Expecting the unexpected: A business viewpoint

Daily Mirror (Sri Lanka) - MIRROR BUSINESS - BY LIONEL WIJESIRI (Lionel Wijesiri is a retired company director with over 30 years’ experience in senior business management. Presently he is a freelance journalist and could be contacted on law[email protected])

The Easter day bombings in Sri Lanka created a sense of deep fear among the citizens; it still prevails even one month after the incidents. Even in the business sector, these acts of terror have served to create uncertainty within the marketplace. Most analysts believe that, if the trend continues for another few weeks, it can lead to investor apprehension and many other adverse financial consequences.

The Sri Lankan business community therefore now has to be vigilant and make arrangements to deal with the impact of this type of incident in future. By remaining alert but not alarmed, they can reduce the impact of any future threats. The business community cannot be complacent, hoping that there will not be any more attacks.

Business continuity planning

It is in this respect that the concept of business continuity planning (BCP) plays an important role in today’s businesses, whether they are small or big. Let us see what it really means.

If we are to take the phrase ‘business continuity’ at face value, the most obvious meaning would be the ability of the business or enterprise to continue operating as a going concern for a very long time. But the term actually means more than what the words literally say.

The International Organisation for Standardisation, in ISO 22300, defined business continuity as the capability of an organisation to continue the delivery of its products or services, at acceptable pre-defined levels, following a disruptive incident. It implies that the business owners and management are responsible for ensuring that the business stays afloat and ‘on course’ despite any obstacles or stumbling blocks it encounters along the way.

These ‘disruptions’ may be any major crisis, from a terrorist attack to natural disasters such as flooding or fire. They can even include the pull-out of the main customer with 35 percent of the customer base and your marketing manager.

In fact, business continuity is about building and improving resilience in the business. Organisational resilience means that the business can weather any storm and withstand any hits and still remain operational, productive and profitable.

Two components

Preplanning: Preplanning refers to the arrangements, measures, tactics and policies designed to ensure continuity of business operations, so that critical products and services are still delivered to customers.

Resources: The second component refers to the resources or assets that are necessary for recovery measures, thereby supporting business continuity. These resources often include manpower or personnel, information, facilities, machinery and equipment, physical security tools, legal support and funding.

Steps in developing a BCP

1: Identify cost

Prepare a tentative budget taking into consideration the expenses that may be incurred in the process of developing the plan. These include the costs of research, training and seminars and other services sought in the process of moving the plan along.

2: Form BCP team.

Choose the people who will be assigned the task of planning for the continuity of the business. Identify their key roles and responsibilities. Define the lines of authority and accountability, as well as management succession. The leader can be a senior manager. There can be a programme coordinator, information officer, representatives from all business units, etc.

A team could have only five people on board or it could have as many as 20 or even 30 members.

3: Conduct a Business Impact Analysis

Conduct a Business Impact Analysis (BIA). A BIA includes an exploratory component to reveal any vulnerabilities and a planning component to develop strategies for minimising risk. The result is a business impact analysis report, which describes the potential risks specific to the organisation studied. It will also aid the team in gathering information that will be helpful when it comes to developing strategies that can be adopted by the company for its recovery from the crisis.

A typical BIA may include key business areas, critical functions of the business, resources required to ensure the continuity of these key areas and tolerable downtimes for each critical process or function.

4: Strategise and plan

Based on the results of the BIA, identify response and recovery strategies and plans to address the effects of the disruption and present them in detail. It is in this phase that the team will provide details on the arrangements and measures that the company will undertake in order to mitigate threats. Cost estimates should also be included. That is how detailed this phase should be.

5: Documentation

Write the Business Continuity Plan. First do the draft. Make adjustments. Retest and if satisfied, finalise. The plan must be tested frequently and updated when necessary.

6: Training and testing

The training programme or curriculum needs to be followed by the members of the business continuity team and the other members of the organisation.


Another important element of a business continuity plan is that it needs to be a solid working document where every aspect is constantly reviewed and updated in response to changes in organisational circumstances. To keep pace with issues as they arise, the plan must be formally owned by a member of staff who can take on the responsibility for overseeing arrangements and who possesses the authority to co-ordinate actions.

Whoever manages the plan will need to take a full interest in almost every aspect of the business. From recruitment to IT policies, from outsourced services to new building and renovation work – there are security implications to almost every major decision.


The entrepreneur should also decide what should be protected and what their priorities are. The general categories are as follows:

(a) People – staff, visitors, contractors, customers;
(b) Physical assets – buildings, contents, equipment and sensitive materials;
(c) Information – IT systems, online transaction systems, electronic and paper data;
(d) Processes – supply chains, critical procedures, production cycle.

Organisations need a clear consensus about which assets they regard as valuable and which they regard as essential. For example: (a) those assets which the organisation has a duty to protect – staff, client services, production systems, etc.; (b) high-value assets that are worth additional or specific security investment; (c) unique assets which, though not necessarily of a high monetary value, would be difficult to replace.


How a business defends itself against a terrorist attack depends on individual circumstances. For most organisations the response will involve a mix of good housekeeping alongside appropriate investments in CCTV, intruder alarms and lighting that can deter as well as detect. In fact, many recommended counter-terrorism measures will help to protect against other criminal acts such as theft and vandalism.

Certain situations, however, may require more specialist equipment (parcel and mail scanning technology, for example) and organisations should seek professional advice for an assessment of their requirements and options before taking any major decisions.

If an attack by a vehicle bomb is a concern, the priority should be to ensure all unauthorised and/or unscreened vehicles are kept at a safe distance, ideally keeping cars at least 30 metres from the buildings and larger vans and lorries at least 90 metres away.

Access routes, car parks and surrounding open areas should also be assessed. Suitable traffic calming measures such as bends and chicanes and tested vehicle security barriers should be installed to create and enforce the appropriate blast stand-off distances.

Guidance about the safe use of email at work is essential. Members of staff should be aware that their work email account should be used predominantly for work-related correspondence and that private email accounts are not to be used to contact clients or to forward/receive confidential information.

However, no single security response or level of investment will provide ‘total’ protection. Nor is it practical for a business to invest in every solution available on the market. Even so, an up-to-date business continuity plan and security plan can help to protect against the worst possible consequences.
