The topic of business resilience in the 21st century is a complicated one. That is especially true when thinking of the significant challenges facing all business due to the worldwide pandemic.
While the need to focus attention on business continuity during the pandemic is crucial and an essential part of operational risk management, the current hurricane season has certainly added additional emphasis on its importance. It’s more important than ever that organizations pay attention to the business resilience needs of corporations facing severe weather-related risks.
The 2020 hurricane season in the United States has been particularly active.
As of this writing, the 2020 Atlantic hurricane season is the first on record in which nine tropical storms formed before August and 13 formed before September. The strongest storm thus far in 2020 has been Hurricane Laura with sustained winds of 150 miles per hour at its peak. Laura, which formed on Aug. 20 and dissipated Aug. 29, wreaked havoc on the Gulf Coast as well as the Midwestern and Eastern United States. To date, approximately 70 deaths have been recorded and damage costs are estimated to be around $9 billion.
Weather-related risk continues to grow as storms become more frequent and grow in intensity -- all the more reason to prepare a solid business resilience plan.
What do we mean by business resilience?
The classical definition of business resilience is the ability of an organization to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets and overall brand equity.
This begins with an understanding that workflows must be preserved in order for organizations to survive unexpected events. An often overlooked element of business resilience centers around the human element in which team members need to be prepared with a structured approach to manage and deal with the event(s) at hand.
Much discussion on business resilience touches on “Black Swan” events, first discussed by Nassim Taleb, who warned that, “Our world is dominated by the extreme, the unknown and the very improbable... while we spend our time engaged in small talk, focusing on the known and repeated.”
Truer words could not have been spoken as we think about the significant challenges facing organizations in a complex global world of intertwined supply chains. During the Coronavirus disease (COVID-19) pandemic, we have seen some of those challenges with disrupted supply chains of basic supplies and commodities. The reasons for these disruptions will be the subject of research for years to come.
That’s why it’s important for companies to develop a focused plan that outlines straightforward and actionable steps to build an effective supply chain/disaster management plan for the significant risk of weather-related events.
What steps to business resilience should you consider?
The development of a solid business continuity plan is at the heart of operational risk management. That point has never been more important than it is today, as businesses large and small are working to manage the impact that COVID-19 is having upon their respective operations. As indicated earlier, however, other operational risks like weather-related events are also extremely important. A key component of any solid business continuity management approach is consideration to how a business reacts to what we refer to as a “critical incident,” which can take the shape and form of weather-related events, pandemics, fire, flood, labor actions, port closures and motor vehicle accidents, to name a few.
The key to each of these events is business preparedness that includes processes that allow organizations to react quickly with strong pre-planned mitigation strategies that can be cascaded to all parts of the business. The situation we face each day is very fluid and subject to state-by-state interpretation and actions they implement. That said, the ability to pre-plan is critical to how we manage and communicate within our business community.
There’s a 10-step process for business resilience preparedness:
Step 1: Business continuity management policy
Each operational location has developed a business continuity management (BCM) policy statement and has clearly communicated this to all staff.
Step 2: Provision of resource
Each operational location has appointed a BCM champion with the appropriate seniority to be accountable for implementing the plan and managing a critical incident.
Step 3: Incident management team
Each operational location has formed an incident management team (IMT) with deputies for all key functions.
Step 4: Business impact analysis
Each operational location has conducted a business impact analysis (BIA) that identifies and isolates activities that support its key products and services and its priorities for recovery of critical activities.
Step 5: BIA risk assessment
Each operational location has completed a thorough risk assessment and documented the locational threats (for example, does the site pose a flood hazard due to coastal and/or low-lying geographic exposure?).
Step 6: Determining choices
Using the risk assessment conducted in Step 5, assure that the operational location has identified risk solutions for each of its critical activities.
Step 7: Determining BCM strategy
Each operational location has determined how it will recover each critical activity within its recovery time objective, including the resources required for resumption. Communication with state and local governments will determine the likely course of action.
Step 8: Business continuity plans
Each operational location has created business continuity plans (BCPs) for all possible risks that could affect critical operations and the BCPs are to detail how to manage the incident and how it will recover activities. Each location has identified primary and secondary locations for storage of supplies and/or alternate work sites. Communicate with local governments to determine a likely course of action.
Step 9: Maintaining and reviewing
Each operational site has ensured and leadership has validated that its BCM arrangements are reviewed and documented at planned intervals. Depending on the situation, the plan may require further development to include where only basic safety and security functions are maintained. Communicate with local governments to determine the likely course of action.
Step 10: Testing and exercising
The IMT has developed a process to conduct at least three table-top exercises during a 12-month period of time. Lessons learned should be incorporated into future planning. The critical incident team has planned for the effective allocation of resources between facilities to meet on a regular basis.
These steps are intended to serve as a guide, rather than a complete strategy. Each business should consider the unique characteristics present within their industry and particular business segments.
Remember: test, modify, test, modify. All plans are dynamic and should be consistently modified to meet the unique characteristics of events as they present themselves.
If organizations are aware of their vulnerabilities and take steps to develop capabilities to address those unexpected disruptions to business operations, significant risk will be mitigated and the business will be in a more advantaged position when compared to peers.