A well-governed and intelligently managed business will prepare for the day when everything falls apart. A pipe will break and flood an office; a bushfire will take out a warehouse; a hacker will infiltrate a computer network; an erupting volcano will ground flights, holding up an order and throwing an entire supply chain into disarray.
Resilience and redundancy are embedded into most businesses wherever possible. But complex, often international and interdependent supply chains can quickly grind to a halt if one link breaks, and few businesses will be able entirely to avoid some form of business interruption.
Enterprise leaders from around the world are alert to the risk of business interruption, and in Aon’s 2019 Global Risk Management Survey[i], those surveyed ranked ‘business interruption’ fourth out of a list of ten risks that worried them. In 2017 it ranked eighth.
Asia Pacific businesses are even more concerned; ‘business interruption’ ranks third, after ‘damage to reputation and brand’ in first place, and ‘rising competition’ in second[i].
Advance preparation, in the form of detailed risk registers that identify potential hazards, the probability of them occurring, and the quantum of impact they could have, forms the foundation for a response plan. The plan can be formulated, shared with key stakeholders, tested in advance, and made ready to swing into action when business as usual (BAU) suddenly halts.
Advance preparation also allows a business to maturely assess the transfer of risk: to determine what level of insurance cover is appropriate and affordable, and what support is available in the event of a business interruption.
In the current insurance environment, underwriters are asking about a business’s ability to respond to a non-BAU event and, in our experience, a number of insurers are providing strong recommendations that response plans be developed and tested. Where no business continuity plan or crisis management plan exists, that could affect pricing and/or the insurer’s willingness to underwrite the policy.
Foundations for recovery
In the event of an interruption to BAU the response plan is activated. There are foundational elements to its success:
Communications: Communications are a critical component of a successful and rapid return to BAU. Customers, suppliers, shareholders, employees and the media tend to rely heavily on the communications from the company in the hours after a business interruption. The message and manner of delivery can determine the tone of media coverage and influence the actions of the company’s stakeholders. Enterprise response plans should identify a crisis management team (and back-up members who are able to step up if others are incapacitated) to lead the communications, with pre-determined spokespeople identified, properly trained and prepared.
Training: Preparing personnel to respond to a business interruption is critical. For large workforces this may involve online training sessions that can be scaled and made available over widely dispersed geographies. Key personnel benefit from face-to-face training with department heads in a live classroom environment. The benefit of early training is that different business units – such as finance, IT, HR and legal – can understand their roles and responsibilities during any interruption to BAU, and can swiftly shift gears to get the business back up and running as soon as possible.
Notification: Companies should be clear on who needs to be alerted to a business interruption, within what time period, and by whom. Ensure that any legislative and regulatory reporting requirements are clearly documented and that personnel understand their responsibilities and the process for notification. This may, for example, include notifying insurers, legal service providers and regulators. Personnel also need to be alert to any reporting deadlines – for example, notification of an eligible data breach to the Office of the Australian Information Commissioner generally needs to take place within 30 days[ii]; a company which needs to comply with the EU’s General Data Protection Regulation has 72 hours to notify the authorities.
Resilience: Effective business interruption response plans have resilience built in. Factors to consider include: are there second-tier suppliers who can step into the breach if the main supplier’s production is halted by a flood? Is there a disaster recovery facility to provide critical computing services in the event that a phishing attack takes place? Where resilience measures are documented in the advance plan, they can swiftly be activated when required.
Insurance: The key imperative for business is to minimise damage; this needs to be the first priority. Bringing in your insurance advisor at the earliest possible opportunity can help steer you toward a panel of experts that might be available under the insurance policy and provide early advice about what indemnity might be available under the policy.
Quantification: When an organisation suffers loss of revenue, whether through a fire, a cyber event or any other business interruption, it needs to quantify any loss of revenue or profit. At this point it is important to work with a suitably qualified risk accountant to calculate the actual loss sustained in order to optimise the payout under the policy. The cost of hiring a qualified independent risk accountant can often be claimed from the insurer.
Review and repeat: We recommend that when a real-life situation occurs, you conduct a review and assess the business interruption plan – what worked, what didn’t. With that insight, you can repair and refine the plan, and continue to review and test the plan annually in order to be better prepared next time.
Assess insurance: In the event that a business interruption reveals gaps in the insurance cover, or if the business changes, it is imperative to review insurance policies to ensure they are fit for purpose.