Business Continuity Management

Business Continuity Management. Significant Insights from Practice. Kush Srivastava. 2023. Routledge. 144 pp.

Back Cover

Business Continuity Management (BCM) is a critical aspect that investors and directors evaluate in terms of an organizations’ sustainability and future value in the face of supply chain disruptions, threats of economic nature, or climate change. This guide demonstrates a simple and systematic way to ensure that businesses are prepared for any crisis or emergency, including steps to meet the specific requirements prescribed in the international Business Continuity Standard, with a particular focus on the oil and gas sector. The seasoned author team brings their experience to bear on critical issues such as:

• Where managers lose focus on the need for business continuity and how to regain it
• How to select and implement business continuity management tools
• How to plan combining management of the supply chain, risk, and business continuity
• How to think about crisis, and solutions, in peaceful times
• Why organizations should invest in business continuity even in times of scarcity

This guide to understanding the role of BCM as an organizational strategy will earn its place on the desks of senior leaders, safety directors, corporate trainers, and risk management professionals.

The Authors

 

Kush Srivastava, is a global award-winning seasoned Business Continuity, Crisis and Risk Management practitioner and consultant inducted into the BCI Hall of Fame in 2019. He has 30+ years of experience in assessing, designing, and customizing BCMS frameworks leading to organizations being resilient and crisis ready across the management hierarchy.  

Waddah Ghanem Al Hashmi, is a certified director and respected industry specialist with a passion for improving the QHSE and the overall success of compliance, governance, and leadership systems in the energy sector, where he has an in-depth knowledge of all facets of technical, operational, and procedural systems.

 

Quotes

To be successful in bouncing back, prepare for the uncertain.

Summary + Notes

 

Where Do Leaders Falter in Implementing Business Continuity?

Time constraints of leaders and senior managers of the organization to deal with assumptions or probable crisis events. Forward looking leaders prepare for the worst. What if...? What can go wrong? Invest in BC plans allocating financial, operational and human resources.

• Event: Domino's Pizza obscene video. 2009.
• Immediate Result: Image damage.
• Response: Apology. Emphasis on cleanliness and quality. Employees fired.
• Enablers: Root cause analysis. Corrective action. Oven to doorstep tracking.
• Outcome: Domino's awarded Pizza Chain of the Year in 2011.

• Event: United Airlines offloaded passenger. 2017.
• Immediate Result: Image damage. 
• Response: Attack on the passenger. Then apology.
• Enablers: Lack of empathy. Delayed apology. Inadequate procedures.
• Outcome: Capital loss of 1 Bn dlls in 48 hrs.

• Plan A. The daily course of action.
• Plan B.
• Plan C.  

Factors in bad crisis management and the corrections needed:

• Governance. Unmonitored or Ill-Monitored. Set the required framework (people and processes) for implementing it. Adequate oversight. Regular reviews. Delay in action is the same as absence of action.
• Culture. Lead by example. Implement BCM: Prepare plans, practice, asses, feedback and repeat. Be proactive and creative.
• Budget. Allocate the budget for training, tools, and any other “head” in this domain. There is no free lunch.
• Inexperienced managers. Leadership. Continuous training.
• Over worked staff. Customized burden of responsibilities. Don't burn them out.
• Complex documentation. Emergency policies, procedures, and processes must be written in simple, easy-to follow language.
• Form-filling exercise. BCM is not a senseless requisite. Practice and knowledge of BCM matters.

Best Practice for Success in Business Continuity

How to improve:

1. Experience of personnel.
2. Best practices of the industry.
3. Observation of successful organizations.

Implementation phases of BCM:

Planning Phase. 

1. Allocation of budget.
2. Strategy and distribution of roles.
3. Proper documentation: Who, why, what, when, where and how.
• Keep in mind: Cost of planning vs. cost of failure. Deal with crisis in a planned manner rather than react.
• People, processes, technology.
• Care for your people
• Clear processes
• Tech to help downsize a disruption

Execution Phase.

