As defined by the online encyclopedia Britannica, an island is “any area of land smaller than a continent and entirely surrounded by water.” When you live on an island, most of your life is constrained within the geographical boundaries of the territory, which includes the inherent circumstance of being surrounded by water. Your day-to-day activities depend on a large amount of products that are transported via cargo ships; for example oil, food, electrical appliances, machinery and equipment, vehicles, and plastics. Mobilizing people in an emergency evacuation is a feat that clearly takes more than a car and a full trunk. The likelihood of short- and medium-term disruptions on communications, technology, and other essential infrastructure is higher than in larger landmasses. Disruptions to this supply chain are devastating to most businesses and the people depending on them, both as owners or consumers.
I visited the island of Puerto Rico, 18 months after Hurricane Maria made landfall on Sept. 20, 2017. According to a report published by the National Oceanic and Atmospheric Administration (NOAA), this hurricane was classified as a catastrophic high-end Category 4 hurricane with winds of 155 MPH and dumping a massive 38 inches of rain at some locations. The Federal Emergency Management Administration (FEMA) reported that Maria severely impacted more than 166,000 homes, knocking out 95 percent of cellular sites. Water systems were inoperable, and 100 percent of the population was left without electricity after Puerto Rico’s entire electrical grid failed. Economic activity was brought to a halt for days, and both the private and public sectors reported losses of $43.1 billion, with the manufacturing and agriculture the most impacted sectors, according to a study published by the Puerto Rico Planning Board. Virtually everything in its path was decimated, including the lives of the survivors who dealt with suicidal thoughts and are now facing post-traumatic stress disorder (PTSD), as noted and documented by César A. Alfonso, MD of the Psychiatric Times Journal. Puerto Ricans on and off the island are affected forever. Even a year and a half after the hurricane struck, Maria is still a subject brought up in every interaction, as lives are lived in a new normal.
This article is not about Hurricane Maria or Puerto Rico. This article is about you and your organization being resilient.
Whenever you analyze the potential impact of a disruption to your organization, design your recovery strategies, and document your business continuity plans, best practices published by most governing bodies and organizations recommend considering a “worst-case scenario” event. This is great for planning purposes until the scenario you planned for is worse than the event happening. You can give it any name: hurricane, cyber event, power failure, anything. There is the possibility something may be lacking in your scenario, which is theoretically acceptable up until the crucial “point of no return.” Then you lose the ability to recover within the established organizational recovery parameters, also known as recovery time objective (RTO) and recovery point objective (RPO), among other service and operational levels.
As a business continuity practitioner, you must keep in mind the “core four elements” of business continuity planning: people, place, process, and technology. These elements – depicted on Figure 2 – are interrelated and one cannot efficiently operate without the other. For example, your people need technology in order to conduct a process from a place, among other variations of this epithet.
Depending on the organization, senior management will have a genuine concern for each one of these “core four elements” and will provide you with the resources you need – both financial and operational – to support a holistic business continuity program. However, if the organization has different priorities, strategizing for one of these elements and including it in your planning scope may result in it being rescheduled for “next quarter” or even unintentionally disregarded. Similarly, designing recovery strategies for these elements is frequently performed in silos: we document plans in silos, we validate them through formal or informal exercises and tests in silos; without considering the evident interdependencies of each other. These elements are not silos – they are not islands – they are part of your organization and need to be taken into consideration when planning for a “worst-case scenario” event.
Let’s examine each element individually at a high level to help better illustrate my point.
Process. Your processes and activities are the soul of your business. Some support the delivery of your products and services (support processes) while others help accomplish your organization’s goals (core processes). Knowing your business processes and activities, including your inputs and outputs, is vital for a timely recovery. You must analyze the processes and activities performed by your organization to better understand any probable impacts over time. This type of assessment is frequently accomplished by the business impact analysis (BIA). Documenting a high-level process map or SIPOC (suppliers, inputs, process, outputs, customers) diagram is a valuable tool as well, since it visually summarizes the upstream and downstream dependencies of a process. The goal is to establish priorities for resuming these activities and define realistic recovery parameters based upon quantitative (i.e., financial) and qualitative (i.e., operational) measurements. This analysis must also take into consideration any dependencies with internal (i.e., data, technology, people, places) and external (i.e., third and fourth parties, customers, regulators, investors) factors – this is critical and unfortunately many times goes overlooked.
