What has COVID-19 taught us about business resilience?
A small business owner asked me for advice about crisis management and business resiliency. I avoid the word ‘crisis’ as it implies a sense of loss of control and that’s when we often don’t show up as the best versions of ourselves. Last week I wrote about the loss of control and what that leads to. There are lots of synonyms; crisis management, emergency management, business resilience, disaster recovery, but it all boils down to decision making with ambiguity.
In recent weeks there has been an increase in the number and types of controls that governments around the world are imposing on us for public safety. There have been different levels of impacts on different businesses, with nearly all businesses at all sizes affected in some way.
Some businesses were prepared, some were not, finding themselves hastily implementing business continuity plans on the fly. Much like an insurance policy, business continuity plans are policies that you don’t ever want to implement but are critical when you do need them. This is why it’s important to periodically review them, not just when we need them.
I have three principles to get started, which can be built on.
Continuously improve. For those of us who were unprepared and hastily deploying work from home arrangements, I would recommend that re-thinking and revising these plans when there is some breathing space. We often put in an 80% solution in time, rather than a 100% solution late in order to protect revenue, people or property. There are specialists who can help you do this. @Mike Bourton.
Plan on planning, not on every eventuality. You’ll be pleased to hear you don’t need a business resilience plan for every single event that could potentially cause your business to go into survival/protect mode. Fastidious planners such as the military know that you cannot have a plan for everything. They make plans for two things only – the most likely and the most dangerous. Every other eventuality is planned via the planning process that your business continuity plan enacts. I did some work with business resilience expert Mike Bourton some time ago for a very well-known organisation. The client previously had playbooks for a huge number of potential events, but when it was tested by a real-life scenario it failed. It was too thick to wade through at speed and it was too prescriptive; the scenario didn't fully align with reality, leaving leaders confused about what they should do. We left them with a master playbook, which in practical terms was a short guide on ‘how-to quickly plan for any eventuality.'
Practice makes permanent, not perfect. During business-as-usual it can be a good idea to rehearse your resilience plans, check your communications plans and connectivity. For businesses that don’t routinely have teams working from home, it might pay off to have team members to take turns to work from home, or even lose all connectivity for a half-day. This will identify key team members and also focus the mind on how you might mitigate the risk if they or you are unreachable for a period of time.
What to include in a business continuity plan? I always used to tell people that the content of a plan should be helpful information which people can easily use at 3am when there are two or more people on a phone call who do not have intimate knowledge of your business.
Introduction. The overall plan and the top-level priorities that are within it.
Glossary. This is very important to explain any area-specific terms or jargon in the event that someone who is unfamiliar with the whole of the business is running the recovery.
Key business risks. What are the most important, most likely, and most dangerous risks to the business?
Key business activities. What are the critical activities which must be restored in priority order for the business to survive?
Incident response team. Who are the ideal people that you need to convene to respond to an incident? Additionally, it could also include backup people.
Incident response plan. As this is not incident specific, it is more about how the incident response team will quickly analyse a situation, plan the specific response and then act. It might form questions such as how the response team is going to meet? How it will make decisions? What information will they need to make decisions? Who needs to be informed?
Contact list. Up to date contact details of the incident response team and business areas which are critical to forming a response plan.
Recovery plan. The priority of activities which need to occur to enable the business to return to business-as-usual.
Test schedule. When was the last time you tested your plan and when is the next time you are going to test it.
I’d be interested to hear your thoughts on these principles so please do comment, like and share the article below. If you would like to know more about resilience or are looking for some help, send me a message.