Crisis Management — From Business Continuity Plans Towards Recovery Strategy Download -By Kate Robinson (Risk Management) and Niels Willeboordse (IT Risk & Control) A long-term crisis could cause an unparalleled disruption to business. Typical Business Continuity Plans (BCPs) support businesses re-starting their business in the instance of an isolated short-term crisis event. However, when the crisis is for an undefined period, how do we find our way to recovery? Typically, BCPs describe the actions to be taken in the immediate aftermath of an isolated short-term crisis event. They should support your organisation in identifying essential business functions and their basic operational requirements (i.e. who you need and what they need to do their jobs). However, after the ‘dust has settled’ and these initial plans have been implemented, what next? In short, you must invoke the Crisis Management Team, assess the impact on your business and develop a longer-term Recovery Strategy. Download Topics IT Management, Applications and Transformation Risk Management and Regulatory Compliance Business Performance Appoint the Right Leaders In a time of crisis, it is essential to appoint leaders with the necessary skills and capabilities to steer the organisation. Organisations must ensure that the Crisis Manager understands the business (including the supporting functions) and is able to identify risks and operational impacts that result from measures or targets taken to weather a crisis event. The Crisis Manager should be supported by a team of delegates from across the organisation (the Crisis Management Team). The Crisis Management Team (CMT) should be able to identify risks and the operational impacts of those risk within their department or area of expertise. Together this team should be able to define short-and long-term targets and measures to enable the organisation to weather the crisis with minimal negative operational and financial impacts. In the instance of a crisis event, the CMT should be invoked without delay. It is their role to lead the business continuity and crisis management initiatives. It is often the case that finance takes the lead in crisis management; members of the finance team are well placed to provide insight across the breadth of the business and have the analytical skills necessary for strategic decision making. In times of crisis it may be logical and necessary to pursue cost savings, however this should not come at the expense of the long-term needs of the business. In our experience we have seen that a solely cost saving agenda can have longer term impacts which may not support the company’s strategy. Examples of scenario’s which should be avoided include mandating employees use a proportion of their vacation days in a defined period or terminating all temporary employment contracts, where those workers held key positions in the business or essential projects. In both scenarios, cost saving measures can result in essential functions being understaffed. It is therefore essential to have a multi-disciplinary CMT who can assess the impact of proposed actions/initiatives. Operational Impact In an ideal scenario, your organisation will have performed Business Impact Analysis (BIA) and risk assessments twice annually. The purpose of these assessments is to identify critical business functions and their related risk exposures. The output of such assessments should include BCPs and risk management practices which protect and preserve critical business functions. However, in the event of a crisis event occurring the output of this analysis also provides a benchmark for assessing the crisis impact. Armed with an overview of your critical business functions, you should conduct a systematic assessment of how these operations have been impacted, what level of output is required and what resources/ infrastructure are needed to maintain required output levels. It is important to recognise that the critical functions of your organisation will likely include both core (profit driving) and support functions. Having regard for the longer-term operational impact, it is necessary to determine whether the crisis event has highlighted shortcomings in your operations. You should determine whether there are elements of the business which are no longer viable, or which might be reorganized to better serve the organisation. This is an opportunity for inflection, to assess what the organisation has done well and what learnings could be taken from the crisis event. IT Impact Many businesses are highly dependent on IT to enable the breadth of their operations (from employee computer usage to complex IT infrastructure). For example, the Coronavirus crisis highlighted a number of short comings when it comes to IT enablement in times of crisis. Failure to perform adequate BIAs as a component of ‘business as usual’ operations may result in the need to quickly implement work arounds or significant IT infrastructure changes to accommodate remote/ alternative methods of working or changing customer demand. Naturally this can result in unforeseen operational (e.g. supply chain failure) or information security risks (e.g. use of unsecure technologies). When considering measures to mitigate the operational challenges imposed by a crisis event it remains essential to apply risk management procedures. Financial Impact In the event of a large-scale crisis which impacts the broader economy, such as we have seen with the Coronavirus, there will undoubtedly be an impact on the financial viability of your organisation. Financial impacts may be direct (through declining customer demand or customer delinquency) or indirect (e.g. through supply chain inefficiency or macroeconomic pressures). In the aftermath of such an event, it is necessary to develop an outlook on the financial impacts, this should include revisiting annual budgets, forecasts and expectations regarding customer delinquency. The finance department, working with the CMT should develop appropriate cost saving measures to preserve the financial position of your organisation (whilst preventing short sighted decision-making). Effective cash management will be essential to the financial viability of organisations in times of crisis. This is especially relevant when organisations or their customers/suppliers are dependent on debt facilities (either via banks or via customers/suppliers). Remember that your business is dependent on the survival of your key customers and suppliers, so it may be beneficial to work out alternative financing arrangements in times of crisis. For useful tips regarding cash management please read this “Cash Control during the Corona crisis” article. With regard to the longer term, you should assess the impact of a crisis event on long term budgets and business plans. If there is a material financial impact it may be necessary to reconsider any growth or investment strategies which are not directly aligned to preserving the essential functions of the organisation. The Role of Finance Immediate Short Term Mid to Long Term Make cash available to support implementation of business plans. Assets the impact on short term (annual) budgets and forecasts. Re-assess expectations regarding customer delinquency. Practice prudent cash management. Re-evaluate long term budgets and forecasts. Re-assess growth and investment strategies. Support CMT in development, implementation and monitoring of Recovery Strategy. Note: the roles identified in this table are examples and do not represent an exhaustive list. Develop & Implement a Recovery Strategy A Recovery Strategy should be driven by the analysis you have performed in the previous phase. This means that a Recovery Strategy should prioritise mobilisation of your essential business functions, having regard for operational capacity in the immediate period after the crisis event and target operational capacity (based on the revised financial forecasts). It is unlikely that business will return to normal in the short term, a Recover Strategy should provide a realistic roadmap for recovering your business operations and it should be supported by clear operational and financial targets. Performance against key targets should be periodically assessed to track the recovery process and validate appropriateness of the Recovery Strategy. How Protiviti Can Help At Protiviti we have observed that many organisations were simply not prepared to deal with a crisis event. Whether due to a lack of planning (performing Business Impact Assessments) or due to failings in the planning process, it is clear that many organisations do not have the necessary crisis management procedures in place. It is important to recognise that crisis management is not only applicable during times of crisis. Businesses should prepare for such events during times of ‘calm seas’ and revisit these plans at least twice annually to ensure that they are capable of responding quickly when a crisis event occurs. Protiviti has a breadth of knowledge and experience in all areas of risk management, as well as IT management and operational restructuring. Our expertise spans Operations, Finance and IT across all industries. We can support your organisation at whatever stage, whether that is in tackling a current crisis or planning for future resilience. If you would like to know more about this topic or learn how Protiviti can help your organization, please contact Kate Robinson or Niels Willeboordse. Leadership Niels Willeboordse Niels is a director within the technology consulting team of Protiviti with more than 15 years of experience in IT audit and IT risk advisory. Niels is specialised in SAP (ECC, S/4HANA) implementation related projects, specifically: SAP authorizations implementations, ... Learn more