Michelle Cross, National Business Continuity Practice Leader, Wells Fargo Insurance Services, USA
When it comes to business recovery, IT often leads the way. IT has helped organizations be prepared with back-up servers, cold sites, hot sites and Cloud. Applications can be recovered and data can be restored in minutes but what happens next? Are these applications sitting waiting for someone to press the ‘on’ button? Technology recovery is essential, but it is only one piece of the resiliency puzzle. Organizations overlooking the other pieces business continuity, crisis management and crisis communications may find they are unable to survive the disruption.
Organizational resiliency requires getting back to the basics, and step one is Business Continuity. Business Continuity is protecting the operation; the facility, assets, human capital, and technology. Protecting the operations means identifying what functions, at a minimum must be done to keep the business running; when they need to be done; and what resources are needed to make sure they can be done on time. While it can be a tedious exercise, identifying the functions and their recovery time is the basis for achieving resiliency. Once the critical functions are defined, the company can focus on these and prioritize where and how resources will be allocated to best protect those functions and the organization.
Continuing operations requires resources: a facility, (assets, supply chain), human capital and technology, when resources can be limited. Most companies don’t have ready and waiting backups for an entire facility with equipment, staff and raw material just waiting to be used. Prioritizing allows the company to steer resources where they are most needed and to ensure resources are recovered to support the business. For example, when the disaster recovery plan restores “application ABC” in <24 hours, it should be directly tied to supporting a function that must be recovered in <24 hours. If not, the recovery is too robust, and that often means spending more money and resources than is actually needed. A company doesn’t need to invest in a fully redundant, mirrored system where data loss is limited to 15 minutes and applications are restored almost immediately, if their most critical function needs to recover in two days. Aligning technology and business needs helps IT better allocate resources to support the business, while maintaining their budget.
“Organizational resiliency requires getting back to the basics and step one is Business Continuity”
When resources don’t recover as quickly or aren’t fully available, the company needs to identify alternate strategies to continue those functions. When the facility isn’t available because of a fire, a snow storm, or because it is a crime scene from a workplace shooting–how will the critical functions be done? In this case, many companies will have staff transfer to another company location, or where available, will use telecommuting as a strategy. But has anyone fully considered the aspects of telecommuting to ensure the strategy will work? Have the staffs worked from home before–do they even know how to log in? Will they use personal computers (authorized by the company) or do they take laptop computers home each evening? Is there enough capacity or licenses for everyone to log in remotely at the same time? For one company, telecommuting was a preferred strategy until they discovered that everyone can’t log in remotely at the same time.
Protecting Human Capital resources can bring additional challenges. Collectively, the workforce is needed to support the organization. If a large group of employees gets food poisoning from the company picnic, they aren’t coming to work for a few days. What if 20 of your top performers or most experienced staff buy a winning lottery ticket and quit? Can others in the company fill in for them? Will temporary staff or contractors be hired? Can the work be sent to another company l ocation o r t o a vendor? T he impact is not limited to large groups. Some employees have special skills or licenses or credentials that are necessary to complete critical functions: The accountant who has the only password and the single laptop with credentials to access the banking system; the administrative assistant who keeps the keys to the file cabinet containing confidential customer files on her key ring; the facilities manager who is the only person in the company who knows the location of the off-site records storage. Companies need to consider the impact to staff in general and minimize the impact any single employee could have on recovering operations.
The final two pieces of the puzzle go hand in hand: Crisis Management and Crisis Communications. Crisis Management is the overall strategic response to a crisis for the purpose of minimizing the impact to the organization and protecting the company’s reputation. The Crisis Management team is responsible for assessing the consequences of incidents that have the potential to threaten the company as a whole. The primary activities include evaluating the potential impact of the crisis event and selecting, prioritizing and implementing strategic responses to minimize the impact to the company. This team is also responsible for declaring when an event becomes a crisis and when the crisis is over. Crisis Management is like the rudder on a boat–it directs and coordinates the response to most quickly and effectively facilitate recovery.
Managing the crisis well is important but communications about the crisis response and management is essential. Crisis Communications are any and all communications about a crisis. It is not enough to respond and recover successfully from a crisis; companies need to communicate that success. The media, the marketplace and the public have greater faith in companies that are able to manage a crisis. The communications should address all key stakeholders employees, customers, vendors, investors/ the board, regulatory agencies and the media and be made only by trained, designated spokespersons of the company.
Disaster recovery, business continuity, crisis management and crisis communications on their own each bring tremendous value to facilitate recovery but when they are considered pieces of a puzzle, they come together to create organizational resiliency and a matching bottom line.