Many organisations have had to rethink their business continuity plans in the wake of the COVID-19 pandemic — if they had a plan to begin with. Cecilia Locati, FCMA, CGMA, the founder of consulting company Internal Control Toolbox, has worked with organisations of many types, and she shares where they fall on the spectrum between “no plan” and “world-class plan”. She describes the key traits of a strong plan, the human obstacles to such plans, and more in this episode.
What you’ll learn from this episode:
- What a business continuity plan should include.
- The obstacles companies face in carrying out a business continuity plan.
- The importance of being generic and specific at the same time in putting together a business continuity plan.
- How human biases sometimes get in the way of strong planning.
To comment on this podcast or to suggest an idea for another podcast, contact Neil Amato, an FM magazine senior editor, at Neil.Amato@aicpa-cima.com.
Neil Amato: Joining me on the podcast is Cecilia Locati. Cecilia, thank you for being here.
Cecilia Locati: Thank you very much for inviting me here, Neil. It’s a pleasure to be here with you today.
Amato: You’ve consulted with clients, large clients, smaller clients, private companies, listed companies. Where do they fall on the spectrum between no plan and world-class plan when it comes to business continuity?
Locati: Well, first of all, I would say that especially in small businesses, it’s extremely rare to find documented world-class business continuity plans, and even in big international listed companies it is not always the case. I would say that there are several steps in the journey from no plan to world-class plan and several levels of maturity.
Some companies seem to refuse to think that something could go wrong or badly wrong. They don’t even want to consider scenarios where they might lose part of their business or have their operations severely disrupted due to external events. Then there are companies that sometimes consider potential risks and events that could compromise business continuity and they plan for it, but in their own heads. So they think, “If this happens, then we can do this or that.” For example, “We will shuffle production” or “We expand to new markets” and so on, but the action plans which cater to different types of potential impacts on the company are not written down. I would say this is the case for the majority of small businesses.
The next level of awareness is where there are some written-down plans, but they only cover specific types of events. For example, the company has a specific plan in case of a cyberattack or servers going down, but it does not have a comprehensive business continuity plan for the entire business. The following level in terms of maturity is to have a comprehensive business continuity plan, but the plan was last updated ten years ago, possibly during the last financial crisis. And in my experience, this is a fairly common case for big companies.
Then we have companies which have the perfect plan; however, it has never been tested. It is really important to test the plan, because otherwise, when there needs to be action in a crisis with minimal margin for mistakes, there is a high chance that things are not going to work out according to the plan. For example, if management believes that they can manage an operational disruption in a plant by reshuffling production to other plants, this is something that needs to be tried to see exactly if that’s going to work out and what potential adjustments are needed to make it work.
Then finally the highest level of maturity is achieved by those companies which have a plan that is periodically updated and tested extensively to ensure that it is sound and can be implemented whenever that’s needed.
Amato: Great. So you’ve talked about some of the key components, I guess, you know, a plan that can be updated, a plan that is kind of ready for as much as it can be, but expand on that a little bit more. What are the key components of a strong business continuity plan?
Locati: The business continuity plan needs to cover several types of risks, both internal and external. Examples of external risks are hurricanes, fires, floods, pandemics, while examples of internal risks can be internal fraud or supply chain issues.
What is really important here is that the plan should be generic enough to cater for all these types of scenarios, but specific enough to be able to instruct on specific actions that need to be taken based on the type of impact that these scenarios have on the company. And when I talk about specific actions, I’m referring not only to describing the actions, but also specifying who needs to take those actions, who is going to be the team forming a task force to manage the crisis, who needs to be informed, and by whom and when.
It is also very important that any additional resource which might be required to manage the crisis is identified. For example, a temporary office or laptops for the personnel who don’t have one. The plan shall include specific details about the communication, such as who needs to communicate what to whom, and when and how; this needs to be identified. The communication should be planned both internally to the company, but also externally with customers and vendors and other stakeholders who might need to be informed.
Then, as previously mentioned, the action needs to be tested and consistently updated to ensure that the business continuity plan is actually ready to be implemented whenever the next crisis is going to hit.
