The importance of implementing a BCMS based on ISO 22301 in order to ensure the continuity of business operations
1. Introduction
The COVID-19 Pandemic has changed the global business environment. As measures to manage the pandemic were implemented around the globe, we were on the receiving end of the various lockdown regulations and watched businesses that had to make hard decisions regarding cash flow, the retrenchment of staff, the placing of people on furlough and, in severe circumstances, the closing down of businesses.
Some of the biggest and best-known brands could not survive 30 days without functional and lucrative revenue streams. Most airlines globally asked their governments for financial support, with most of their revenue-earning assets stranded on the tarmac at airfields across the globe. This one industry has such a big knock-on effect on its stakeholders, and in some cases shareholders, that the industry is in Business Rescue.
Some companies that have been in existence for 50+ years could not make the 30 day mark and filed for liquidation at the beginning of the global lockdown.
Then we have the industry regulators. Regulators are the government's watchdogs, providing assurance regarding the state of an industry, or of the various industries in a state. Furthermore, the regulators depend on the industry to generate their revenue streams. Looking at aviation, the various Aviation Authorities are primarily dependent on passenger safety charges. With no international and domestic flights, there are no passengers and therefore no safety charges can be levied.
In some cases, the COVID-19 Pandemic has brought about dramatic changes in business behaviour and decisions. Where most businesses provided office space, infrastructure, etc., at huge cost, with landlords holding 10-20 year leases, COVID-19 turned this industry on its head. Do we really need a central office that everyone drives to every day, where everyone sits in traffic for hours on end, where everyone struggles with work-life balance and where people are constantly tired, not because of work, but because of travelling? And then there is the impact on the environment, where fuel-guzzling transport is used and all these gases affect our global health: the health of the earth and the oxygen we breathe.
In this article I will address the pre, during, re-opening and post COVID-19 BCM strategies.
2. BCM pre COVID-19
Pre-COVID-19, BCM focused on anything that could disrupt or interrupt a company's products and services. The immediate focus and objectives of BCM were mostly safety related and possibly Force Majeure (Acts of God, such as floods, etc.).
I have been conducting various BCM Strategies with companies and have conducted Business Impact Analysis (BIA) and Scenario Testing with companies over the years, within diverse industries such as Medical Schemes, Road Tolling services, Regulators, Construction projects, Mines, Policing Agencies, Banks, Operators of rail systems, etc. During all of these Strategies, BIAs and Scenario Tests, a Pandemic was addressed as a risk, but assessed to be a legacy risk over years.
The latest Board risk assessment was conducted at the end of January 2020 with a Regulator, when COVID-19 had already started to spread, and still at this time the Pandemic Scenario was assessed as insignificant.
2.1. Dependency and Interdependency
Stakeholders, vendors, contractors and subcontractors are part of the reliability, viability and financial health of many companies. Businesses must conduct a vendor and stakeholder analysis to identify the Dependencies and Interdependencies of their supply chain universe. This universe can also be called the Business Eco System (BES).
This BES can only operate when every part of it performs its critical function, so that the next part can seamlessly take over and push the process forward to deliver products and services:
• within the specific time frames,
• against the specified quality standards,
• within the costs and
• with an effective value chain to deliver when and where needed.
The critical mass of the BES is when everything works in support of the other.
With the COVID-19 Pandemic and the uncertainty it created and still creates, the BES was hugely affected and damaged. In a pandemic, the first objective is for a company to survive. Thus all the critical processes, critical systems, critical vendors, critical contractors and critical subcontractors need to be identified, and agreements must be put in place so that these products and services continue to be delivered.
The flip side of this is that everything that is not critical is moved to the back of the line for payment, services are stopped temporarily and negotiations are conducted for payments to be deferred, if this can be done.
All of the above has a huge impact on the relationship between the entity and their vendors, subcontractors and Stakeholders.
2.2. Business Impact Analysis (BIA)
A Business Impact Analysis (hereinafter BIA) is a critical process to determine and take stock of the following:
• what resources do you have in your total service and product delivery?
• what is the particular and specific need for each of these resources, measured against a set criterion?
• where do you have Single Points of Failure (SPF)?
• what is the Recovery Time Objective (RTO) of each service?
• what is the Recovery Point Objective (RPO) for each critical service?
• what is the Maximum Data Loss (MDL) acceptable within the legal universe the company operates within?
• what is the Minimum Business Continuity Objective (MBCO)?
• what is the Maximum Acceptable Outage (MAO)? and
• what is the Maximum Tolerable Period of Disruption (MTPoD or MTPD)?
