity and monitor performance of the steering unit having responsibility and authority to maintain an effective BCM and BCP through ongoing consultation and communication cross-sector organisations.

B)    Development of the BCM & BCP

An effective Business Impact Analysis and Risk Assessment must be performed to determine the risks of disruptions by :

  • Impact types and relevant organisation’s criteria
  • timeframe within which the impacts of not resuming activities would become unacceptable to the organisation. The time frame can be referred to as the “Maximum Tolerable Period of Disruption (MTPD)” 
  • timeframe for resuming disrupted activities at a specified minimum acceptable capacity referred as “Recovery Time Objective (RTO)” see chart : 
business
  • Identify prioritised activities, resources needed and determine dependencies and interdependencies.
  • Identify strategies and solutions that:
  1. Meet the requirements to continue & recover prioritised activities within time frame and agreed capacity
  2. Reduce likelihood of disruption and shorten the period of disruption as well as limiting the impact of disruption on an organisation products and services.

c) Design and Development of a BCP and relevant documented information

  • Each BCP, for example, for a communicable disease that can cause disaster and ends up disrupting

A BCP focuses on creating a business plan for infectious diseases such as SARS or a pandemic flu and it requires health care, non-health care as well as first response agencies, e.g, police, emergency, first aid, ambulance, clamp-down laws, violators arrest procedures, infection control measures and workforce plans.

It must also include the following:

  • Why will people be off work?
  • During pandemic diseases, how many people will be off work?
  • Effects of a pandemic on a business
  • Which areas to examine:
  1. Personnel
  2. Equipment
  3. Availability of assets
  4. Back ups
  5. Chain of command
  6. Accounting
  7. Contact list of emergencies

Business Impact Analysis & Risk Assessment Process (BIARA)

Before developing and establishing a formal BCM and BCP it is mandatory to perform a Business Impact analysis and Risk assessment to enable reap the maximum benefit. The sequential steps to effectively and efficiently to follow when putting in place the process includes, but not limited to:

  • Establish the aims and objectives of the analysis and assessment.
  • Determine key activities - e.g maintaining law and order, etc.
  • BC team convenes to review activities-assumptions recorded.
  • Team works through BIA template-see below.
  • BIA Reviewed for adequacy.
  • Conduct risk assessment –record finding and possible treatment in Risk register
  • Identify risk of disruption
  • Risk analysed-treat risk if required and review risk action for adequacy
  • BIA issued

Example of a BIA template

Ref Risk reviewed Function owner Importance Max time restart Normal service Comments
1 Warehouse operations Planning/warehouse vital 48 hrs 7 days  
2 Health and safety -Fire Planning vital Anytime  ongoing  
3 Legionella disease HSO/Planning Critical 24 hrs 5 days  
4 Dengue HSO/planning Critical 24 hrs 7 days  
5 workforce Admin/HR/Planning Critical I day 3 days  
etc etc etc etc etc etc etc

Example of Impact for Disruption and recovery time objectives

Risk reference: 02 Health and Safety –Fire (from table above)

Impact of Disruption Impact overtime Comments Risk treatment Recovery time objective (RTO)
Staff High-24 hrs Unable to take their activities Work at home with supplied equipment and training. 12 hrs
General Public Low -24 hrs Insignificant  Communication  Same day
Warehouse operations High -48 hrs Cease without power lead to damaged unsellable stocks Use generators with regular maintenance and testing 12 hrs
Safety and security  Medium to high 24 hrs Incidents due to prolonged power loss Apply EPR regularly simulated and validated Same day
Customers  High -24 hrs Loss of customers, complaints, claims etc Established a distanced located mini-warehouse with critical stocks  12 hrs

An example of BC measures for pandemic flu or other disruptive situation:

Investigate

Area Options Yes No N/A
Flexible work options People must stay away from work and adopt the ‘work-from-home’ policy. Set up infrastructure through teleworking but continue duties via internet or telephone.    
  Responsibility    
  Essential staff    
Transportation If public transport not available and staff required to report, investigate carpooling or hire private conveyances    
  Responsibility    
  Organise alternative transportation that are affordable    

The BCP Strategy factors

Example of BC Strategy:

business

d) BCP Performance Evaluation

Plans must be exercised and validated through simulations and performance assessment. An Example:

business

Test/Maintain/Audit

  • At least twice yearly the BCP can be subject to audit either internal or external with the view to keeping the framework on its toes and delivers the intended results when disruption occurs.

To conclude, a Business Continuity Management and Business Continuity Plan is an adequate and suitable proactive initiatives and is intended to prevent or reduce undesirable impacts on people, infrastructure before or after a fire, pandemic, storm, earthquake or if there is disruptions related to utility shortage like hydro, gas, electricity etc.

A BCP, during a pandemic, comes as a defensive weapon for businesses, social organisations or schools as it may be required to take unique measures to help slowdown the spread of the disease thus limiting, cancelling social and public gatherings, put in quarantines and/or self-isolations.

By Dr T. Chris Bungshy

Certified Lead Implementer/Auditor of ISO 22301 BCMS – BSI UK

NEBOSH – IGC UK, Grad IOSH, PCQI/IRCA UK

About the author:

Dr. Chris Bungshy is the Director, Trainer and Lead Auditor/Assessor of Global Systems Conformity Ltd with over 20 years experience in the field of Management Systems including QMS, EMS,BCMS, LQMS, ISM, FSMS/HACCP, BRC/IoP, OH&SMS, etc. He has, to now, delivered consulting, training and auditing/assessment services for more than 400 organisations (Public and Private both local and overseas). As a registered trainer at the MQA, IAEA and lecturer/tutor at Open University, Greenwich University, Business Mauritius, MITD and Civil Service College, he has conducted a large amount of training and lectures including OHSAS 18001 and ISO 14001for institutions, agencies, manufacturing and service organisations in Mauritius, Seychelles, Madagascar, Kenya, South Africa, Tanzania, Mombasa, Sudan, Tunisia, Egypt and Morocco.  He is also a winner of CQI UK, International Quality Professional Award, as Notable Entry, 2017 and Finalist in 2018. 

 

Notre service WhatsApp. Vous êtes témoins d`un événement d`actualité ou d`une scène insolite? Envoyez-nous vos photos ou vidéos sur le 5 259 82 00 !