Imagine having less than eight hours to move your most important files, equipment and other critical items out before the floodwaters hit your building. Now imagine your building is under water and you have to resume serving your customers. Does this sound like a nightmare? This exact scenario happened to GreatAmerica Leasing Corporation in Cedar Rapids, IA, during the epic 500-year flood that in the spring of 2008 plunged much of the Midwest under water.
GreatAmerica enhanced its disaster recovery plan following 9/11 and hired a full-time business continuity professional. At noon on June 11, 2008, the Executive Business Continuity Planning team met and activated the plan. By 10:00 p.m. that day, the move was completed just before power was shut off to the building. On June 12 at 9:00 a.m., GreatAmerica was operating with Incident Response Teams at the pre-arranged recovery site servicing clients. On June 13, the building had nine feet of water in it and GreatAmerica was not able to return to the building for 68 days.
Natural disaster was just one of the continuity scenarios the Business Continuity Planning team practiced. A robust Business Continuity Plan — and extraordinarily resilient employees — allowed GreatAmerica to continue operating and serving its customers with minimal interruption during the flood.
Many companies today have more pressing issues than putting a Business Resumption Plan (BRP) into place or to keeping their existing plan current. However, like all things managerial, companies cannot afford to ignore certain responsibilities they have to their employees, shareholders and other stakeholders. In fact, a current, well-developed BRP can be another bargaining chip when negotiating for funding facilities.
What is a BRP?
A Business Resumption Plan, also known as a Business Continuity Plan (BCP) or a Disaster Recovery plan (DR), is documented strategy used to help guide a company through an emergency to restore the company’s ability to operate, while minimizing impacts to employees, customers and other stakeholders. The BRP clearly defines duties, authorities and responsibilities of all staff.
A BRP is not just about computer back-ups or putting business interruption insurance in place. A robust plan goes a lot deeper and provides for as many possible situations as feasible without creating a document that no one will ever read or use.
What About Pandemics?
Most companies put BRPs in place in case there is a fire, a flood, a hurricane or some other natural disaster. The reality is that today a pandemic is actually more likely to sideline a company. The office might still be habitable, but the staff can be taken out in large numbers very quickly. Not many years ago Ontario, Canada experienced SARS, which had a profound effect on many companies and certain industries such as travel and hospitality. Today our threat is the H1N1 flu virus.
There are many things that companies can do to limit the impact of a pandemic, which are well documented in the media, but the point is that pandemic planning should form an important part of any business continuity planning.
Implementing a BRP?
As a simplified overview, there are a series of steps that need to be taken in order to develop a comprehensive BRP. This could be fully or partially outsourced, or it could be managed internally, providing your company has project management capabilities and the executive and management have had exposure to BRPs in the past. It is important to note though, that to establish a good BRP usually takes months and is nearly impossible for someone to project manage off the corner of their desk.
Figure 1 provides a visual overview of the steps involved. Each step is described in more detail below.
The first step is to determine who should be involved and how the plan should be designed. At the highest level is the Emergency Management Team (EMT), which typically consists of the executive or senior managers. The EMT, which should be a relatively small group, is charged with the responsibility of determining when to invoke the BRP, to what degree, and then to make the multitude of decisions based on the circumstances and the new information that is escalated to the EMT throughout the emergency.
The EMT then determines how the company will be divided into resumption teams. In most companies that will be by department, however some smaller departments could be merged together. In other cases, if the company has multiple business units, the logical split might be by business unit rather than by department. The EMT would select a team leader for each department or business unit and then decide on how much detail is required in the BRP. The amount of detail is very important, it must be refined enough to cover off all of the critical areas or functions that could cost the company either financial penalties or reputational damage.
Once the framework has been established in the design phase, the most time-consuming part of developing a BRP is identifying the critical criteria or job functions and then documenting them consistently. Each function such as receiving credit applications, adjudicating credit applications, paying vendors, preparing portfolio performance reports for funders, etc. must be captured and an ideal recovery objective time frame established for each task. Once these critical functions are validated by the EMT, this information would then be used by the EMT to determine the size of the backup recovery site and how many people would need to work from home. The team leaders must also think about which critical stakeholders should be contacted if the systems are going to be done for an extended period of time.
Team leaders should engage their staff throughout this phase to make sure that all critical functions are captured and that there is agreement from the front-line staff regarding which processes need to be resumed and in what order.