1. Focus on critical operations for the business
2. Risk management must define acceptable level of risk as a quantifiable number.
3. Business Impact Analysis (BIA) parameters must be SMART (Specific, Measurable, Achievable, Realistic and Time-bound)

1. RTO – Recovery Time Objective

2. MAO – Maximum Acceptable Outage
3. MBCO – Minimum Business Continuity Objective
4. RPO – Recovery Point Objective
4. These values determine 
1. Level of investment in BCM
2. Categorization of critical and non critical activities
5. Risk Management. Alignment across the whole organization. Protocols.
6. Emergency response. Define the steps to do after disruption. Quick response.
7. Competence. Experience, training, mentoring, info sharing.
   

Reinforcement Phase.

1. Validate the plan of the initiation phase.
2. Communication Mechanism. Check the information flow.
3. Test and exercise. Team gain confidence. Bring out fallacies. Feedback. Reinforce. Discard.
4. Update budget.

Selecting a BCM Tool: Imperatives and Prime Considerations

• What constitutes a crisis?
• Are we resilient as an organization?
• Are the organization personnel crisis ready?

1. Automation. is what we need? At what degree? Where does it rest the human factor?
2. Universality of the tool. Time in the market. Share of its market. Updates and training. Provider support. Compatibility. Registered users in the organization. Friendly interphase. 
3. Objectivity. The tool serves the purpose of the organization? Cost/benefit. 

Capital Considerations for Assessing BCM Requirements

• How much should we invest in BCM? Cost/benefit. Marginal cost.
• What are the deciding factors to choose BCM? 
• What are the essential requirements? Skilled staff (hard and soft). Adequate budget. Governance.
• What training is required for its effective implementation? Skills. Compatibility. Do-ability.

BCM gives benefits without any adversity being faced by the company, as improvement in operations, better utilization of resources, and deep knowledge of the organization. EXAMPLE: ALCOA Keystone Habits and Paul O'Neill.

“Peace Time” Initiatives for Organization Management

1. To deal with risk:

• Incident Management. 
• Emergency Response. 
• Crisis Management. 
• Crisis Communication. 
• Business Continuity. 
• IT Disaster Recovery. 
• Media Response. 
• Stakeholder Management. 
• Emergency Procurement.

1. Test and Exercise of Various Plans. Ownership: Who do what. Clear hierarchical structure wherein multiple plans come into play during crisis/emergency.
2. Feedback and improvement. Reality check. Follow up open issues until they are resolved, closed.
3. Validate Effectiveness of Training. What works well with the people and what doesn't.
4. Ensure Supply Chain Resiliency. Preparedness of Vendors-Supplier chain. Is our critical dependency covered? Delivery time, cost of operation, penalties from breach of contracts, re-works, further risks: cyber attacks, financial risk, operational risk, fraud, corruption, counterfeiting.
5. Operative Readiness of People, Processes, and Technology. Team and equipment working in line. 
6. Work scenarios. Horizon scanning. Develop Plan B and Plan C in Case of a Long and Extended Outage. Operating from Multiple Delivery Centers and Channels. Identify SPOFs (single points of failure). Diversify: Don't put all eggs in the same basket. Alternate plans.
7. Develop Key-Strategic Partnerships. Establish effective relationships.
8. Reduce Costs of BCM by Adopting New Solutions for Continuity of Critical Operations. Rationalize resources.
9. Explore best practices in the industry. Steal like an artist.

Technology Resilience: How Much Should a BC Manager Know?

BCM Standards, the risk assessment involves the activities of:

1. Identification of risk.
2. Assessing its likelihood and impact.
3. Recommending mitigation measures 
4. Implementing risk controls. 

What is its technology capable of?

1. Basics of IT Network Connectivity, its Architecture, and Configuration
2. IT Systems and OT Systems
3. Cyber Security Risk
4. Cloud computing
5. Critical Security Controls

Implementing BCM in Oil, Gas, and Energy

Upstream 

The upstream segment of oil and gas production refers to the phase consisting of exploration comprising geological surveys and securing legal rights to explore and produce oil and gas through onshore or offshore drilling processes.

