By Jennifer Goetz
From the April 2024 Issue
All organizations evaluate business risks and are increasing facing new and sophisticated challenges, from pandemics to workplace violence incidents. Risk management is one thing, but business continuity planning is another. Some companies may look at creating a business continuity plan like filling in a template — what are some of the major business risks, and what do we now have to update about these risk factors year-to-year? Now with the power of generative AI, facilities can even ask AI to write up a business continuity plan.
A business continuity plan is a framework for organizations to guide organizations away from risky scenarios, while detailing steps to take should one of those scenarios come to pass.
Essentially, a business continuity plan is a framework for organizations to guide organizations away from risky scenarios, while detailing steps to take should one of those scenarios come to pass. Preparing for the likelihood of black swan events from taking place may seem time-consuming, but it is critical to ensure there is something to fall back on should a high-stakes crisis arrive at your doorstep. This plan should reflect the business, its leadership, the personnel directly involved in the plan, and the BC expert or staff member who’s meant to guide the process.
Potential Threats To Business Operations
For facility executives and managers, many potential business interruptions can arise, from supply chain disruptions, power outages, cyberattacks, workplace violence, product contamination, severe weather incidents, and lawsuits, among other crises. Depending on your industry, it’s critical to consider what crisis would pose the most significant threat to your business. What are some of the major repercussions of an event where your organization is at fault?
Business continuity plans should answer a wide range of questions that address what organizations would do in various crisis scenarios. Most facility executives realize that black swan events — ones that seem almost impossible — do happen. These plans will also go in-depth about some of the long-term aftershocks a business can experience after an incident, from reputational damage to a financial strain.
In case of a fire or active shooter, an immediate response is needed. In some cases, more proactive planning can be done ahead of an incident, such as a hurricane that’s projected to be headed toward your facility. Something like a cyberattack is also something all organizations should expect. According to the U.S. Chamber of Commerce survey about small businesses and their biggest concerns, these organizations are most concerned about the impact of a cyberattack, followed by supply chain disruptions and the potential for another pandemic. Cyberattacks in all forms have impacted every industry, from hospitality to healthcare.
The Planning Process
Now, facility executives can work alongside crisis and emergency managers to address some of these questions and provide feedback. Leaders and operators are often responsible for carrying out critical roles during crisis situations, and should be involved in the planning process.
“Facilities has a pivotal role in the realm of operational resilience; a role that persists throughout the entire risk and recovery lifecycle,” says Mark Carroll, an adjunct faculty member with Boston University who has over 35 years of experience in Business Continuity, Risk Management, and Information Technology in a variety of diverse environments and disciplines.
“Well before recovery plans are developed, facility risks are assessed and addressed via controls and insurance both to reduce and transfer the identified risks,” he continues. “For example, a facility that resides in a flood zone is at risk of both the flood itself and, given the high risk, the inability to secure insurance at a reasonable price. While facilities can’t stop a flood from surfacing, they can reduce the impact of a flood via water dams, drainage channeling, etc. for the purpose of obtaining insurance at a reasonable price and reducing the need for that insurance in the first place via preventative controls.”
While facilities can make these proactive efforts to alleviate risks, a recovery plan is still needed. “Having shaped all key facility risks via controls, insurance, avoidance, etc. the recovery aspects are much more manageable and able to be captured in BC and DR plans,” says Carroll. “Those plans themselves are highly dependent on facilities in a multitude of areas that will vary based on the recovery needed.
“Facilities will be at the center of managing redundant power, contracting for abatement services, ensuring compensating controls for door locks, relocating machinery and personnel, and a host of other situation-specific requirements.”
Crisis Leadership
Learn more about business continuity, enterprise risk management, disaster recovery, and more using these online resources.
- Continuity Insights
- Business Continuity Institute (BCI)
- DRI International
- National Fire Protection Association
- Security Industry Association
For these and other online resources, visit Continuity Insights.
Alongside the business continuity plan, the crisis communications plan also needs to be established. Facility executives have to step up in times of crisis, and oftentimes managing a crisis when you don’t have all the information available.
“How good is your crisis communication plan?” says Bo Mitchell, President of 911 Consulting. He says that often the media wants to see an executive, like the CEO, answering questions from the public in the wake of a crisis. Facility executives need to be able to communicate with the public and provide a narrative, before it spins out of control from speculation. There needs to be answers provided, even if there is little information available.
There is a level of preparation that can be done — considering multiple scenarios, conducting training, organize audits, to name a few — to prepare for this scenario.
Putting It Into Action
As important as having a business continuity plan is, it’s just as critical to ensure that this plan leads to action–with training, exercises, and audits–among other methods to test the plan’s efficiency, and adjust accordingly. Executives should undergo crisis simulations to see how well they could perform under pressure. Staff should be tested to identify phishing emails. Everyone needs to come away with lessons learned in these scenarios. With facilities teams involved in addressing these questions, they’ll be more prepared to react to surprises.
“With facilities on the front end of the risk planning, the back end of recovery becomes much more manageable and a much easier facilities engagement as the organization is already heavily vested in initial resilience planning,” says Carroll.
Goetz is the Editorial Director of Facility Executive and Continuity Insights.
Do you have a comment? Share your thoughts in the Comments section below, or send an e-mail to the Editor at jen@groupc.com.