And then finally employees and management should be informed that the plan exists, because otherwise they would not be able to act on it and know where they can find it in case of necessity.
Amato: How have events such as 9/11 or the financial crisis about 12 years ago changed the way that leading companies think about risk management and business continuity planning?
Locati: I think that every crisis takes by surprise a lot of people and indeed a lot of companies. Some are more ready, some are less ready, some can manage through the crisis, and some can’t. During the crisis, business continuity planning becomes the hot topic, and everyone is talking about that. After the crisis, some wise companies will update their business continuity plan or perhaps write it down based on the experience they just gained in managing the actual crisis. However, some others will just carry on trying to manage the post-crisis challenges and kind of forget about the fact that statistically worldwide crises are quite recurring.
Overall, over the last 20 years there has been increasing attention towards risk management and what could potentially go wrong. However, we as human beings tend to think that things could go wrong, but it will never happen to us, or things could go wrong but not now, or things could go wrong, but hopefully we will manage one way or another. It’s like thinking about our own death. A lot of us don’t think about it on a daily basis, and we live like we will never die, and yes, we are aware of the risks and dangers, but sometimes it’s just easier not to think about them and to hope for the best, instead of planning for the worst.
Amato: And we will get to some of those human nature obstacles in more detail in just a little bit. Are there things that companies maybe haven’t learned and maybe problems that were amplified by being caught off guard by the COVID-19 pandemic?
Locati: I think that the more companies think about risks in advance and manage risks on a daily basis, the more they’re going to be ready to face crisis events such as the COVID pandemic.
I’ll give you an example. Let’s assume that your company produces a product for which you need a very specific raw material and there are only a very few suppliers of such raw material in the world. And over the years the company has established a very good relationship with one of those suppliers, which is the preferred vendor and currently covers 100% of the sourcing requirements.
Now, if you have a good risk management programme, this would have been identified as a dependency risk on this preferred supplier. An alternative solution would have been [exploring] the risk of this preferred supplier not being able to supply your company with that specific material. Likely, the company would have identified alternative suppliers and tried to work with a few of them, so if there is an unexpected internal or external event these suppliers can be used as a backup for your primary vendor, so that the supplies are guaranteed and the company avoids stopping production.
Now if the company has never done that and there is a crisis, management will need to first identify which materials are sourced from a single supplier, then it needs to identify whether there are other suppliers for the same material, with the same quality and technical characteristics. Then they will need to get in touch with them, trying to get a sample to perform quality checks, and then finally, if all those steps are successful, the company might be able to use the raw material in their production.
As you can see, there is a lot of work in terms of risk management that can and should be done much earlier than during the crisis, which clearly is not the best moment to do all of this.
What some companies haven’t learned is that indeed it is almost impossible to predict certain events and especially to predict when they will happen and how they will happen. However, it is possible to take actions today to mitigate the impact of those events in the future and to be in the best position to manage risks when they crystallise.
Another example: if companies had thought that their employees would not be able to perform their tasks in their office, they could have taken key steps to provide all of them with laptops. They could have ensured that the information that the employees need to perform their duties can be accessed from a remote location and also that their IT systems were actually able to support a 100% remote workforce connected all at the same time.
And if you think about the scenarios that could lead to people not being able to come into offices, there are actually plenty, from a pandemic to a natural disaster, from contamination of the office with potentially toxic chemicals to office closure due to the discovery of an unsafe situation, from war to interruptions of public transportation, or perhaps the inability of the employees to run cars due to a fuel shortage. This is just to say that there are a lot of scenarios that can actually result in people not being able to come into the office, yet some companies were not able to support a 100% remote workforce working from home when COVID started.
So there is a lot of work on risk management that can be done in advance and can be both useful to manage risks faced daily by companies, as well as the black swan events.
Then on top of this daily risk management, companies need to think about a different range of crisis scenarios which are much more catastrophic and multiple risks which can crystallise all at the same time and can stress the company even further.
Amato: Obviously companies have a lot to think about, and right in the middle of that crisis is not the time, but what are some of the barriers for companies to having those strong plans?