1. Single Point of Failures (SPOFs). Risk mitigation plans for upstream operations is a very costly option that negates the very initiative.
2. Cost of Maintenance & Predictive Maintenance. Maintaining spare equipment may not justify its utility.
3. Cost of Equipment and Spares. High cost of equipment.
4. Recovery Time Objective (RTO). Indefinite delay by factors beyond control of the operations personnel, i.e. repairs and maintenance.
5. Minimum Business Continuity Objective (MBCO). Practicing business continuity can be a challenge.
6. Availability of Skilled Staff. maintain appropriate levels of workforce to ensure support and conduct critical operations.

Critical factors listed from 1 to 9 make it an extremely unlikely case for implementing BCM.

Middle stream

Processing, storing, and distributing crude oil, natural gas, and other energy products. Planning logistics, transport of raw materials, infrastructure at the end point for processing, and storage.

Downstream

1. From post-production to the point of sale. It is the final step where processed products are ready to be used and consumed.
2. Multiple SPOFs in the Life Cycle. Strategy of risk treatment, tolerance, transfer, or termination – the four Ts of risk management.
3. Supply Chain Risk Management. Address the supply chain risk that can be triggered by a combination of factors.
4. Very Heavy Cost of Plan B. Heavy investment that may impact the financial viability of the project itself.
5. Complexity of End-to-End Operations Cycle. Onerous task of developing alternate strategies for the multiple points and possibilities for outage and disruption.
6. Diversity of Workforce. Difference of these factors should not result in any event or incident that may cause disruption in the operations of the company.
7. RTO. Not easily determined, and in certain types of events and outages.

• All streams in oil and gas operations, whether upstream, midstream, or downstream, are filled with risks and uncertainties that can jeopardize the core foundation of their respective organizations.
• Due to the risks and threats to oil and gas being very dynamic, oil and gas organizations must be pro-active in assessing any emerging risk or any developing situation that may snowball into a crisis.

Business Continuity in Hard Times

Minimum business continuity preparedness.

1. Crisis requires a quick management decision. 
2. Consider the worst-case scenario and plan accordingly. Wall of confidence.
3. Minimum business continuity will prepare the organization to have plans and strategies to deal with any crisis and emergency. Multiplier effect.
4. Organizations facing challenges and adopting minimum business continuity have better control of their limited options for conducting their operations. 
5. Early warning systems that trigger actions prior to an incident.

Hiring Business Continuity Manager

Does the prospect understand:

1. What is BCM in its true sense?
2. How is BCM related to other management information systems (MIS)?
3. What BCM inputs are required by management during a crisis, emergency, or disruption?
4. What is the correlation between incident management, emergency response, crisis management, business continuity management, IT disaster recovery, and media management? 

The HR team:

1. must have appropriate understanding of BCM and its life cycle.
2. must match the candidate’s skill and experience to the requirement of the enterprise.
3. should perform training need analysis (TNA) for assessing the BCM preparedness for the job.
4. must test regularly the staff having a role in the organization of BCM to ensure that enterprise interest is not compromised during a crisis or emergency.

Supply Chain Risk Management

 We only must run a bit faster than our competitors to be successful.

1. SCRM is synthesized with organization CM and BCM for its resilience.
2. Supply chain vulnerabilities must be analyzed, and mitigation plans should be developed in “peace time.”
3. Use technology as an enabler to deal with new emerging risks and threats. 

Management Involvement in BCM

1. The organization must have clearly documented BCM test and exercise plans, and its management must ensure conduct of the test/exercise as per calendar.
2. Quick flow of data and details of incidents to senior management for them to take the right decisions with minimum delay
3. Management must contribute their bit in planning, scheduling, and participation in testing of plans.
4. Management, guided by the financial numbers (definite impact of downtime/outage), must ensure the test covers mitigating the risks and threats.

 

My Impressions

Red Team rules applied:

• Rule 1: Always have an escape plan
• Rule 2: Never get caught.
• Rule 3: Be aware of your surroundings.
• Rule 4: Always have a backup plan.
• Rule 5: Assumption is the mother of all fuckups.
• Rule 6: Trust your gut.
• Rule 7: Simple and light equals freedom, agility and mobility.
• Rule 8: KISS: Keep it simple, stupid.
• Rule 9: The solution is in the problem.
• Rule 10: Don't become predictable.
• Rule 11: Never take the elevator.
• Rule 12: Act, don’t react.