Business continuity management: Preparing your ... - GE Capital

GE Capital

Business continuity management: Preparing your business for emergencies

viewpoint


When you think of unforeseen events that might disrupt your business, some obvious ones come to mind: natural disasters, power outages, data breaches and acts of terrorism, to name a few. But there is also a host of more common threats that can derail most forms of commerce, ranging from flu outbreaks to labor strikes, supply chain interruptions to negative publicity. For the same reason that individuals take out insurance policies to protect their homes and their health, companies need to protect themselves against these kinds of disruptions so they can: minimize the loss of data, revenue and customers; get core business functions back up and running efficiently; reduce dependency on specific personnel; maintain the company’s reputation; and, in extreme cases, safeguard human life. According to Business Network of Emergency Resources, 44 percent of businesses that do not have recovery plans in place and lose records during a disaster never resume business, and 47 percent of businesses without such a plan that experience a fire or theft are out of business within two years.

Business continuity management — a three-pronged strategy composed of crisis management, disaster recovery and business continuity planning — helps avoid these outcomes by arming business leaders with a blueprint for minimizing damage and recovering quickly when the unexpected happens. Since financial services firms and insurance companies became mandated by law to have recovery plans in place, business continuity management has come to be practiced across many industries and by businesses large and small, either because they recognize the benefits or because they are required by their business partners to plan for emergencies.


What should a business continuity plan cover?

The last thing you want to do during a crisis is spend time trying to figure out what decisions you need to make. A big part of planning ahead for emergencies is understanding those decisions and knowing how to prioritize them in the heat of the moment. Critical questions you should be asking as part of business continuity management include, but are not limited to:

• Who? You need to know who is going to make key decisions, which employees are critical to maintaining business operations, and who is going to step in for critical employees who can’t perform their tasks as needed.


• What? IT equipment and other infrastructure needed to conduct business may be compromised and you need a plan to restore this equipment or turn to a suitable alternative. You also need to know what you are going to communicate to customers, stakeholders and the press.
• Where? Employees need to know where they are going to be able to work if their routine workspaces are compromised, and they need to know where to retrieve data and supplies in the event they are lost or destroyed.
• How? You need processes in place to guide your employees as they seek to answer the questions above, and you need to know how you are going to communicate with workers and customers under a wide variety of scenarios.

Businesses can answer each of these questions by adopting a three-pronged strategy that breaks decisions into three major categories: crisis management, disaster recovery and business continuity.

Crisis management

Above and beyond any other considerations, the safety of your employees has to come first. You need an emergency response process in place to establish your workers’ whereabouts, take head counts, manage evacuations, identify safe zones or shelters, and coordinate with emergency authorities. After the safety of your workforce is established, you need someone within your organization to serve a command-and-control function, coordinating the response of each business and the interactions between them, prioritizing and allocating resources, and managing media communications.

A recovery coordinator should lead the crisis management team and that person should have the ear of senior management. The recovery coordinator should be supported by a blend of representatives from operations, facilities, administration, communications, IT and human resources.

Disaster recovery

Where crisis management focuses on people, disaster recovery is mainly concerned with the information technology and other infrastructure that are required to conduct business. The disaster recovery team works to ensure that critical information is being backed up on a regular basis, that alternate systems are in place to carry the load when IT components are compromised, and that the loss of data is minimized. In a perfect world, all data is backed up daily and fully-equipped alternate sites are at the ready during times of crisis. However, these solutions in many cases may be cost prohibitive, so it’s up to the disaster recovery teams to judge which information or IT capabilities the company can’t afford to lose. Due to the focus on technology systems and components, this team is mainly comprised of IT specialists, but representatives of each business are included to help assess the nature and extent of any problems and report back to their respective departments.

Business continuity

One of four discrete threat scenarios typically causes business interruption — and your business should have a plan for addressing each one from a business process perspective:

1. Loss of facility: The place where work happens is compromised in some way.
2. Loss of IT: Employees and customers lose access to information technology resources that are needed to support revenue-generating activities.
3. Loss of a critical vendor: A key business partner experiences their own disruption, which in turn affects your ability to service customers.
4. Loss of workforce: Key personnel are unavailable to work.