Locati: I see three main barriers to having a strong business continuity plan. The first one is time and the second one is resources, and they really go hand-in-hand. Business continuity plans address future risks that are not perceived as immediate, as other types of tasks tend to be, and so they tend to be at the bottom of the priority list of anyone in the company. There are oftentimes other tasks which are perceived as more important and urgent. And, indeed, to put together strong business continuity plans, several people across all levels of the organisation need to be involved, so there is also the complexity of coordinating this effort. Overall, it is not an easy task to tackle, and it really requires a commitment of time and resources from the company.
Then the third barrier I can see is a complex one, and it has to do with human nature and our cognitive biases, which might push some executives to believe that the potential crisis will not affect their company or perhaps that the crisis is not likely to happen anytime soon, so there is no rush in committing time and resources to build these strong business continuity plans we are talking about.
Amato: Yeah, so you mentioned human nature just then and a little bit earlier. Is there more to say on kind of how those human obstacles delay putting plans in place?
Locati: There are several cognitive biases that come into play when planning for unexpected events. First of all, I would mention the optimism bias, and that’s a tendency to be overoptimistic and underestimating the probability of a negative event. So the optimism bias might lead us to think that bad things happen but not to us and not right now. This bias is quite common in business executives, because part of their role requires them to be able to look at future opportunities in an optimistic way and lead and inspire others.
Then there is the normalcy bias that comes into play as well. That is the refusal to plan for a disaster which has never happened before. This is a case which has been clearly illustrated by the COVID pandemic.
In 2008 the crisis was a financial one, and some people believed that about ten years later there would be another crisis of the same type. However, this time it was the turn of the pandemic, which is indeed having deep financial effects as well.
Then we have the illusion-of-control bias, which is the tendency to overestimate our degree of influence over external events, and the overconfidence bias, which is the excessive confidence in our own answers to questions, and both of them do not help when it comes to putting down a plan. They lead us to think that we will be able to control events to a much more extensive degree than what we will actually be able to do.
Also, the planning fallacy bias, which is the tendency to underestimate the time it takes to complete tasks, tends to come into play when it comes to testing business continuity plans. The list of actions that needs to be executed in order to manage the crisis might require more time to be implemented than was initially thought.
So let’s come back to the previous example of the dependency risk on one supplier. In this case, management could think that finding alternative suppliers, getting in touch with them, and doing quality checks on the product might take a certain amount of time, let’s say a few days. Well, actually it might take much more than that for a number of possible reasons, from failures in quality checks to the inability of the supplier to fulfil the quantity requested. So the planning fallacy bias might lead the company to underestimate the time that it would take to find alternative suppliers, and therefore management would not invest the time to find those suppliers in advance, because they think it’s going to be a quick job.
Finally, if you observe what happened with COVID, when the pandemic started in China, a lot of companies in the rest of the world were not worried and did not take any action because they didn’t think that the pandemic would have an impact on them. And even when the pandemic reached them, their reaction has not always been prompt. That’s the consequence of the so-called ostrich effect, which is the tendency to ignore an obvious negative situation.
Amato: You mentioned that the ostrich effect there. What is that for people who might not know the term?
Locati: That’s the tendency to try to ignore a situation which can potentially be negative. Well, actually it is negative, but we kind of try to hide ourselves and put our hands in front of our eyes and not look at what is in front of us because we don’t like what we see.
Amato: Now how can someone preparing a business continuity plan make it, and this is to paraphrase a phrase you used before, “specific enough to be actionable, but generic enough to be adapted to another crisis”?
Locati: Yes, let me go a little bit deeper on this. What I meant when I said that the business continuity plan should be specific but at the same time generic is that it is nearly impossible to predict every single possible scenario that could unfold and potentially compromise business continuity. But what management can do is to identify the impact and consequences of potentially disastrous events or scenarios.
With specific reference to the COVID crisis, I think there is no point in having a business continuity plan in case of a pandemic, because that’s going to be useful only if there is a pandemic again. It is much more helpful to have a plan which will enable the company to react not only to the pandemic scenario, but also to several other types of crisis.
