Demystifying BCMS and making it clear, practicable, rehearsable

By Enrique Victor D. Pampolina, Risk Advisory Partner — Deloitte Philippines

During the start of the pandemic, one of the many challenges for companies in activating their business continuity plans was the confusion around which particular plan was to be activated. Companies institutionalize various plans, such as building emergency and evacuation plan, people continuity plans, or an earthquake response plan. But who had the foresight to prepare for a full-blown global pandemic? On the other end, there are also companies that have no business continuity plans at all, except for the minimum required fire/building evacuation plans.

Another challenge for businesses is the way their departmental units’ BCMS work in silos within the organization. An IT department, for example, may have an IT Disaster Recovery Plan, but one that doesn’t utilize a full-blown business impact analysis exercise of their operations, or a Building Administrator’s own Building Resiliency Plan that is not linked to an HR department’s People Continuity Plan. While having these plans is essential, it is also important that they are integrated and developed together as an enterprise-wide initiative.

What exactly are these plans and how do they interact with each other? What are the key components of a robust Business Continuity Management Systems, or BCMS, and how do we simplify them to be less confusing?

A BCMS is composed of the distinct plans of Emergency (or Incident) Response, Crisis Management, IT Disaster Recovery, and Business Continuity. While each plan is distinct, each one actually flows and interacts with the other plans when triggered or activated. It is also possible that an emergency or a crisis can be properly addressed without the benefit of activating the business continuity plans (BCP). BCPs are only activated when the emergency or crisis has resulted in an impacted or disrupted organization, such as when your building is inaccessible, or your equipment or technology are unusable.

IT Disaster Recovery (DR) Plan is, by far, the most well-understood and developed of the plans, at least by the IT practitioners within companies. Often, however, it is developed and prepared by the IT Department with less involvement from the business community or operating departments. IT DR development should be subsumed under the broader BCMS since the IT systems and applications that need to be recovered must fulfill the same business processes that are deemed most critical and essential by the organization during its Business Impact Analysis workshops.

For years, the bias was for companies to institute scenario-based business continuity plans, such as the popular Big One earthquake emergency plan, when in fact, asset-based business continuity planning is more flexible and practical. While scenarios may change, your most critical activities as a company, the ones that you need to recover immediately, remain the same regardless of what crisis or emergency is happening. This is why companies that prepared their BCPs in keeping with asset-based planning were quickest to adapt to the pandemic, recover their assets, and continue their mission-critical activities.

At Deloitte Philippines, we are a big proponent of the asset-based business continuity planning, emphasizing the need for companies to identify their most critical operations while recovering their assets, which we label as BETH3 or Building, Equipment, Technology, HR (or People/Employees), and 3rd Parties for ease of recall.

Critical operations can usually be continued by recovering any or all of these BETH3 components. But let me point out that one pitfall of inadequately prepared BCPs is not treating third-party contractors as integral to your operations the same way your organic BETH assets are, be it your third-party IT service provider or your security, housekeeping, or even catering services. As the saying goes, you are only as strong as your weakest link, so any weakness in your third parties will impact you if you don’t include them in the BCMS development. This is why it is important that you demand from your third parties the same rigor in developing their BCMS as you do with your own operating departments.

Even as we emphasize asset-based BCMS, companies can still complement their BCMS with scenario-specific playbooks. Playbooks are two- to three-pager quick guide emergency, crisis, and business continuity plans that are skewed towards addressing a defined scenario, e.g., Big One earthquake hitting the Metro, Black Swan climate disaster such as Yolanda hitting the Metro, or political unrest marked by bombings or rallies. Said playbook would include, among others, key contact numbers (internal and external), step-by-step action items, and meeting frequencies of crisis management, emergency response, and business continuity teams.

But more than completing a well-documented and written BCMS, it is the actual cascade of the plans within the organization that is most critical, because this will allow each member of the organization (from the Crisis Management Team Commander down to the most junior employee) to know their role and participation in the said plans.

As I always emphasize to companies, the journey of developing, writing, cascading, testing, continuously improving, and rehearsing your BCMS is the destination. It is an ongoing activity with no end. Companies that commit to this non-stop process of improving their BCMS instill in their teams the needed risk imagination and readiness mentality that are the end goals of an effective BCMS.

Spotlight is BusinessWorld’s sponsored section that allows advertisers to amplify their brand and connect with BusinessWorld’s audience by enabling them to publish their stories directly on the BusinessWorld Web site. For more information, send an email to online@bworldonline.com.

Join us on Viber to get more updates from BusinessWorld: https://bit.ly/3hv6bLA.