Crisis management as a combination of management of events and management of reputation ACHIEVEMENTS failed unknown, hidden succeeded known, publicised positive perceived negative not perceived REPUTATIONInside influences Outside influencesResilience of organisation Resilience of systemCrisis management capability External factors: "force majeure"
"The interim goal of the planning process is to develop a business continuity plan (or set of plans) that can be evoked (i.e. used) in the event of an interruption. Planning marks neither the start nor the end of the BCM process. Its ultimate goal is to improve the resilience of theorganisations business to interruptions, thereby protecting its operating or trading position." Elliott et al. 2001.
RedundancyThe ingredientsof resilience Adaptability Attitude Participation ...and communication
Some typical risks:-• loss of customer records• breakdown of the supply chain• failure of essential services on which production or customer support depends• inability to deliver the product for a significant period of time for any reason• negative perceptions of the company by clients, customers or the public.
Some reasons why supply chains fail:-• industrial action halts production• faulty components leads to product recall• supplier ceases trading (goes into bankruptcy or receivership)• fire, flood or natural disaster strikes suppliers premises• computer systems fail.
Possible impact of interruptions to supplies and suppliers:-• loss of independence• inability to fulfill orders• loss of confidential or sensitive info.• increased exposure to fraud and unauthorised transactions• loss of data• loss of audit trail• failure of purchasing and scheduling software systems• legal liability due to failure to fulfill contractual obligations.
To what extent should business continuity managementfocus on managing the event itself and to what extent should it focus on protecting the organisations reputation? A poorly managed crisis cannot completely be compensated for by a slick publicity offensive.
A simplerisk assessment matrix HAZARD VULNERABILITY EXPOSURE
occurrence improbable Probability impossible occasional frequent probable Severity of negligible marginal moderate seriouscatastrophic Risk level: acceptable significant critical
Degree of threat High Priority C Priority B Priority A Medium Priority D Priority C Priority B Low Priority E Priority D Priority C Low Medium High Probability of occurrence BCM risk assessment matrix
Objective risk can be calculated fromstatistical data on past events.Not all risks can be measured.Perceived risk is the assessment ofhazard made subjectively by individualsRisk aversion:• intolerance of a risk that is perceived to be unacceptably high• desire to reduce it to negligible levels.
Some risk reduction measures:-• stock reduction• separation of high-risk storage• design changes• safety training• data security• data storage redundancy• product and building security.
Where does Business Continuity sitwithin the organisation and its links?
Company Board and CEO Business continuity management board BCM project team (and leader) • direct project •ensure appropriate resources • ensure quality Risk[Departmental] register [Departmental] working group working group
Where BCM fits in... HOSPITAL AIRPORT AND AND HEALTH TRANSPORT SYSTEM EMERGENCY EMERGENCY PLANS PLAN MUNICIPAL REGIONAL AND MUTUAL NATIONAL COUNTY ORASSISTANCE EMERGENCY PROVINCIAL EMERGENCY PACTS PLAN PLAN EMERGENCY PLANS INDUSTRIAL AND CULTURAL COMMERCIAL HERITAGE EMERGENCY EMERGENCY PLANS PLAN BCM
Permanent emergency plan AftermathMonitoring Strategic,prediction tactical & operational& warning planning Business continuity plan Recovery and reconstruction planning Disaster
Initiating Planning for Implementingthe process business the plan continuity Changing the mindset Managing the crisis • scope • policy • structure • resources • mechanisms
An crisis management plan:-• should be simple in conception• is a living document that needs continual updating• should define the ground rules for co-ordinating emergency activities• should be able to deal with internally and externally generated crises.
Crisis management planning for business continuity:-• should focus on recovery and prevention• should seek to discover what is not known• requires the support of top management• is dependent on context: organisations cannot necessarily be changed drastically• is conditioned by managers perceptions of the risks the organisation faces.
Constructing a risk register• all employees should be encouraged to contribute to the identification, discussion and exploration of risks• institute a "no fault, no blame" culture for the identification of risks• appoint and train a risk manager in each department of the organisation• have frequent and open discussions about how to manage the risks.
Business impact analysisInternal analysis External analysis• products and services • market environment• activities and resources • stakeholder analysis• dependencies • supply chain analysis Business impact evaluation Objectives Risks Priorities Scenarios Create the BCM plan
Business continuity analysis Risk registerSyntheses of Annexes: Masterprocedures detailed plan (1 page procedures each) Revisions, control processes
Internal analysis for determining recovery priorities:-• products and services• activities and resources• linkages and dependencies.
Key issues in the analysis of products and services:-• what does the organisation do (inc. number and variety of P & S)?• who and what are involved in the creation of products and services?• how are activities linked?• market share, revenue and profits of individual products and services?• patterns of time and associated issues.
An audit of company resources (and their vulnerability):-• physical manufacturing equipment• information technology systems• transportation, storage and logistics• telecommunications systems• financial resources• intellectual property• employees (human resources)• buildings and facilities• subsidiaries and divisions which produce components, parts or materials.
Some pertinent issues:-• what is the correct level of duplication and redundancy of resources?• what is under-reaction, over-reaction and the right reaction?• how to evaluate a situation quickly in order to know the right measures to take• what balance between managing the crisis and managing the companys reputation?
Issues for BCM planning:-• prevention of overlapping response• eliminating gaps in response• ensuring response is robust and durable• analysing needs, auditing resources• ensuring a compatible response• training people to do it.
Specifying an incident management structure:-• call-out arrangements• means of co-ordinating groups and teams• command and control structures• communications channels & media contact• inter-departmental and inter- organisational co-ordination measures.
Sub-routines of the BCM plan:-• emergency operations centres• information gathering and data storage• evacuation plans• public warning and alerting systems• resource procurement• press and public relations arrangements• welfare plans for victims and staff• communications plans• continuity of service• long term recovery plans.
Summary of the business continuity planning process:-• identify objectives and scope recognise why and where BCM is needed• identify the causes of possible crises anticipate a range of interruptions• business impact analysis: balance between investment and exposure resources, linkages, depedencies external influences on BCM• business impact evaluation: internal and external analyses the likelihood and consequences of crises anticipate future changes in todays plans