30 Jul RE-THINKING BUSINESS CONTINUITY PREPAREDNESS: LEARNINGS FROM COVID-19 PANDEMIC
Many of us have thought that we have “effective” business continuity plans in place to deal with large-scale disruptions. We were somehow assured by testing and auditing those plans to comply with policies, guidelines and standards. Yet many of us were caught under-prepared to cope with the COVID-19-induced crises that unfolded in an accelerated manner. A PwC survey observed that 83% of Malaysian businesses were significantly impacted, with only 47 % claiming to be well-prepared.[i] The way that we usually measure the effectiveness of our plans and approaches somehow could not translate into real preparedness when confronted with global discontinuities.
Have we brushed aside the pandemic threat as a “black swan” event[ii] that came as a surprise, inappropriately rationalised and has major effects? Perhaps even legitimising and rationalising that thorough risk assessment as one very unlikely event to happen, despite early warnings from similar past events of smaller scales (SARS, MERS and Avian influenza). We may not have factored in significant capacity degradation of people and inability of technology to scale up, in operating legacy complex processes that are rigid, thus fall short of absorbing shocks and reducing surprises. We now learned that there were aspects of disconnect between effectiveness and preparedness for large-scale discontinuity events.
Overcoming such setbacks resulting from under-preparedness, we need to quickly re-think what business continuity is and focus on what value it brings towards enhancing resilience in coping with the next global large-scale discontinuities.
Re-thinking Business Continuity
The International Organisation for Standard (ISO) defines business continuity as the “capability of an organisation to continue the delivery of products and services within acceptable time-frames at predefined capacity during a disruption”[iii] That capacity to continue delivery is conditioned upon resource availability of people and technological systems to operate various business processes. We need to re-think that concept as an ongoing agile capability that is responsive towards containing and recovering from catastrophic events. Particularly those discontinuities beyond what we can possibly rationalise. Hence, we should now embrace business continuity as one resilience-enhancing practice, with a capacity to cope with dangers and learn to bounce back[iv]. The conventional approach sees business continuity as something of an add-on, with complex procedures, tasks and assumptions. This approach is unlikely to bring much value to contain stabilisation when confronted with continuous shocks and surprises that are beyond anticipation.
Thus, one fundamental question to ask concerning preparedness is as follows: what assurance do you have that the critical business processes can continue to operate the moment when your business is struck with a discontinuity crisis? Responses to this question will be the guiding principle in rethinking business continuity.
Above all, one pre-requisite to engender rethinking of business continuity lies with strong C-level commitment towards embedding business continuity into the mindset of each and every level of managers and associates, including those of third-parties providers. Preparedness needs to be interwoven into the cultural fabric of business norms and peoples’ behaviour as an actionable strategic priority. Without a strong tone at the top to drive a cultural change and continuously enhancing on those changes, business continuity will end up as one of many regulatory compliance objectives and statistics, producing “fantasy documents” to justify its effectiveness.[v]
Replaying the COVID-19 induced crises, we are confronted with:
- Significant reduction in peoples’ capacity to operate business processes across geographies due to illness, death and other personal challenges.
- Logistic, device availability, and end-user support bottle-neck with handling the sudden surge in demand to deploy work-from-home arrangements.
- Problems of many manually operated tasks and activities within business processes that rely on peoples’ intervention, such as review and approval of hard-copy records (some are regulatory or procedural requirements).
- Conventional plans that placed reliance on transferring operations to another unaffected geographical location were not the solution for pandemic responses.
Operationally, all of these hinder the completion of a particular transaction – impacting revenue generation and payments. Operational issues would chalk up tactical deployment and further break-down strategic goals during crises. Amid all these challenges, we need to explore areas where we can rethink the way that business continuity preparedness can be enhanced, with the following broad questions and recommendations.
How Agile is your Response?
- Seamless transition to secure remote working arrangements.
- Embedded “testing” or exercise via continuous hybrid working arrangements.
- Principle-based response, embracing sense-making instead of prescriptive recovery tasks and activities with voluminous plans and manuals.
- Empower responders to decide on the ground, monitoring from a “command post”.
- Serious about regular awareness, exercises (rehearsals) and continuous learning as one cultural norm.
- Know exactly what critical business processes are to focus on bringing stability to people, technology and processes.
Simplify Business Processes
- Streamline business processes – digitalise workflows and data, and remove redundant tasks and activities.
- Develop a self-service portal and data warehouse to ease users’ accessibility.
- Use models of software-, platform- and infrastructure-as-a-service.
- New business models and architectures that adopt digitalisation in design thinking.
- Engage policy-makers and/or regulators towards digital data exchanges, such as tax and regulatory submissions.
How Scalable is your Technology?
- Use technology as a service that can change in size and scale to respond to shocks induced by discontinuities (E.g. bandwidth, virtual private network, software licenses, and equipment).
- Engage the third parties to provide user support across geographies instead of rigid capacity from in-house support.
- Consider application-, platform- or infrastructure-as-a-service: scalable to users, transaction volumes and development activities.
How Prepared are your Third-party Providers?
- Due diligence over third-party service providers’ business continuity preparedness.
- Third-party service assessment, including business continuity.
- Joint business continuity awareness, exercises and collaborative learnings – embracing shared responsibility.
As many nations are transitioning into an endemic phase of COVID-19, let us not discard all those learnings from the unprecedented event. Among those salient considerations that support the re-thinking of business continuity include:
- Sensitive to the ever-changing risk landscape, watch out for early warnings and avoid decisions that put early warnings on back-burner issues.
- Embed regular discourse on business continuity across all levels of associates and managers, including third parties’ representatives, towards enhancing awareness and strengthening cultural embeddedness.
- Prioritising strategic change towards business process simplification by embracing digitalisation in design thinking, coupled with adoption of scalable technologies and usage of reliable third-party service providers.
Before the next globally impacted discontinuity crises emerge, we need to enhance our preparedness without further delay. The end goal is to embed business continuity thinking and agile capability within business models and processes that have sufficient planned capacity to cope with shocks, the notion of a 24 by 7 prepared state.
Hence, it is a journey of business taking ownership of knowing where we are, what we want to achieve towards a business continuity prepared state, and how do we get there. All of these can only happen and sustain when we embody a change of mindset that sets things in action, regularly challenging our preparedness state amid uncertainties. To this end, the whole is greater than the sums of its parts prevail. Let us not forget this adage, as we need to embrace a shared responsibility among all stakeholders in this journey to reach the end goal, hopefully.
[i] PricewaterhouseCoopers, “Building Resilience for the Next Normal,” PwC Global Crisis Survey – Malaysia Report, https://www.pwc.com/my/en/publications/2021/global-crisis-survey-malaysia.html
[ii] Taleb, N.N.; The Black Swan: The Impact of the Highly Improbable, Penguin, London, 2010.
[iii] International Organisation for Standardisation (ISO). ISO22301:2019. Security and Resilience – Business Continuity Management Systems – Requirements, Switzerland, October 2019, https://www.iso.org/standard/75106.html
[iv] Wildavsky, A.; Searching for Safety, Routledge, USA, 1988.
[v] Clarke, L.B.; Mission Improbable: Using Fantasy Documents to Tame Disaster, University of Chicago, Chicago, 1999.
Wong, Albert K.L. is pursuing his PhD in business continuity management (BCM). He promotes thought leadership and advises on organisational resilience. He embraces 30+ years of experience as a director, manager and expert role across pharmaceutical, financial service and technology industries, plus outsourcing, consulting and assurance practices.