All of the above is easy to determine and to allocate a timeframe to each.
But not in a pandemic. We have seen many pandemics over the years, from SARS (2003), Swine Flu (2009), MERS (2012) and West Africa Ebola (2014) to the Zika Virus (2015). And now we are living through the deadliest virus since the Spanish Flu (1918), called COVID-19.
With more than 9 million people infected and close to 500 000 people killed by the virus, we need to revise the BIA as it was into a more robust analysis that incorporates a Pandemic and what needs to be done. Globally, all of us have first-hand experience of what is needed and what can be done during this devastating pandemic. These steps and actions need to be documented and incorporated into the various strategies decided upon.
2.3. BCM Strategies
In the pre COVID-19 BCM process, most of the companies I have dealt with were focusing on evacuations, possibly a person getting sick at work who needs to be evacuated and how you deal with this situation, a possible shooter on the premises, hostage taking, and then incidents which could impact your systems environment, such as floods, fires, etc. The last of these would invoke the Disaster Recovery Plan (DRP).
The various strategies are graphically displayed in the diagram below.
But within a pandemic, all of these strategies are questionable. The focus has been on a DR site, which on this diagram could be Strategy 6 and 9. But in a pandemic, these sites operate under the same threats as you do, and they actually create more vulnerabilities for your company.
So the only Strategy that is actually working in COVID-19 is social distancing, thus Strategy 7, Working from Home (WFH).
This is where the challenge starts and the questions regarding the BIA expand:
• do you have enough laptop computers for all your staff?
• do you have all the programs you are working on installed and updated on this large number of laptops?
• do you have everyone on a Virtual Private Network (VPN)?
• do your employees have the resources at their homes to actually operate seamlessly from home, such as uncapped internet and fast speeds (10-20 Mbps), and can your centralised infrastructure handle the extra capacity?
This is where the BIA and the strategies listed evaporate.
3. During COVID-19
When the World Health Organisation (WHO) declared COVID-19 a Global Pandemic in March 2020, the world changed.
China closed, Italy closed, Spain, France, and I can go on, closed. And by closed I mean going into a hard, deliberate and intentional lockdown of everything and every moving part of all the businesses.
And the question stands: how well prepared were Governments, Corporates, Businesses, Hospitals, etc., to deal with the pandemic?
On a Government Level the following happened:
• denial, this could not happen to us syndrome
• poor leadership and decision making
• poor communication and keeping people and everyone informed
• poor availability of scientific information to drive decision making
• poor advice to the population regarding preventative measures
• the lack of accountability and the blaming of others
• the lack of strategic resources to manage this pandemic and
• the failure, prior to the pandemic, to have diversified supply chain procurement strategies.
All of these impacted gravely on every part of the population and on the economy thereafter.
3.1. Risk Bearing Capacity (RBC)
During every BIA, one needs to look at the Risk Bearing Capacity (RBC). This is a specialised field of determining the resilience of a company.
RBC is not a term used frequently in BCM. It comes from Risk Management, where RBC means:
Risk bearing ability is directly related to financial measures such as liquidity, solvency, profitability, repayment capacity and financial efficiency.
The question is, how much provision has been made for 3 to 6 months, and in COVID-19, possibly longer, pertaining to:
• finances to pay for personnel, to pay for resources, to pay for systems, technology, etc;
• what are the resilience factors you have built into your equations pertaining to all of the above?
RBC is a critical process to follow and to be incorporated into the BCM and ERM processes. The RBC calculation is not a simple one, as one needs to be looking at:
• stock levels to produce the critical products and services
• within the stock levels, what are the critical spares one needs to be looking at
• within these critical spares levels, what are the changes which would affect the delivery of these critical spares, such as transport (rail, road, marine, aviation, etc.)
• the lead time analysis per critical spares item and what the critical ordering levels are.
All of these need to be revised, and all of these have a financial and solvency impact on the business.
3.2. 90 days to bankruptcy
Without a proper RBC in place, every company and individual has a window of 90 days before they start to be in distress. Because of the uncertainty of the pandemic, nobody knows how long it would take to get the pandemic under control, how long it will take to restart the local economies and nobody knows when the global economy would open up.
All of this comes with changes in the external environment over which you, as a business owner, corporate CEO or President of a Country, have no control.
We could see the distress of global communities on day 30, day 60 and day 90. Workers are getting retrenched, companies are filing for liquidation and critical resources are becoming scarce and expensive.
Resources are getting less and less and governments are starting to be more and more dependent on philanthropic donations and cash injections to stimulate the critical services and products of countries.