The business continuity team is the most forward-looking of the three, as it documents how the company will respond, in a methodical step-by-step way, when addressing each of these disruptions before they occur. When a crisis hits, they work to ensure that these procedures are being followed, that workarounds are operating as designed, that authority is being delegated properly, and that external partners such as vendors are actively involved if necessary.

The business continuity team is comprised of XXXX. All three teams need to be involved in the planning process when a business begins to map out its strategy for managing events that could seriously threaten the health of its workforce, compromise its ability to deliver products and services to customers, or tarnish the company’s reputation.

The process for building a formal business continuity management plan typically involves five key steps: 1) assessing the risks, 2) determining the business impact if those risks come to fruition, 3) developing a recovery strategy, 4) developing and documenting the formal plan, and 5) validating and testing the plan.

Step 1: Conducting a risk assessment

The first step in crafting a business continuity plan is to understand and catalog the multitude of risks that can impact your business. These range from geographical threats (e.g., hurricanes in the U.S. Southeast, snow or ice in the U.S. Midwest and U.S. Northeast, earthquakes in California), to security risks (both cyber-related and physical breaches), to personnel issues (e.g., pandemics, labor unions, location-specific workforce issues in remote corners of the world), to infrastructure disruptions (e.g., IT failure, lost power/phone service). Businesses should also consider potential threats to vendors, who may be exposed to many of these same risks, as well as local economic conditions such as low unemployment that could make it difficult to solve staffing shortages. While these issues can affect all businesses equally, there are also risks specific to your company that should be identified and analyzed. For instance, a refrigerant company whose business is keeping customers’ food products fresh has to consider the risk of freezer failure.

Step 2: Analyzing business impacts

The second step entails examining the worst case scenarios if any of the identified risks actually come to fruition. These impacts should include not only the quantitative aspects such as lost revenue and associated expenses, but the qualitative costs as well, such as potential hits to your corporate image and compromised customer service. The business continuity team’s task is to identify those business processes that would be jeopardized in such an event, and how those disruptions would impact the business from a financial, legal, regulatory and customer relationship perspective. Business dependencies also need to be assessed, as your company may be able to restore its internal processes quickly but business can’t resume because a data provider or other outside partner is still in recovery mode.

While the business continuity team is getting a handle on potential business impacts from a broad perspective, the disaster recovery team should be conducting a technical impact analysis to understand how different businesses within the organization would be affected by an IT disruption, such as loss of Internet connectivity or a critical application.

Understanding these potential repercussions is important because it helps you prioritize your recovery plans to focus first on those processes that would cause the most harm if they were compromised for a prolonged period. Conversely, you may decide that those processes with relatively low potential impact could go a number of days or weeks before they began to meaningfully impact the business.

Step 3: Setting a recovery strategy

Next, your business needs a game plan for how it’s going to recover when any of the risks your company faces materialize. One helpful way to think about this aspect of the planning exercise is to match up the four kinds of loss identified above with how your organization would optimally respond.

Loss of facility

Your business needs a workplace strategy in case your existing locations are rendered unavailable. In some instances, employees may be able to accomplish their work from home or another remote location. In others, work may need to be transferred to a sister site or another location within your company.

Loss of IT

Your business should have technical workarounds should you lose access to data or applications needed to operate and generate revenue. The disaster recovery team will want to make sure the business is backing up vital records and other critical information, and that redundant IT systems are in place that share the same data but not the same location in case one of them is inoperable. The team will also want to decide whether to maintain a “hot site” (an alternate location where all systems are loaded and ready to go), a “warm site” (basic machines exist but may or may not have operating systems on them) or a “cold site” (an empty alternative workspace where IT systems can be installed) to house IT processes in the event of an emergency.

Loss of a critical vendor

Even when you require your vendors to have their own business continuity plans in place, you can’t control what happens within their organization when a crisis hits. You should have emergency contact numbers for each vendor, and a contingency plan for obtaining products or services when they aren’t able to recover quickly.

Loss of workforce

Losing key personnel can be just as disruptive as losing a main supplier or service provider. That’s why each business should have a plan that identifies what work needs to be done no matter what, and what work can wait. When the employees who normally manage critical tasks can’t be counted on, you may need to leverage other people within your organization. The business continuity team should have a well-established workflow assignment plan that maps out which employees will be pulled into critical assignments in the case of emergencies. Your business should ensure that employees are cross-trained on different tasks to ensure they establish a basic competency level for work assignments they may be asked to cover.

