Blog contributors: Danyle Hepler, Corporate Health & Safety Manager; Karin Holland, Technical Expert
After Hurricane Sandy hit the East Coast in 2012, a photo circulated of a New York City street with buildings in total darkness – except for one. The owners of the building, which housed a multinational firm, had anticipated an extreme event like Sandy and had taken precautions to protect the structure. Unlike the neighboring businesses, this company was able to recover quickly and resume business.
Many of the street’s other businesses, unfortunately, suffered losses as part of the $33 billion in damage Sandy caused in New York state alone. According to the Federal Emergency Management Agency (FEMA), “following a disaster, 90% of smaller companies fail within a year unless they can resume operations within five days.”
But you don’t have to be one of the largest corporations in the world to be resilient. Being prepared with a business continuity plan (BCP), a detailed set of proactive measures to help a company prevent and recover from potential threats, is the right decision for any company – from a corner store to a global organization. Many leaders responsible for ensuring business continuity at their company have developed this type of plan to protect the company’s people, facilities, and equipment so it can rebound as quickly as possible after a natural or human-caused disaster strikes.
Of course, it is hard to envision and think ahead about threats and their impacts if you haven’t had the experience. For example, the operators of a coastal power plant in New England had not experienced a major hurricane in many years so when they learned a hurricane would soon hit they didn’t have a BCP in place to prepare for and mitigate impacts. Fortunately, due to storm forecasting technology they had some time to prepare and suffered only minor losses. If the threat had been one that did not allow for lead time, however, the outcome would have been different.
Companies that have not yet been hit by cybercrimes can fall into this trap as well. Sixty-one percent of companies experienced a cyberattack in the last year according to the 2019 Cyber Readiness Report. On average, those incidents cost U.S. companies $119,000 each. Fortune 500 companies are more likely to have the resources to respond to a breach, but it could be a significant hit for an unprepared smaller company.
The level of detail may vary due to an organization’s complexity, but organizations of all sizes would benefit from developing a plan for how they will remain or get back up and running following a disaster. Many midsized and smaller companies that supply large firms need to demonstrate that they’re a reliable source of materials and services for those larger companies. Midsized and smaller companies often have contractual agreements to fulfill and their customers require them to show and/or submit their BCPs to prove they can meet their obligations. When this happens to your company, will you have confidence in what you are submitting? Will your BCP be a differentiator between you and a competitor?
BCPs can also differentiate a company to investors. Because they add value by preventing future costs due to damages from a disaster, investors often have greater confidence in companies that have a BCP in place. But these plans go beyond financial benefits. Many companies view their social and environmental commitments as material and incorporate those perspectives into their business continuity planning.
So, companies of all sizes and types need to be prepared, but just what should be in your BCP? There are some crucial elements, starting with a full vulnerability assessment, a focus on location, an understanding of your industry’s requirements, and the involvement of key stakeholders, among others. Consider the following five focus areas:
1. Conduct a comprehensive vulnerability assessment with key stakeholders
It’s crucial to start your BCP by identifying the key stakeholders who lead core company programs and efforts such as Quality, Maintenance, HR, Finance, suppliers, etc. Without the right people, it will be impossible to develop the right BCP. Of course, the “right people” will depend on each company. From there, the group needs to work together to conduct a comprehensive vulnerability assessment. To do so, the group inventories all company assets, prioritizes those at risk, and then tries to determine the likely impacts to the business should a disaster occur.
Doing this exercise as a unified team will help determine if there are redundant systems, how many communication lines each would be able to run, how much inventory they have, and if it’s on-site or not. It’s crucial to understand where everything is and if there are redundancies.
Once you have collected threats from stakeholders, the next step is to rank them based on how great the risk is that they present. Your stakeholders can also help put dollar figures on each threat or create a timeline to determine how long it would take to resume normal operations if a disaster were to take place. Cost and recovery time are key to assessing response alternatives for your BCP.