Technology. Most business processes and activities are supported by information and communication technology systems such as applications, data, electronic records and files, cloud networks, telecom, and infrastructure. Since technology is a core element, you must consider the business needs and recovery priority for each activity as established by the BIA, as well as the point in time to which data is recovered. Avoid designing and implementing a single high availability recovery strategy for all technology components and applications. Without a doubt, these advanced recovery strategies significantly reduce recovery times; however, not every process or application requires a top-of-the-line approach. These types of approach usually involve substantial financial investments and highly skilled resources which mean more money. Nowadays many applications depend on a plethora of up and down stream systems and data, and many of them have conflicting recovery strategies. Even though your application may have a recovery strategy that takes two hours to recover, that does not mean it will be functional, consideration must also be taken into account for dependencies. Designing a manual workaround in the event technology components are not available is sometimes sufficient to achieve the purpose of the business activity – remember: we are operating at a lower capacity.
Place. With the convenience and availability of lightning-fast Internet connections, almost everyone is able to perform their daily functions from a variety of alternate places. We can work from home, from another office, from a third-party location, or even from a coffee shop. This pseudo freedom and lack of physical restrictions, however, bring other challenges. You need to consider things like security and access controls, additional utilities, equipment, and temporary logical access to information and communication technology systems, unless you have a fully dedicated alternate place. On the other hand, folks in the retail or manufacturing sectors have an even more challenging experience when taking their products and operations elsewhere. Individuals working in these sectors may want to consider implementing some sort of redundancy or investing in secondary facilities and additional vital equipment (for example, a mobile structure or spare machinery that can replace your damaged property). This must include complying with any regulatory organization and relevant license or authorizations. Also remember to inform your customers, providers, and even the postal service of the temporary change in physical address.
People. Richard Branson, founder of the Virgin Group, once said, “A company’s employees are its greatest asset.” That is certainly true when we talk about recovering a business after a disruption. Your employees are the ones who will carry out your processes, utilize your technology, and ensure your place is in the best possible shape to continue operations. The people element is also very fragile and difficult to replace. There is the possibility of losing them if they find another job opportunity, if there is a major natural event or a health crisis affecting them or their families, or if they hit the lottery and decide to go off the grid. They have the knowledge to make your business succeed or fail, and as such it is your leadership and your responsibility to help prepare them on how to perform the business activities even if the other three elements are not necessarily available. Some strategies to help you avoid losing this core element are investing in training and awareness campaigns, departmental cross training events, and establishing relationships with a third-party to provide temporary staff.
Now that we’ve discussed the “core four elements” on their own, let’s bring them together. Because these core elements are not silos, a disruption affecting one element may have an impact on another one. Remember my opening story about Hurricane Maria? This is exactly what happened in Puerto Rico: a multiple loss scenario where a single widespread event affected all four core elements. This disruption impacted the island’s technology infrastructure leaving it inoperable after the longest and largest blackout in American history. Many places were severely damaged or completely destroyed, people lost their houses or even their lives, and others left the island. Business processes and organizations were put on halt for days, even weeks. What is worse is the recovery process from Hurricane Maria is not over yet. It may even continue for years. All the while, Puerto Rico faces the threat of hurricanes and severe weather every year.
Would you recover from that? It may be difficult to do so, but it may be a little easier if you: (1) establish a business continuity framework considering multiple scenarios; (2) implement policy and procedures to ensure standard execution across your organization and all-inclusive planning is performed; (3) review your program’s performance by conducting comprehensive exercises considering two or more core elements, and (4) improve your plans and program by applying lessons learned. At the same time, you will be maturing your business continuity program and moving away from the organizational island.
Hiram Barbosa, MBA, MBCI, CBCP, is a business continuity and risk management professional who leads organizations to identify, assess, prepare, and respond to risks that may impact their ability to continue operations. He has developed, implemented, and overseen the compliance of policies, frameworks, and procedures to ensure the continuity of operations and protection of information for organizations within the healthcare, insurance, technology, and financial services industries. Barbosa obtained an MBA in operational management and completed the crisis management and business continuity professional education short program from MIT.