The COVID-19 pandemic was most likely not your first business continuity interruption. And unfortunately it won’t be the last one. So now is a good time to review why you need an up-to-date business continuity plan that can help you prepare for future risks to your operation.
In today’s information-based society, most organizations have prepared an IT disaster response and recovery plan. In my experience working in asset-intensive industries, I have found that business continuity plans are often not as robust as their associated IT plans. This can lead to some nasty surprises.
Why is there a need for robust business continuity plans?
Depending on your location(s), major risk events like these need to be considered in planning for emergencies:
- Meteorological: tornadoes, hurricanes, flooding, wildfire
- Geological: earthquake, tsunami, volcano, landslide
- Biological: infestation, pandemic
- Human Factors: accidental, intentional
The probability of these potential events depends on many factors in the specific area(s) in which you operate. I once worked at a plant that had both a 100-year and a 500-year flood within a few years of each other! Another not widely recognized example is that there are small portions of the southeastern U.S., thousands of miles from California, that are at high risk for earthquakes. Just because an event doesn’t happen often doesn’t mean it shouldn’t be reflected in your business continuity plan.
In preparing or reviewing a business continuity plan, a business or operating plant needs to define its Recovery Time Objective (RTO) as part of conducting a Business Impact Analysis. RTO is the estimated duration of time allowed for a business or plant to restore post-disaster operations in order to avoid negative consequences to the business operation and supply chain. Each business or plant has a unique RTO based on its step in the overall business supply chain. At one client, I individually asked each department manager what their RTO estimate was for their department and for the plant. I received different department RTOs, as expected, but there was a wide range of answers for the plant. That told me leadership had not thought through the required recovery time objective for their business and location. Thus, they did not have consensus on what constituted a negative business impact. Was it an hour, a day, three days, or a week? Without an RTO that allows for understanding the potentially acceptable economic loss, it’s difficult to develop a cost-effective plan to mitigate risk and build resiliency.
How does a business develop a credible continuity plan?
Assuming there is awareness of the need for a credible continuity plan, how does a business develop one? And how can a business prove its plan is valid and auditable, especially when a third-party insurer is involved? Fortunately, there are recognized standards to use as a basis for development.
NFPA 1600 defines the essential elements of a business continuity plan “for preparedness including the planning, implementation, assessment, and maintenance of programs for prevention, mitigation, response, continuity, and recovery.” One of the strengths of 1600 is how it connects all of these elements into an integrated program.
ISO 22301 “provides guidance on how to plan, establish, implement, operate, monitor, review, maintain and continually improve a business continuity management system (BCMS). This standard helps organizations protect against, prepare for, respond to, and recover when disruptive incidents arise.”
Which should a business use as the basis for a business continuity plan? The International Organization for Standardization publishes ISO 22301, which most countries recognize as the main business continuity standard. The National Fire Protection Agency publishes NFPA 1600, which is primarily a U.S. standard. Reviewing published commentary on both standards, there is consensus that they are nearly identical, with some small differences between them. The point here is not to focus on the differences but to suggest selecting a standard based on your plant or business location. U.S.-based businesses with domestic assets may choose NFPA over ISO, while internationally based businesses may choose ISO.
How do HSE plans differ from business continuity plans?
All organizations maintain up-to-date health, safety, and environment (HSE) plans. You may be wondering how those plans differ from a business continuity plan. Most HSE plans drive compliance and prevention. Business continuity program plans examine and identify potential emergencies and disasters based on the risk probabilities. Based on likely threats and hazards, a business continuity plan aims to reduce the impact of these events by building resiliency. Because not all risk events can be prevented, the plan prepares for those risks. It prescribes actions required to deal with the consequences of actual events and to recover from those events. The plan includes actions to build resiliency to meet the needs of the business. In summary, based on the NFPA 1600 chapters, a business continuity plan covers:
- Program Management
- Planning
- Implementation
- Execution
- Training & Education
- Exercises and Tests
- Program Maintenance
The purpose of the business continuity plan is to increase and sustain an organization’s preparedness, preventive actions, risk mitigation, and the effectiveness for response and recovery.
Why do business continuity plans sometimes fall short of expectations?
Companies that do have business continuity plans often find that their initial plan falls short of desired expectations and results. There are several causes for unexpected or undesirable results. One cause is not fully appreciating the risks of natural disasters, and relying on “that’s why we have insurance for property damage and business interruption.” Insurance is the last line of defense, not the first. Simply relying on insurance disregards the impacts on the broader business.
This leads to a second issue – not assessing realistic risk to your overall supply chain. NFPA 1600 and ISO 22301 encourage risk assessment both upstream and downstream of your operation. In one example, a plant had a multiple-part critical assembly for its final product sole-sourced from a plant in a foreign country. That plant was located in an earthquake zone. Yes, there was an event, and guess what happened to the supply of the assembly after the quake. Yes, it stopped, and affected domestic production. Because the third-party producer did not have an effective recovery plan, the domestic producer had to scramble to find an alternative source.
Another cause of a business continuity plan falling short of expectations is an undefined or arbitrarily determined Recovery Time Objective. This will lead to poor results when an event happens or higher preparedness costs due to meeting an unrealistic RTO duration. Taking a thoughtful, data-based approach that considers asset value, product risk, and lost business revenue will lead to a realistic RTO to meet the business need.
Decisions made early on in capital project planning can also contribute to unsatisfactory business resilience. Value engineering decisions to save on initial cost are typically made during the feasibility study and detailed design phases of large capital projects. I have seen several manufacturers eliminate permanent emergency generators to save money when building new facilities. This was probably a good risk-versus-reward decision. Then, to save additional but smaller amounts, they opted not to construct the necessary electrical connections outside the building to facilitate hooking up portable emergency generators. This would save a small amount of capital but could result in a longer and more difficult recovery.
How should a business review and reinforce its business continuity plan?
What can a business do to address these common obstacles and gaps in its plans? Begin by recognizing the location risks where your assets operate. Adopt a standard to develop or improve your business continuity plan. Create a cross-functional business steering committee and a cross-functional working group to develop and execute the plan. Executing the plan includes building risk-based resiliency and conducting education and simple exercises to meet your organization’s education needs. I recently observed a manufacturing site experience a medical emergency with one of its employees. The site had a clearly defined emergency response plan that covered such an incident. They reviewed the plan during their normal safety meetings. However, the actual event uncovered significant gaps in executing the plan. It was noted they had not done exercises (such as simple tabletop drills) with the shift leaders to practice.
Lastly, the standards (for example, NFPA 1600-2019: Chapter 10) require establishing continuous improvement for your business continuity program. It is a good practice to conduct after-action reviews and reports, using internal resources, for both planned and unplanned events. There is also value in using a third party to assess your business continuity plan against a standard to identify potential gaps that may not be evident to the internal organization. I once assessed a specific aspect of a plant and determined the plant had installed its basement water pumps (in case of small water incursion) tied into the sanitary water system. In an emergency, these pumps would have overwhelmed the sanitary system, causing backup and a functional failure. At another site, an assessment uncovered that the plan did not take into account some human factors (risks) in the post-natural-disaster recovery phase.
Now is a good time to conduct an after-action review for how your organization has responded to the COVID-19 pandemic. You can use what you learn to help create or improve your business continuity plan so that you’re better prepared and more resilient the next time you need to respond to, and recover from, a significant event.
John Cray, CMRP, is a principal consultant with Life Cycle Engineering (LCE). He has more than 30 years’ experience in maintenance management, reliability engineering, small capital projects, manufacturing leadership, corporate reliability leadership, and consulting roles. You can reach John at [email protected].