Business continuity is the strategic and tactical capability of an organization to plan for and respond to business interruption in a way that allows them to continue business operations at an acceptable, defined level. ASIS International calls it Organizational Resilience (OR). Business continuity is not something a company undertakes when they learn a hurricane is coming. It requires a methodical, detailed analysis of both organizational and stakeholder requirements and the development of a process that includes:
• Creating and setting the standard that the plan will be measured against or held to;
• The understanding of an organization’s risk, security, preparedness, response, continuity and recovery requirements;
• Establishing a policy and objectives to manage risks;
• Implementing and operating controls to manage an organization’s risks within the context of the organization’s mission and culture;
• Monitoring and reviewing the performance and effectiveness of the OR management system; and
• Continual improvement based on objective measurements.
Large-scale interruptions can result from catastrophic natural disasters, such as the recent disaster in Japan, pandemics and manmade acts such as terrorism or war. Other lesser interruptions can result from events like a localized fire, flooding, civil unrest, local epidemics, a labor dispute, or internal criminal events such as workplace violence incidents. Business continuity may also be threatened by the unexpected death of one or more key officials. Whatever the event, it is necessary that organizations in the supply chain prepare for these eventualities in order to minimize effects on their core mission, preserve the safety of personnel and maintain the integrity of physical sites and business processes.
Knowing and mapping the standard business process is the key component of the BCP. It should include a review of the ancillary relationships that, if affected, would have a direct impact on the organization’s ability to meet its legal and stakeholder obligations. The emphasis of such planning is “resilience,” the adaptive capacity of an organization to a complex and changing environment and the protection of critical assets. Once this concept is fully incorporated into an organization’s management systems, the end result should be a significant improvement in the capacity of the organization to respond to disruptive events.
The process of crisis and business continuity planning involves developing formal plans to guide an organization through extraordinary times. Not only is the written product of the process a valuable result, the process itself has great value to an organization. As risks and situations are identified during planning, they can be immediately mitigated. Similarly, when resources and assets are surveyed, opportunities and efficiencies may become apparent, and can be seized upon immediately.
The planning process seeks to identify significant vulnerabilities and uncover previously unrecognized single-points-of-failure. The process then seeks to create redundancies and parallels for those points to minimize their criticality. In today’s competitive market, OR is critical, and planning should include not only the core processes of the organization, but also the ancillary processes and organizations that are critical to central objectives.
Ultimately, the resulting plan, training and awareness provide organizations with the capacity to manage extraordinary events in a manner that minimizes disruption and loss. By doing this, organizations garner the confidence of stakeholders, shareholders, staff and customers, and prepare themselves to perform in a manner that justifies that confidence, should the worst happen.
The primary objective of BCP is to assess threats, examine existing preparations, identify vulnerabilities, and determine potential points-of-failure for an organization’s facilities, processes and business enterprises. In addition, an organization must prepare adequate plans to confront and manage extraordinary events that may endanger personnel and property, or disrupt the course and conduct of business for the organization. In other words, the BCP should include plans to provide for multiple layers of responses based upon an event and its severity.
The objectives need to be measurable and consistent with the organization’s established policies and should include:
• Risk prevention, reduction and mitigation;
• Resilience improvement;
• Financial, operational, and business continuity requirements;
• Compliance with legal and other requirements; and
• Continued improvement.
The plan should be an individual fit for a unique organization’s corporate culture, operational requirements and organizational structure. Even companies of similar size producing the same type of product are a different combination of culture, management style and organizational structure. Companies have different degrees of vertical integration, supply chain, and distribution interface dependency. No universal BCP model will fit every company’s needs. An adequate, workable plan must be tailored to address the challenges of a company in a real-world crisis when the survival of the enterprise is at stake.
The preparation of a custom business continuity plan is a detailed and involved process. As such, it should be designed to minimize any impact on a company during preparation. Any process that unnecessarily interferes with productivity on the part of the staff and organization becomes a cost as opposed to a benefit.
The required input information is normally gathered from operating and administrative units. A company’s operating management and administrators will best be able to establish the criteria and parameters for normal operations and stages of recovery. Management within individual operating units should be responsible for analyzing the impact of disruption on various process components; the best recovery mechanisms; and the criticality of sources, resources and production components.
Planning Parameters and Style
“If it ain’t broke, don’t fix it.” Use and adapt those things that are already developed or in place. The first part of the plan development process is to assess current plans and identify pre-existing plans that are working and available. It is easier to use preexisting processes than to develop new methods for no reason.
