[Blog] Managing Business Continuity For Security And Resilience During Pandemics

Our world transformed into the so-boasted virtual village resultant of globalisation due to the unclamped Knowledge and/or Dream or Experience economy got freely propelled by Digital economy leading us to where we forget the ‘Law of Complacency’ which forbids us to think of and simulate disasters with disruptions and how to wisely and articulately prepare the defensive and recovery scenarios in the fight to save our loving people.

Man and his unthinkable occurrences

We, humans, are very territorial, that is, when we go to a new place, either we like the place or not, we get acquainted very soon and this behaviour is called ‘being complacent’. For example, if we experience any undesired incident in our life or workplace and somehow manage to get over it, we become complacent rapidly and do not get anxious about the idea, if an another similar or more disastrous incident in future re-occurs until we find ourselves to be in a situation where getting out would be as tedious as quickly getting entrapped in a moving-sand like ambush or apocalypse.

Developers of international standards have catered for undesired situations, if  there are or would be major disruptions, ISO 22301 Business Continuity Management system can be used as the model for preventing or reducing adverse impacts of all types of disasters whether natural or man-made.

Benefits of a Business Continuity Management System

Although most people or organisation are not fond of change(s), the Business Continuity Model based on ISO 22301 standard is an implementable model irrespective of size, nature and type of organisation to ensure proper solutions/ideas are developed to address specific risks and impacts with adequate flexibility and understanding.

Furthermore, it has a streamlined documentation structure which allows, one to manage the service continuity during and after disruptive incidents.

The approach of ISO 22301 can become a useful tool, whether you are in private, public or any organisation, helping to achieve continuity of services whilst complying with customer, legal, as well as societal requirements.

What BCM and BCP do?

Who to blame when a disruptive incident occurs?

Imagine you go to work and arriving at the workplace doorstep or your worksite, a cross sign placed on the door says ‘closed’. Where do you go from here? This will of course be the fundamental question that everyone could or will ask. You will be left with no alternative than to get back home where, shockingly enough, elderly people, children, banks, suppliers of higher purchases, landlords - just to name a few - awaiting for your financial support to ensure their liveability and growth. 

Who is responsible? I believe the employers and corporate of organisations who, at the end of the year who do not pay serious heed needed to be clear of their future. How alert we are about disruptive incidents that can wipe you off and time for thinking and reacting would always be after the incident.  Hence, BCMS is a well thought and planned decision for Top Management to prepare for the worst case scenario.

BCMS and Business Continuity Plan, emphasise the importance of:

• the needs and expectations to put in place a Business Continuity policies and objectives.
• the need to have operating and maintaining processes, capabilities and response structures for ensuring the survival of disruptions.
• monitoring & evaluating for robustness of the system ongoing.

Recipients and Beneficiaries of BCM and BCP

What in fact is Business Continuity (BC)?

According to International Organisation for Standardisation (ISO), BC is described as a ‘holistic management process’ that identifies potential threats to an organisation and the impacts to business but has the capability to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption.

But then what is Business Continuity Plan (BCP)?

From the source BCP is documented information that guides an organisation to respond to a disruption and resume, recover and restore the delivery of products and services consistent with its business continuity objectives.

Business Impact Analysis (BIA)?

BIA is the process of analysing the impact over time of a disruption on the organisation.

What is Disruptions?

An incident whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services according to an organisation’s objectives.

There are three elements of threats and vulnerabilities namely:

Impact (outcome of a disruption) categories: 

-    Premises People Suppliers IT Utilities Finance

How to plan the BCM/BCP, implement it, exercise / test it and improve upon it?