As these determinations are made, you should conduct cost-benefit analyses along the way to make sure that the expenses tied to your contingency plans in each area don’t exceed their level of importance to your business. A lot of companies exhibit a tendency to go overboard on business continuity plans, sometimes at great expense. Some costs may in fact be prohibitive. For instance, a hot site for IT applications may offer the quickest recovery but won’t be worth the expense if the businesses those applications support can go a few days without them and still keep customers happy.

Step 4: Formalizing the plan

Once the recovery strategy has been discussed, it’s time to write down the procedures that will guide employees’ step-by-step responses in each scenario. When it comes to business continuity, a certain degree of flexibility is needed so employees don’t fall into the trap of not being able to respond to changing conditions as they occur. These procedures are meant to help them prioritize decisions that need to be made and provide general guidance on how to make them.

By contrast, the technical procedures drafted by the disaster recovery team should be detailed and precise. After all, when an application needs to be brought back online, there’s only one way to do it. As such, the team should create explicit instructions for aiding the recovery of lost IT applications and components, along with an inventory of all Internet protocol (IP) addresses associated with the business and emergency contact information for any IT vendors.


Importantly, you need to consider all of the assumptions that underpin your plan during this step, particularly those related to the recovery schedule and the timing of each step along the way. For instance, if your strategy spans a recovery period of two weeks, you need to come up with alternate plans for what you will do if your business is still working at less than full capacity when that time is up.

Step 5: Validating the plan

Having a formal plan will allow you to begin the process of training all personnel who will be involved when a crisis hits, from key executives to members of all three teams, to vendors. The more they understand their own individual responsibilities, the better equipped your organization will be to act quickly and efficiently throughout the recovery timeline.

This training should begin as a series of tabletop exercises, where different scenarios are considered so employees can understand their assignments and expectations from the standpoint of timing and results. During these meetings the business continuity team members stress the interdependencies between departments and response teams, so that individual responders will understand how their actions will relate to others.

The tabletop exercises should eventually transition to real-life walkthroughs. During this final step, it’s important to be on the lookout for procedures that may need to change or adjust in the face of wrong assumptions or new information. Each team leader should be thinking of ways the plan may get off track, so that gaps can be remedied beforehand.


Conclusion

Most business leaders like to think that if they deliver a superior good or service, customers will stick by them no matter what comes. But, in reality, even the most loyal customer will hold out only for so long before they go elsewhere to meet their needs. These days, there are any number of growing threats that can knock a business out of commission for an extended period of time, increasing the chances of losing sales that never come back. Knowing how your business would respond ahead of time to these potential disruptions is the best way to soften the blow, protect critical information and processes, and help your organization recover as quickly as possible.

GE Capital is an extension of GE’s rich heritage of building and supporting growth. Investing in the sectors we know best, we can provide more than just financing: We bring insight, knowledge and expertise to every loan. And as a result, businesses that finance with GE Capital benefit from the global know-how and expertise of GE. gecapital.com

© 2014 General Electric Capital Corporation. All rights reserved. This publication provides general information and should not be used or taken as business, financial, tax, accounting, legal or other advice. It has been prepared without regard to the circumstances and objectives of anyone who may review it; therefore, you should not rely on this publication in place of expert advice or the exercise of your independent judgment. The views expressed in this publication reflect those of the authors and contributors and not necessarily the views of General Electric Capital Corporation or any of its affiliates (together, “GE”). GE does not guarantee that the information contained in this publication is reliable, accurate, complete or current, and GE assumes no responsibility to update or amend the publication. GE makes no representation or warranties of any kind whatsoever regarding the contents of this publication, and accepts no liability of any kind for any loss or harm arising from the use of the information contained in this publication. “GE,” “General Electric Company,” “General Electric,” “General Electric Capital Corporation,” the GE Logo, and various other marks and logos used in this publication are registered trademarks, trade names and service marks of General Electric Company. You may not use, reproduce, or redistribute this publication, any part of this publication, or any trademark or trade name without the written permission of GE.