None of this was prepared for in the BIA, nor in the BCM strategies.
3.3. Business Resilience Changes
I love this word, Resilience. It means the ability of an organization to absorb and adapt in a changing environment (ISO 22316:2017: 3.4).
COVID-19 has given the global economy the chance to reset and to determine how to do business to survive, not only during COVID-19, but by rethinking business strategies.
We have to look at the biggest winners of the past 90 days to see where the world is heading.
Biggest winners:
• everything online (food, clothes, etc)
• everything digital which can enhance the business (Cloud services, digital platforms to enhance business without having personal contact, etc.)
All of the above comes with risk. Every time you go online, you open yourself up to the chance that your identity or your Personally Identifiable Information (PII) could be accessed. You submit many kinds of PII during this process, such as your name, bank details, address, etc., and all of these open the gap for identity theft.
Cloud services have been coming for a long time, and they are here to stay. Most of us are working on OneDrive, Dropbox, Google Drive and many other systems. So the question is, where are the rest of the companies? Are they still loyal to, and stuck with, their own hardware while people WFH?
These are the questions asked during the BCM, RBC and RBC-BIA based BCM analysis. With fewer people working from traditional offices, would this still be the best approach? Most companies, whether they know it or not, are using hybrid systems.
Coming back to Resilience. How will your company change to be resilient and who will drive this?
3.4. Leadership
Leadership and Tone at the Top during these challenging times is critical. Some leaders can instil calmness, direction, strategy and a new vision for everyone to follow. Other leaders can do just the opposite.
This is the time for leaders on all levels of the organisation to stand up and demonstrate their leadership qualities. This is the time for new and innovative thinkers and for leaders to be open minded to see the new future.
Leaders will ensure the resilience of the company, and leaders will also be the cause of the crippling effect on companies.
Now is the time to stand up and be counted.
4. Post COVID-19: Opening of Economies
This is the current challenge the world is facing: how to open the economies in the midst of a pandemic, with no cure present. How do global leaders make this decision and make provision for the pandemic to get another grip on everyone, from the vulnerable to the healthy?
4.1. Start-up funding
Funding is a critical factor in restarting the economy, whether it is aviation, mines, banking, restaurants, etc. In every sector you need funding. And if this funding has been used to survive the 90 days, then you are sitting with huge challenges.
One needs funds to restart, and if there were no revenue streams for 90 days and longer, this is back to our RBC & Risk, RBC & BCM and RBC & BIA.
The challenge is, are you conducting business as you did pre-COVID-19, or did you rethink your strategies?
5. Conclusion
What is the importance of this article? During COVID-19, we have seen many of our customers transmitting their help signal on how to lead, how to manage this pandemic and how to fund their businesses. This was at the initial start of the pandemic.
The longer the pandemic persisted and the longer economies were closed down, the more the tone of these businesses changed: from managing the pandemic to the point of business rescue, retrenchments, closing down business units, etc.
In conclusion to this article, the following are recommended:
• if you have not yet adopted ISO 22301 as your Business Continuity Resilience Partner, do it immediately. There are huge benefits in this approach, and a bigger financial one if you can prove to your clients that you are BCM ready and Resilient;
• revise your BCM strategies, not only from a survival point of view, but with innovative and creative thinking driving your BCM Strategy;
• conduct or revise your BIA to be an RBC based BIA. This is critical in resilience;
• conduct or revise your BCM Strategies to be RBC based strategies and
• if you have not yet conducted a Risk Bearing Capacity (RBC) analysis, make a decision and get this done as soon as possible.
6. About the Author
Nico Snyman is the Founder and Chief Executive Officer (CEO) of Crest Advisory Africa (Pty) Ltd (hereinafter CAA), based in Johannesburg, South Africa. CAA has offices in South Africa, Botswana and Namibia, and we will be opening offices soon in the United States, UK and Australia.
Nico has an MBA, specializing in Total Quality Management (TQM) and is an Internationally Certified Management System Auditor with the PECB. Nico is also a Senior Lead Auditor in 14 ISO standards through the PECB.
With over 35 years of experience across the various disciplines, Nico has a vast subject matter expert (SME) base across various industries, from Government, Corporate, Regulators, Banks, Mines, Medical Schemes, etc.
Nico served as a Brigadier in the South African Police Service (SAPS) and as an Executive on the Biggest Global project between 2007 and 2011, the Gautrain Project, and, as an Executive, was instrumental in the establishment of the Bombela Operating Company (BOC) between 2009 and 2013.