For example, one of the impacts that COVID had on businesses was that offices and plants were shut down in certain locations, either because of government instructions or because of an outbreak of COVID within the office or the plant. In this case it would be more effective to focus on the risk of the office or plant being shut down and how this would impact the business, and most importantly, which actions should be taken in this case to manage the situation from a number of different perspectives, from operational continuity to communication plans.
For example, for an international company that has several plants in different locations which could potentially back up each other, management could design a plan to ensure that the other plants could absorb the operation of the plant which has been shut down. Also, there needs to be clear responsibilities regarding actions to be taken to manage such situations and communication plans to ensure that all people that need to be informed are communicated with.
So my advice in this case for the companies who do not have a business continuity plan or who need to update their existing plan would be to start thinking about possible scenarios and how those would impact the business. Then think about possible combinations of such scenarios. For example, multiple plants shutting down at the same time in several locations — or offices, same thing. Management can think about scenarios where a plant is shut down but employees can still access the premises and scenarios where the plant is destroyed together with documents, machinery, and everything else. In any case, management should plan on how to ensure business continuity for all these cases.
So to sum it up, in order to build a strong business continuity plan, management should really think about every possible combination of things going wrong and then identify a specific set of actions which would be able to address the majority of the impacts caused by those triggering events. And in this context, I find that the Pareto rule can help to quickly identify and prioritise those impacts.
Amato: How regularly should a business continuity plan be updated?
Locati: Well, this really depends on how fast the business is changing. In a fast-paced company or a startup, it is more likely the processes are often redesigned to adapt to changing business requirements. In this case the business continuity plan should be reviewed more frequently than in other companies where there are rarely changes in personnel, processes, or reporting lines. So it really depends on the type of company. However, I would say that it should be reviewed at least once per year, if no significant changes to the business processes have been made during the year.
Amato: It seems that at some organisations, risk management and strategy operate in silos. They are separate. They are not integrated. How can organisations better integrate strategy and risk management and why is there value in that?
Locati: Neil, I’m glad you asked this question because it’s such a critical point. Risk management and strategy really need to go hand-in-hand. To be honest, every executive I’ve met does risk management in their daily job, and not only the executives. Everyone in the company does risk management to a certain extent, even if not all of them would call it “risk management”. Indeed, diligent CFOs are concerned about foreign exchange risks or about market volatility and the impact on the company. Diligent plant managers are concerned with the risk of one of the machines breaking down or the risk of a fire in a plant.
What risk management brings is a comprehensive and consistent view over all the different types of risks that the company might face in pursuing its strategy. The risk management function should aim to support executives in thinking through all the possible risks they might face in pursuing the company strategy, from compliance to operational to financial risks.
In addition, risk management should also help in identifying the risk appetite and translating it into operational decisions. For example, what does it mean for a company to say that they are risk-averse when it comes to health and safety, as opposed to being flexible toward the same type of risk?
A company which is risk-averse will be willing to commit many more resources and allocate more budget to build a working environment which meets the highest health and safety standards. A company which is flexible towards that risk might be willing to take on more risk in the health and safety area to pursue its objective and might want to invest less time and resources in trying to minimise health and safety accidents. There is no right or wrong; it’s just the result of a specific choice.
As you can see from this example, decisions around risk appetite are strictly interlinked with the company strategy chosen. And even before choosing a specific strategy, risk management can help executives to evaluate whether each one of the possible suggested strategies aligns with the mission, the values of the company, and the risk appetite. The enterprise risk management framework by COSO — here I’m referring to the 2017 updated version — has highlighted this very well and especially the interconnection between risk management and strategy.
Amato: Cecilia, you’ve given organisations some good advice, a lot of things to think about. Is there anything you’d like to add on this topic in closing?
Locati: I would just reiterate the message that crises happen regularly. And even though they cannot be predicted in terms of timing and detail on how they will unfold, we are certain that we will face another crisis again. And because of that, it is vital that companies that want to be ready and resilient during the next crisis think about how to manage risks on a daily basis and implement a solid risk management process together with a strong business continuity plan.
Amato: Cecilia, thank you very much.
Locati: It’s been a pleasure.