2. Understand industry requirements
Some industries are regulated in ways that mandate certain aspects of BCPs. For example, the City of Boston’s zoning code “requires all projects achieve at minimum the ‘certifiable’ level utilizing the most appropriate U.S. Green Building Council Leadership in Environmental and Energy Design (LEED) Rating System(s)” with the expectation that projects will have the goal of constructing “the highest performing and most resilient building feasible.” Likewise, building safety regulations such as seismic codes dictate not only how structures must be built to withstand earthquakes, but also how storage racks inside buildings must be anchored. Such policies will help shape developers’ BCPs.
In the pharmaceutical and food industries, regulations are designed to ensure the production of safe and effective products. For this reason, BCPs in these business segments may need to work closely with their quality assurance team to understand recall requirements and must stay sharply focused on maintaining production process standards and procedures, even if the manufacturing facility must be relocated.
Whatever industry you’re in, it’s crucial that you understand requirements and ensure your BCP appropriately includes them.
3. Customize your plans by location
Because there are different hazards and issues depending on geography, corporate BCPs need to include location-specific plans. For example, utility companies often have facilities with different challenges spread out over large geographic areas. Smart Electric Power Alliance reports that electric utilities “are deploying unique, region-specific technologies to prevent outages within their service territories.” Other utility companies are controlling power generation to avoid sparking that may cause ignition of wildfires. One example of this is California’s Anza Electric Cooperative, which has five different weather stations to help predict where wildfires might start so it can “shut off circuits due to local weather conditions to prevent fire ignition.”
Likewise, for other organizations there will be situations that can be handled at the local site and others where coordination with another sister site will be necessary. This will be the case, for example, if a product can only be made in a particular type of facility.
Planning across geographies is also important to ensure individual locations work together. A large chemical company took this approach by strategically placing several large trailer generators so they can be moved as needed. In this case, the company must invest capital and place the generators to suit the needs of individual locations. When BCPs are connected at different levels in this way, trigger points will indicate when it’s time to escalate to the next level of the plan.
4. Make your plan user friendly
One potential pitfall of BCPs is that they can become too comprehensive and therefore difficult to implement. To avoid this, key stakeholders must agree on what should stay and what should go and work diligently to make their plan very concise. It is much more effective to have something short and meaningful that won’t just sit on your shelf and will be accessible in multiple locations. Likewise, you can have an action-oriented plan, but if it has 350 actions, it will be impossible to implement. Another key is to have clear accountability for each aspect of your plan so there is no confusion about who will do what when the time comes.
5. Don’t forget your peopleImagine if your facility is in an earthquake and your BCP ensures that your equipment is fully functional soon after the disaster. If you haven’t factored in what your employees will need in the aftermath, you’re missing a key part of the plan. It’s not just “turning the machines back on,” but also getting your people back, which may be challenging or impossible if transportation infrastructure connecting the facility and community is damaged. Sometimes, impacted organizations may even include making sure employees’ families have food and other essentials. Rightfully so, your staff will worry about their families first. Do you have plans to help them have the peace of mind they need to enable them to come back to work?
Regardless of your company’s size, the industry you work in, or the location of your facilities, threats ranging from natural disasters to workplace violence put your bottom line at risk. You need a business continuity plan to ensure your operations can recover quickly if the worst happens. What you put into this plan and how you communicate and implement it are also crucial to its success. You will need a realistic plan that includes a full vulnerability assessment, location-specific needs, industry requirements, and a user-friendly format. If you have questions about your current plan or are looking to set one up for the first time, email Danyle or Karin.
Danyle is a Corporate Health & Safety Manager at Haley & Aldrich. She is a Certified Safety Professional (CSP) and Certified Environmental and Safety Compliance Officer (CESCO), Certified Professional Environmental Auditor (CPEA). She is a contributor to the 6th revision of ANSI/ASSP Z590.3-2011 American National Standard: Prevention Through Design: Guidelines for Addressing Occupational Hazards and Risks in Design and Redesign Processes, as well as ASSP TR-Z590.5-2019, Technical Report: How to Develop and Implement An Active Shooter/Armed Assailant Plan.
Karin is a Technical Expert who leads the resilience practice at Haley & Aldrich. She is a Credentialed EnvisionTM Sustainability Professional, an EnvisionTM Verifier, a LEED-Accredited Professional and a certified ISO 14001/EMS lead auditor.