A best practice is to create BRP manuals specific to the team (department or business unit) and then create a master copy for the EMT that includes all team BRP manuals rolled up. The core of the BRP manuals would be the same across teams, however; the team BRP would have only information that is pertinent to that department or business unit in a well-organized, easy-to-use format. Appendices should be used for information that is unique to the various teams or that needs to be updated regularly, such as contact lists, as it is easier to update and manage.
Validation & Approval
The validation phase is where EMT is deeply involved to ensure consistency across the organization. A common problem when documenting the processes and determining the recovery timeframes is for some team leaders to believe that all processes are critical and must be brought back on line within two hours. In many cases, the proposed recovery timeframes are far more aggressive than the actual service delivery standards. This is where the EMT must ensure that the original BRP goals are satisfied and that the resumption resources are placed where the company is most vulnerable to those financial or reputational risks.
Once the various team BRP plans are reviewed and amendments negotiated and the manuals updated, the team leaders and the EMT should sign off on their approval and acceptance of the plan.
Communication & Training
The Business Resumption Plan project should not be a secret; it needs to be communicated across the organization right from the start and throughout the process. It is also a good idea to communicate with your customers (key vendors, brokers and other sales channels) as well as your funding sources that you have a documented, operational BRP.
Prior to participating in the testing of the BRP, the team leaders, alternate team leaders and the executive management team need to be trained on the manual and what their role will be in the case of an emergency. Once the mock disaster is tested and the BRP is amended to include feedback from the testing phase, the rest of the company needs to be provided with a less detailed overview of the BRP, how it will work, what their roles and responsibilities will be if it is enacted, and who, when and how to communicate in the event of a disaster.
Testing of Scenarios
The testing phase is critical as it provides the EMT and team leaders with an opportunity to operationalize the BRP, which to this point has only been theoretical. The common practice is to create one or two mock scenarios, and have everyone involved act as if it is a real emergency. It is important to follow the routine established in the BRP as closely as possible, using cell phones or text messaging for example, having the EMT in a separate room from the team leaders and determine where the gaps or problems are in the BRP. This test will provide each of the participants with a time to try out the plan, similar to fire drills in school, and also provides good intelligence back to the EMT for further modifications to the BRP, if necessary.
If at all possible, it is good to hold the test at the back-up site, which might be another office that is off-site or it could be a series of meeting rooms in a local hotel. Another good idea is to test the phone and computer systems from your staff’s homes if this is part of your BRP. As stated above, the BRP is only theory until it is put into practice. Problems with switching over phones, problems with computer speeds required for certain programs, firewall issues accessing the main network are all challenges that will quickly be identified when staff are asked to work from home for a day.
A mistake that many organizations make is to create a BRP and then to not practice. It is important to practice different scenarios regularly and to add in new possible threats. You can have fun with designing the practice sessions, but the dry run is anything but funny and must be taken seriously.
Maintenance of Plan
The final step in the process is to ensure the plan is continuously maintained. People move between departments, new people are added and others leave the company entirely. Accounting for all of your employees in the case of an emergency is paramount. Further, business processes change; some processes are refined while others might be added. An out-of-date BRP is obviously less effective when it is not regularly maintained.
The BRP should be scheduled for full review by team leaders and vetted by the EMT semi-annually and more often if there are significant shifts in the organization. Staff changes should be added, deleted or moved in real time. If your company has a Human Resources department, this can easily be part of its process, otherwise it could be added it to the list of responsibilities for the payroll administrator.
GreatAmerica did not get lucky; it had forethought and a well-developed Business Continuity Plan. It is difficult to say with certainty what would have happened if GreatAmerica had no plan in place, but what is certain, is that business would have been severely impacted and customers would have gone elsewhere, at least for a period of time, which could have devastated the sales and financial health of the company and the employees.
Business Continuity planning is an integral and important part of running any type of company. The process is not complicated, however it is time consuming and requires proper project management. It is a good idea to get outside help with the project design and management, unless your company possesses both the expertise and time required to create a robust and effective BRP.
Murray Derraugh is an associate with The Alta Group, a global consultancy for Equipment Leasing and Finance. Derraugh has several years of senior management experience running leasing and finance companies, has created business resumption plans, designed education and training programs for Canadian and U.S.-based lease and finance associations, and advised companies on areas of income optimization and expense reduction. The Alta Group provides in-depth insight and innovative approaches that enable companies to strengthen strategic processes.