Foundations for recovery
In the event of an interruption to BAU (business as usual), the response plan is activated. The following foundational elements are critical to its success:
Communications: Communications are a critical component of a successful and rapid return to BAU. Customers, suppliers, shareholders, employees and the media tend to rely heavily on the communications from the company in the hours after a business interruption. The message and manner of delivery can determine the tone of media coverage and influence the actions of the company’s stakeholders. Enterprise response plans should identify a crisis management team (and back-up members who are able to step up if others are incapacitated) to lead the communications, with pre-determined spokespeople identified, properly trained and prepared.
Training: Preparing personnel to respond to a business interruption is critical. For large workforces this may involve online training sessions that can be scaled and made available over widely dispersed geographies. Key personnel benefit from face-to-face training with department heads in a live classroom environment. The benefit of early training is that different business units – such as finance, IT, HR and legal – can understand their roles and responsibilities during any interruption to BAU, and can swiftly shift gears to get the business back up and running as soon as possible.
Notification: Companies should be clear on who needs to be alerted to a business interruption, within what time period, and by whom. Ensure that any legislative and regulatory reporting requirements are clearly documented and that personnel understand their responsibilities and the process for notification. This may, for example, include notifying insurers, legal service providers and regulators. Personnel also need to be alert to any reporting deadlines – for example, notification of an eligible data breach to the Office of the Australian Information Commissioner generally needs to take place within 30 days [ii]; a company which needs to comply with the EU’s General Data Protection Regulation has 72 hours to notify the authorities.
Resilience: Effective business interruption response plans have resilience built in. Factors to consider include: are there second-tier suppliers who can step into the breach if the main supplier’s production is halted by a flood? Is there a disaster recovery facility to provide critical computing services in the event that a phishing attack takes place? Where resilience measures are documented in the advance plan, they can swiftly be activated when required.
Insurance: The first priority for the business is to minimise damage. Bringing in your insurance advisor at the earliest possible opportunity can help steer you toward a panel of experts that might be available under the insurance policy and provide early advice about what indemnity might be available under the policy.
Quantification: When an organisation suffers a loss of revenue – whether through a fire, a cyber event or any other business interruption – it needs to quantify the loss of revenue or profit. At this point it is important to work with a suitably qualified risk accountant to calculate the actual loss sustained in order to optimise the payout under the policy. The cost of hiring a qualified independent risk accountant can often be claimed from the insurer.
Review and repeat: We recommend that when a real-life situation occurs, you conduct a review and assess the business interruption plan – what worked, what didn’t. With that insight, you can repair and refine the plan, and continue to review and test the plan annually in order to be better prepared next time.
Assess insurance: In the event that a business interruption reveals gaps in the insurance cover, or if the business changes, it is imperative to review insurance policies to ensure they are fit for purpose.
[ii] https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response/