Preparedness improves Response.
What if a tidal wave hit a major US city? What are the chances of that happening and would the government and business sectors be prepared? This is the first in a series of blogs that will look at how organizations can prepare for anything and what it takes to be prepared.
There is a growing trend across the globe in both the private and public sectors toward greater use of risk-based management.
That’s a good thing.
Another trend is the growing understanding by senior leaders of organizations that they need to be better prepared for business disruptions and crisis.
That’s also a good thing.
The problem is most organizations are actually unprepared to handle anything beyond the typical problems faced every day. I’m not saying they can’t eventually handle it, but they will waste a lot of time trying to figure out what they should be doing and some may never recover.
That’s a situation that can easily be addressed.
So why are so many businesses and organizations unprepared? We have identified three big challenges they need to overcome:
First, is ensuring plans are actually in place. There are 5 essential ones. We’ll talk about them in this series of blogs.
Second is ensuring organizations not only use risk management but also start integrating risk management across their entire enterprise and use it as the basis for their plans.
And finally, organizations need to ensure effective communication efforts are integrated into all their plans.
Why the focus on Communication?
Effective communication is a key element in all of the 5 essential plans organizations need to be prepared for a disaster or a crisis.
More than that though, communication is fundamental to how we do business.
For the US Government, communication with stakeholders, especially the public is deemed a Primary Mission Essential Function. Meaning, without the ability to communicate the government can’t function properly.
5 Essential Plans every organization needs
The first two most of you are probably already familiar with:
- Business Continuity Plan
- Crisis Action Plan
The second two are just as important but very few organizations actually have them in place:
3. Cybersecurity Crisis Response Plan
4. Crisis Communication Plan
And finally, the fifth plan is a new one that the global crisis we are facing today has made essential:
5.Pandemic Action Plan
We did a survey a few years back in collaboration with RMIA, the Risk Management Institution of Australasia. Here the RMIA survey findings about the first 4 essential plans.
Per the survey here are the percentages of respondents who said their organizations had each one of the following four plans:
- Business Continuity Plan 75%
- Crisis Action Plan 33%
- Cybersecurity Crisis Response Plan 26%
- Crisis Communication Plan 21%
This matches up closely with a recent survey by a major U.S. insurance firm. That survey found that while larger businesses had business continuity plans in place, about half of all small businesses were operating without a business continuity plan. Many thought that having insurance was good enough.
Unfortunately, this is still the situation today, per the results of a study done by Mercer this year.
There were also some issues with the business continuity plans that we’ve identified.
The top ones were:
- Most BCPs were too IT focused and didn’t cover all the critical functions and business processes.
- Testing of the plans weren’t done or if they were it was mostly done on the IT systems.
- Most didn’t address what to do when major suppliers and vendors had a problem.
- Most were old and had not been reviewed or updated in years.
- Only a few people actually had a copy of the plan, and it usually was saved on the network. So if the network went out – no one had access to the plan.
Incidents happen every day and most are small and can be handled by standard business practices and procedures.
For example, IT outages happen regularly and they usually get resolved by your IT staff quickly.
Bigger incidents may cause minor business disruption or even the delay in the delivery of products or services. Still, most organizations are prepared to deal with those through their normal processes.
The more serious incidents, those that cause major business disruption and can even threaten the survival of your company require immediate action and focus. These are truly a crisis.
The important thing to note is that most of these major incidents can and should be planned for. Even if you don’t know exactly when or how they will occur.
If you look at the plans you see that they actually are part of a larger continuum of effort that starts on the normal, day to day side.
You have policy, business processes and standard operating procedures that are meant to handle most issues.
When things get disrupted beyond the normal … then the Business Continuity Plan kicks in to restore or redevelop the critical business functions needed to keep operations going.
When a major disaster or crisis hits, the BCP isn’t really geared to handling that.
So a Crisis Action Plan is needed to guide management decision making and actions at the critical points.
We’ll talk about that Plan in the next installment of our blog.