Rising from the ashes: How to create, maintain business continuity plans

Tara Tobler, the associate director of business continuity at Sandhurst Consulting in Calgary, recently heard Banff’s deputy emergency manager say those words — and it really stuck with h

There are so many risks, both known and unknown, that it’s nearly impossible to plan for every scenario. For example, very few organizations brainstormed specifically for a global pandemic that would require them to shut down their workplaces and send everybody home for months on end, said Tobler.

But a good business continuity management (BCM) plan doesn’t plan for specific “black swan” events, she said.

“Instead, you build the structure, you build the capacity, so that no matter what happens, you know what to do,” said Tobler. “Your primary work location isn’t available. Who cares why — fire, flood, pandemic. Yeah, sure, now there’s the dragon flying overhead. From a business continuity perspective, it doesn’t matter.”

Where to start

The first step in building a new plan, or assessing an existing one, is to look across the entire organization, she said, ensuring that it touches upon every area.

“Some groups are going to have more time sensitive processes than others,” she said. “Payroll always comes up — even for the folks that have nothing to do with payroll. They always want to make sure, of course, that they’re going to get paid.”

Tobler starts by identifying all the critical processes that need to continue within a day.

“For corporate functions, that’s a pretty common time frame. For some, like health care, it’s going to be a shorter time frame,” she said.

That includes a run through of the applications and technology being used, the personnel involved, and where the work needs to be conducted from, said Tobler.

“You go department by department. Then, for critical processes — which payroll is always going to be one of them — you need a separate process,” she said.

Documentation then needs to be prepared, and tested, to ensure everything responds and reacts as expected.

Kareem Sadek, Toronto-based partner, advisory, emerging tech risk leader at KPMG in Canada, said the COVID-19 pandemic exposed some big issues in BCM and resiliency.

“A lot of people started looking at the lessons learned, coming out of the pandemic, and said, ‘Great. We survived. This is awesome and we did something right,’” he said. “But what is the outcome here?”

For him, it was a realization that the previous approach was too siloed, solely focusing on business continuity for various crises without a cohesive strategy. Different critical areas, such as disaster recovery, cyber resiliency, and pandemic planning are all interrelated, he said.

“How do you actually remove those silos and make sure that, if something does get triggered, how do you integrate and how do you activate the other plans?” said Sadek. “I think that’s the ‘aha’ moment. We have different things, it’s not a single owner or a throat to choke, per se, but it’s actually how they play together.”

Conducting stress tests

Sadek said it’s important to have maintenance plans for BCM to ensure any major organizational changes are taken into account — such as an acquisition or the implementation of new systems.

It’s also critical to conduct stress tests to ensure all plans are still effective and applicable, and there are a couple of ways to do this, he said. The first is a tabletop exercise where you sit down with the key stakeholders who are part of the communication plan.

“You put them all in a room and you sort of do a flip through your business continuity plan,” he said.

The second stage is creating scenarios and walking through them — such as a fire at specific facility or a cyber incident, he said. The end goal is to see how all the different elements and people respond, he said.

“Where did we pass? Where did we fail? And what do we need to improve on,” said Sadek.

Tobler said the Disaster Recovery Institute Canada recommends conducting tests at least annually. But if you’ve had a near miss, or a significant process or people change, it might be wise to do it more frequently.

There are a couple of tactics she has embraced for these scenarios. The first is a walkthrough, where you’re just reading the plan and ensuring it all makes sense and still applies.

“I don’t personally see a lot of value in that type,” said Tobler. She prefers to take it up a level to what she called a tabletop exercise.

“You put in situations, injects, and then you discuss,” she said. “You use your plan and/or your procedure documents and discuss how you are going to respond.”

Start small and then build familiarity and confidence with the plans and the people, and then you can take it simulation or functional exercise where people are doing the things called for in the BCM.

“If it says, ‘Okay, call the executive’ then you’re going to pick up the phone and make that call,” she said.

Outsourced payroll

Many organizations outsource the actual processing of payroll to third party companies, such as ADP or Dayforce.

“Basically what you’ve done is outsourced your risk,” she said. “No matter what happens in your organization, you say, ‘Okay, payroll. ADP — just hit pay.’”

If something catastrophic happens at the organization, and it can’t get updated payroll information to the provider, it can simply instruct them to rerun the last pay period.

“It’s not going to be 100 per cent accurate, but it will be close and we’ll make any adjustments that we need to do,” she said.

But no organization, regardless of size or resources, is infallible — even large organizations can experience outages.

“Rogers went down, right? The same with Microsoft,” she said. “They have way more protections than most other companies, but they still go down.”

Organizations need to understand not just their BCM plans, but also that of their partners and suppliers. Most companies will have documentation that outlines the plans they have in place and how often they conduct exercises.

The contract may state that the payroll provider can run payroll in 24 hours or 48 hours, no matter what, but it’s important to find out what happens if they can’t do it, she said.

“That’s number one, understanding your service level agreements, their business continuity plan,” said Tobler. “Number two is to walk through that scenario internally. If they can’t do payroll, think through a backup.”

For example, does it mean you have to go to the bank and issue physical cheques? Can you run your own EFT payments?

“You need to think through what happens if that critical third party isn’t available,” she said.

Enter some text...