Ten lessons learned from COVID for business continuity, part two

In part two, we will focus on regular plan exercises, supplier management, and continuous improvement.

In part one, we explained that all companies need to prepare for moments of crisis. We learned that risk management associated with an interruption of business activities starts with defining key processes and a thorough risk analysis. We then learned through practical examples that recovery plans are not enough, but that we must prepare continuity plans and update them regularly. Did you not catch part one? Read it here.

Recovery and continuity plans are usually left somewhere in a file cabinet, all dusty. Only a few managers know about them and no longer remember what’s in them. Science fiction? No, the reality of Czech companies.

Every employee must know the plans. It is a good idea to regularly announce exercises, such as working from home or serving clients without email. Everybody must know what the announcement of the plan means for them, where to go, what to do, and whom to report to.

Every company usually has three to five critical processes and their recovery and continuity plans should be practiced plans every year. For each process, there are multiple possible disruption scenarios, so always choose one of them. You can exercise for fire one year, and the next year for flooding.

If your company has thousands of employees and hundreds of processes, organise exercises for individual organisational units, for instance for regions or districts.

Many companies consider risk management to be static. They conduct an analysis, prepare a plan, and they then file it away in a drawer.

Continuity management is one continuous process which you should manage in compliance with guidelines and policies. It should have its strategy and a manager. Do not forget about continuous improvement and learning. Write down all mistakes and issues that you have registered during the exercise. Learn from them and adjust plans accordingly. Risk management must respond to changes in production, processes, and regulations.

Organisations have incorporated continuity management under operations. Managers responsible for production then made excuses such as: “We don’t have time for such things. We need to address more important matters.” What was the problem?

It is business that is responsible for protecting key activities like continuity management. Therefore, keep them separate from operations, similarly like you do audit. Continuity management must not be adapted to the needs of operations.

Car companies relied on the fact that suppliers will not dare to misbehave under contractual obligations and high penalties. But the just-in-time system failed. Although car companies had enough employees and machines, they were short of parts.

Losses from production interruptions can exceed the penalties for deadline default many times. Supply chain management thus belongs among the most important business continuity disciplines.

Coordinate the protection of important activities with your suppliers. Align your plans or have suppliers adapt their plans to your plan. Prepare procedures for critically important suppliers how to quickly activate an alternate supplier in case of a supply failure. Any supplier can fail. Have others on standby who can jump in quickly and supply anything necessary. Keep a stock of essential materials and parts.

A Czech hospital was attacked by ransomware. For almost two weeks, the systems could not be restored, and the hospital did not have procedures in place to maintain healthcare. The organisation operating in a key sector lacked a proper continuity plan.

Anyone can be attacked by ransomware. Hackers and other criminals multiply their activities during times of crisis. It thus comes as no surprise that the number of cyber-attacks has increased many times during COVID-19. More people may normally work on averting an attack, but at a time of crisis, many more problems must be addressed at the same time, and hackers have a greater change to succeed. Just as a predator attacks the weakest members of the herd, hackers attack the most vulnerable institutions. Don’t forget to prepare for the arrival of several crises at the same time.

In multiple crises, have a team ready that will prioritise and coordinate solutions to all problems. You can also contract backup capacities with your partners in advance, helping you out before you manage to restore your processes.