A)    Plan a BCM and BCP

• At National Level, Leadership and Commitment must be demonstrated through establishment of National Business Continuity Policy and Business Continuity Objectives and ensure the rooting of its gravity under an enforced Regulatory framework.
• The National Business Continuity Policy (NBCP) should cut across the Government body spearheaded by the Ministry of Civil Service Administrative and Institutional Reform (MCSAIR) down to private organisations, NGOs, SMEs through effective consultation and communication the soonest possible.
• A National Business Continuity Management Unit (NBCMU) must be seen as the edifice erected to address security and resilience that meets the needs and expectation of societal and citizens health, safety and security. Under a patron, nobody else than the Prime Minister himself to begin with.
• The NBCMU will be tasked to determine risks and opportunities related to disruptions, their causes and the prevention or reduction of undesired effects.
• Use the results of the assessment to set Business Continuity objectives to bring about the necessary changes and their potential consequences.
• Build capacity and monitor performance of the steering unit having responsibility and authority to maintain an effective BCM and BCP through ongoing consultation and communication cross-sector organisations.

B)    Development of the BCM & BCP

An effective Business Impact Analysis and Risk Assessment must be performed to determine the risks of disruptions by :

• Impact types and relevant organisation’s criteria
• timeframe within which the impacts of not resuming activities would become unacceptable to the organisation. The time frame can be referred to as the “Maximum Tolerable Period of Disruption (MTPD)” 
• timeframe for resuming disrupted activities at a specified minimum acceptable capacity referred as “Recovery Time Objective (RTO)” see chart : 

• Identify prioritised activities, resources needed and determine dependencies and interdependencies.
• Identify strategies and solutions that:

1. Meet the requirements to continue & recover prioritised activities within time frame and agreed capacity
2. Reduce likelihood of disruption and shorten the period of disruption as well as limiting the impact of disruption on an organisation products and services.

c) Design and Development of a BCP and relevant documented information

• Each BCP, for example, for a communicable disease that can cause disaster and ends up disrupting

A BCP focuses on creating a business plan for infectious diseases such as SARS or a pandemic flu and it requires health care, non-health care as well as first response agencies, e.g, police, emergency, first aid, ambulance, clamp-down laws, violators arrest procedures, infection control measures and workforce plans.

It must also include the following:

• Why will people be off work?
• During pandemic diseases, how many people will be off work?
• Effects of a pandemic on a business
• Which areas to examine:

1. Personnel
2. Equipment
3. Availability of assets
4. Back ups
5. Chain of command
6. Accounting
7. Contact list of emergencies

Business Impact Analysis & Risk Assessment Process (BIARA)

Before developing and establishing a formal BCM and BCP it is mandatory to perform a Business Impact analysis and Risk assessment to enable reap the maximum benefit. The sequential steps to effectively and efficiently to follow when putting in place the process includes, but not limited to:

• Establish the aims and objectives of the analysis and assessment.
• Determine key activities - e.g maintaining law and order, etc.
• BC team convenes to review activities-assumptions recorded.
• Team works through BIA template-see below.
• BIA Reviewed for adequacy.
• Conduct risk assessment –record finding and possible treatment in Risk register
• Identify risk of disruption
• Risk analysed-treat risk if required and review risk action for adequacy
• BIA issued

Example of a BIA template

Example of Impact for Disruption and recovery time objectives

Risk reference: 02 Health and Safety –Fire (from table above)

An example of BC measures for pandemic flu or other disruptive situation:

Investigate

The BCP Strategy factors

Example of BC Strategy:

d) BCP Performance Evaluation

Plans must be exercised and validated through simulations and performance assessment. An Example:

Test/Maintain/Audit

• At least twice yearly the BCP can be subject to audit either internal or external with the view to keeping the framework on its toes and delivers the intended results when disruption occurs.

To conclude, a Business Continuity Management and Business Continuity Plan is an adequate and suitable proactive initiatives and is intended to prevent or reduce undesirable impacts on people, infrastructure before or after a fire, pandemic, storm, earthquake or if there is disruptions related to utility shortage like hydro, gas, electricity etc.

A BCP, during a pandemic, comes as a defensive weapon for businesses, social organisations or schools as it may be required to take unique measures to help slowdown the spread of the disease thus limiting, cancelling social and public gatherings, put in quarantines and/or self-isolations.

By Dr T. Chris Bungshy

Certified Lead Implementer/Auditor of ISO 22301 BCMS – BSI UK

NEBOSH – IGC UK, Grad IOSH, PCQI/IRCA UK