Business Continuity Planning and Management

David Alexander
University College London

[Diagram: stages of a crisis]
• Pre-crisis situation: crisis of management
• Trigger
• Crisis incident: operational crisis
• Post-crisis situation: crisis of legitimation
[Diagram: CRISIS]
• REPUTATION: perception, communication
• OPERATIONS (ACHIEVEMENTS): concrete developments (positive, negative)
Crisis management as a combination of management of events and management of reputation

[Diagram]
• ACHIEVEMENTS: failed or succeeded; unknown, hidden or known, publicised
• REPUTATION: positive or negative; perceived or not perceived
• Inside influences: resilience of organisation, crisis management capability
• Outside influences: resilience of system, external factors ("force majeure")
"The interim goal of the planning
     process is to develop a business
  continuity plan (or set of plans) that
 can be evoked (i.e. used) in the event
    of an interruption. Planning marks
  neither the start nor the end of the
  BCM process. Its ultimate goal is to
      improve the resilience of the
organisation's business to interruptions,
   thereby protecting its operating or
             trading position."
                        Elliott et al. 2001.
The ingredients of resilience
• Redundancy
• Adaptability
• Attitude
• Participation
• ...and communication
Managing risks
Some typical risks:-

• loss of customer records
• breakdown of the supply chain
• failure of essential services on which
  production or customer support depends
• inability to deliver the product for a
  significant period of time for any reason
• negative perceptions of the company by
  clients, customers or the public.
Some reasons why supply chains fail:-

• industrial action halts production

• faulty components lead to product recall

• supplier ceases trading (goes
  into bankruptcy or receivership)

• fire, flood or natural disaster
  strikes supplier's premises

• computer systems fail.
Possible impact of interruptions
       to supplies and suppliers:-
•   loss of independence
•   inability to fulfill orders
•   loss of confidential or sensitive info.
•   increased exposure to fraud
    and unauthorised transactions
•   loss of data
•   loss of audit trail
•   failure of purchasing and
    scheduling software systems
•   legal liability due to failure to
    fulfill contractual obligations.
To what extent should
 business continuity management
focus on managing the event itself
   and to what extent should it
     focus on protecting the
    organisation's reputation?

 A poorly managed crisis cannot
 completely be compensated for
  by a slick publicity offensive.
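Generic crisis typology

[Diagram: crises arranged on two axes, Internal to External (horizontal) and Technical / economic to Social / organisational (vertical). Items are listed from the technical / economic end to the social / organisational end.]

Internal:
• Major accident
• Product failure
• Computer failure
• Sabotage
• Occupational health disease
• Fraud

External:
• Natural disaster
• Aggressive takeover
• Social breakdown
• Product tampering
• Terrorism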
A simple risk assessment matrix

[Diagram labels: HAZARD, VULNERABILITY, EXPOSURE]
[Figure: risk matrix. Probability of occurrence: impossible, improbable, occasional, probable, frequent. Severity: negligible, marginal, moderate, serious, catastrophic. Risk level: acceptable, significant, critical.]
BCM risk assessment matrix

                      Probability of occurrence
Degree of threat      Low           Medium        High
High                  Priority C    Priority B    Priority A
Medium                Priority D    Priority C    Priority B
Low                   Priority E    Priority D    Priority C
Objective risk can be calculated from
statistical data on past events.
Not all risks can be measured.
Perceived risk is the assessment of
hazard made subjectively by individuals
Risk aversion:
• intolerance of a risk that is perceived
  to be unacceptably high
• desire to reduce it to negligible levels.
Some risk reduction measures:-

•   stock reduction
•   separation of high-risk storage
•   design changes
•   safety training
•   data security
•   data storage redundancy
•   product and building security.
Where does Business Continuity sit
within the organisation and its links?
[Organisation chart]
Company Board and CEO
  Business continuity management board
    BCM project team (and leader)
      • direct project
      • ensure appropriate resources
      • ensure quality
        [Departmental] working group
        Risk register
        [Departmental] working group
Where BCM fits in...

[Diagram: BCM shown among related emergency plans]
• Hospital and health system emergency plan
• Airport and transport emergency plans
• Mutual assistance pacts
• Municipal emergency plan
• Regional and county or provincial emergency plans
• National emergency plan
• Industrial and commercial emergency plans
• Cultural heritage emergency plan
• BCM
Constructing a BCM plan
[Diagram: planning around a disaster]
• Permanent emergency plan
• Monitoring, prediction & warning
• Strategic, tactical & operational planning
• Disaster
• Aftermath
• Business continuity plan
• Recovery and reconstruction planning
[Diagram: phases of the BCM process]
• Initiating the process
• Planning for business continuity
• Implementing the plan
• Changing the mindset
• Managing the crisis

   •   scope
   •   policy
   •   structure
   •   resources
   •   mechanisms
A crisis management plan:-

• should be simple in conception

• is a living document that needs
  continual updating

• should define the ground rules for
  co-ordinating emergency activities

• should be able to deal with internally
  and externally generated crises.
Crisis management planning
        for business continuity:-

• should focus on recovery and prevention
• should seek to discover what is not known
• requires the support of top management
• is dependent on context: organisations
  cannot necessarily be changed drastically
• is conditioned by managers' perceptions
  of the risks the organisation faces.
Constructing a risk register

• all employees should be encouraged
  to contribute to the identification,
  discussion and exploration of risks
• institute a "no fault, no blame"
  culture for the identification of risks
• appoint and train a risk manager
  in each department of the organisation
• have frequent and open discussions
  about how to manage the risks.
Business impact analysis

Internal analysis
• products and services
• activities and resources
• dependencies

External analysis
• market environment
• stakeholder analysis
• supply chain analysis

Business impact evaluation
• Objectives
• Risks
• Priorities
• Scenarios

Create the BCM plan
[Diagram: THE COMPANY at the centre, surrounded by its stakeholders]
• Staff
• Directors
• Managers
• Suppliers
• Customers
• Competitors
• Distributors, wholesalers, retailers
• Creditors, bankers
Business continuity analysis

[Diagram: components around the master plan]
• Risk register
• Syntheses of procedures (1 page each)
• Master plan
• Annexes: detailed procedures
• Revisions, control processes
Internal analysis for determining
      recovery priorities:-

• products and services

• activities and resources

• linkages and dependencies.
Key issues in the analysis of
       products and services:-

• what does the organisation do
  (inc. number and variety of P & S)?
• who and what are involved in the
  creation of products and services?
• how are activities linked?
• market share, revenue and profits
  of individual products and services?
• patterns of time and associated issues.
An audit of company resources
         (and their vulnerability):-
•   physical manufacturing equipment
•   information technology systems
•   transportation, storage and logistics
•   telecommunications systems
•   financial resources
•   intellectual property
•   employees (human resources)
•   buildings and facilities
•   subsidiaries and divisions which produce
    components, parts or materials.
Some pertinent issues:-
• what is the correct level of duplication
  and redundancy of resources?
• what is under-reaction, over-reaction
  and the right reaction?
• how to evaluate a situation
  quickly in order to know
  the right measures to take
• what balance between managing
  the crisis and managing
  the company's reputation?
Issues for BCM planning:-

• prevention of overlapping response

• eliminating gaps in response
• ensuring response is robust and durable
• analysing needs, auditing resources
• ensuring a compatible response
• training people to do it.
Specifying an incident
        management structure:-

• call-out arrangements
• means of co-ordinating groups and teams
• command and control structures
• communications channels & media contact
• inter-departmental and inter-
  organisational co-ordination measures.
Sub-routines of the BCM plan:-
• emergency operations centres
• information gathering and data storage
• evacuation plans
• public warning and alerting systems
• resource procurement
• press and public relations arrangements
• welfare plans for victims and staff
• communications plans
• continuity of service
• long term recovery plans.
Summary of the business continuity planning process:-
•   identify objectives and scope
    - recognise why and where BCM is needed
•   identify the causes of possible crises
    - anticipate a range of interruptions
•   business impact analysis:
    - balance between investment and exposure
    - resources, linkages, dependencies
    - external influences on BCM
•   business impact evaluation:
    - internal and external analyses
    - the likelihood and consequences of crises
    - anticipate future changes in today's plans
[Diagram: Disaster threat at the centre, surrounded by]
• Perception
• Knowledge
• Risk assessment
• Risk analysis
• Risk management
• Risk communication
• Institutional learning
• Adaptation
Good luck with your plans!

Introduction to Business Continuity Management