People within a company are more familiar with culture and process than outsiders. Use their expertise first. Modify their information and ideas as needed to conform to the specified models, standards and best practices being used to guide the project. Most solutions and remedies already exist within an organization if the right people can be interviewed and encouraged to participate. This internal information gathering process is an area where an outside consultant experienced with the planning process and familiar with best practices and current models can contribute to the efficiency and economy of developing the plan.
Most importantly, make the product of the project work for the company. Every company has a unique culture, facility, and environment. Make sure to accommodate these individual characteristics.
Business success is based on survival of the fittest. A large part of being the “fittest” in the modern world is being prepared to take advantage of competitive options that appear suddenly and disappear just as quickly. In a large-scale catastrophe, being prepared to survive crisis and quickly resume normal operations is a distinct advantage in a market where competitors struggle to do the same. On a local scale, surviving emergencies and crises that affect your business alone can be the only thing that prevents unaffected competitors from moving in on your markets to fill the void for your customers. Being the “fittest” means being as prepared as possible to cope with and recover from catastrophe. That preparation is based on thorough planning, having a complete understanding of factors that threaten your business processes, and having a sound plan for replication, repair and contingency operations toward the ultimate objective of minimizing losses, returning to normality and turning the situation from survival to competitive advantage.
On the Ground and In the Air: Protecting the Supply Chain
A port in Montreal and a major airline that operates more than 3,400 flights a day: we asked two readers to share their experiences with protecting their supply chains.
Security magazine: How do you secure your supply chain?
Vance Toler, director, corporate security, Southwest Airlines, Co.: “To a large degree, the supply chain, distribution centers and warehouses involve protecting moving targets, so taking the time to understand operational needs and accurately define the true risk, including specific points in the process that present highest likelihood of loss, is the most important challenge security leaders need to overcome. Communication is key to developing successful cross-departmental partnerships. In each of these environments the potential points of compromise encompass a large number of people across different geographical locations, but that threat is not distributed equally. We identify what specific points in the process present highest likelihood of loss, including the potential impact of that loss event. Is the likelihood of loss in a given point only a few items, or much larger quantities? Only then do we identify and implement accurate risk-based, cost-effective options to mitigate loss.”
Steve Chyzenski, chief security officer, Termont Montreal (a container terminal situated within the Port of Montreal): “As a sea port, everything we do is guided by legislation, through the Canadian federal government and the port security doctrine of the United Nations. So much of our day is spent working with federal agencies and customs officials. We are considered an open-air bonded warehouse, and we are about one-half mile long by one-quarter mile wide. At any given time we have upwards of 8,000 containers coming from or destined to any area of the world. Again, there are no walls and no roof – nothing to keep the bad guys out. Our challenges include the fact that most of what is found is contraband – illegal drugs and firearms. Are we making a dent in that illegal operation? We are making a dent in what goes by, but I don’t think that we’ll ever stop it. It’s not just coming from organized crime, but it’s from extremists that are funding their operations through illegal drugs, and they are using our sea ports to get their goods into foreign countries. No matter what we do they will keep trying, because it’s a source of funding for them. But while the ships are in our port, in our care, we have to ensure that nothing goes amiss.
Our open environment, coupled with the bad economy, is very inviting to strangers. Fortunately we have a great intervention team and detection system, but the invitation is huge. We’re lucky that we have many layers of security and we have very few break-ins.”
Security magazine: What solutions are working for you, and what tools do you wish that you had to use?
Vance Toler: “At Southwest Airlines, cargo is an important part of our revenue producing operation. A few years ago, corporate security, in partnership with our cargo department, developed an awareness campaign to lay the foundation for, and to bring both visibility and accountability to a sustainable program aimed at theft prevention. Other targeted initiatives include a process for tracking specific high-value cargo from dockside delivery to destination.
We also conduct annual security assessments of high-volume facilities, which include photographs and specific threat-based ratings on areas of concern and our cargo leaders respond with corrective action taken.
Incident statistics are tracked and monthly reports sent to local leaders. Technology also plays a key role with the broad use of cameras in our warehouses.
The bottom line: I believe our layered approach makes our cargo facilities and shipping process one of the most secure in the industry.
What do I wish that we had? RFID technology would be an enhancement, not only with our ability to provide better service for our customers, but would offer specific location detail for missing items.”
Steve Chyzenski: “We have a great guard force, which is our security base, but we also employ a hybrid fiber optic and wireless security system. We use infrared cameras to survey the waterside. Analytics has been helpful, as well. It’s a great new tool for us. I look forward to the day where the cargo is RFID sealed. It would greatly assist us, as now, our guard force has to check containers several times a day.”