Crisis and continuity planning - thinking outside the box
If an unplanned for and unexpected disaster befalls and organisation, how does it navigate through the three phases of crisis management, disaster recovery and business continuity?
When an organisation is planning for or facing a crisis, its internal auditors’ first and most important job is to challenge groupthink – a state of being in which people agree, not because the information supports the conclusion, but because they feel intimidated to disagree. This was one of the key messages delivered by Daniel Roberts, group head of risk, FCG, to delegates attending ACCA's 2015 annual Internal Audit Conference.
‘There are three types of groupthink that appear when a crisis needs managing,’ he said. ‘Type 1 overestimates the power and morality of the group; type 2 is typified by close-mindedness, rationalising warnings and stereotyping those opposed to them; and the third type feel pressured into uniformity and suffer the self-censorship and illusions of unanimity that go with it.
'These "right-thinking people" who fall victim to groupthink hold organisations back when they are facing a crisis,’ Daniel said. ‘Your organisation is full of similar right-thinking people and you have to be very careful of them. It is your job as internal auditors to challenge them when you see groupthink in action.’
Moving on to planning for disasters, in their many forms, Daniel pointed out that ‘anyone can predict the future, but getting the dates right is tough’. While types of disasters and business interruptions are predictable, ‘don’t plan for everything,’ he advised. ‘You can’t. But as internal auditors you have one statement that you must make again and again to the board until it starts saying it back to you: “If you don‘t test your recovery plan it will fail. It will fail the first time. It will fail the second time. But by the third time it will be pretty good.”’
Setting up two crisis management teams is a good idea because at some stage team ‘A’ is going to have to have a break. Further, ‘if you cannot constitute team A when a crisis occurs, then you must be able to bring in team “B” immediately,’ Daniel said.
He offered the example of a bank in New Zealand which, recognising that at some time there would be an earthquake in Wellington, set up two boards of directors – one in Wellington and an alternative board in Auckland. If Wellington is out of contact for more than four hours, the Auckland board is empowered to be the alternate board of directors for the bank.
Building in resilience
‘Companies and people are very resilient, but are you building that resilience into your business and supply chain?’ Daniel asked. ‘Are you saying in your plan what happens if the mains power is lost for an extended time, or your local telephone exchange is gone? One of the key lessons of this is that corporate governance matters far beyond your walls. Ask yourselves: how good is the corporate governance in your key suppliers and in the organisations that you rely upon?’
What if a disaster hit a key supplier elsewhere? As an example, Daniel pointed out that almost 50% of hard drives for all personal computers came from Thailand, so the disastrous flooding that happened there in 2011 had enormous consequences for many businesses – hard disk drive prices, for example, doubled.
‘There will be future disasters,’ he said. ‘Think of the earthquakes in Christchurch, New Zealand, and more recently Nepal. There will be more earthquakes, and they will happen in funny places. In 1805 in the middle of the US an eight-point earthquake was so bad that the Mississippi river went upstream. Earthquakes are a 100% certainty. They are going to happen, but do we know where? We need to concentrate on location specific planning, which includes evacuation plans, a communications plan, basic supplies and a who to call list – not just for earthquakes, but for the range of potential events that could render a facility unstable or unusable.’
The advent of a pandemic is another 100% certainty, but your planning does not need to be about what to do for the end of the world. ‘You can plan for what happens if someone goes away on holiday and comes back with the norovirus, which spreads through the payment department,’ Daniel pointed out.
‘Suddenly your entire payments team is up the creek for a week. Are you going to miss critical payments? Not if the people dealing with liquid payments are in two parts of the building. While this might not be easy, remind them that they’re not allowed to go and visit each other. Or better still, put them in another building. It’s not that difficult, they’re all doing the same thing.
‘Of course, you can plan for a pandemic. Monitor, communicate and subscribe to alerts from a website that updates you on current disease epidemics and where they are in the world.’ A good example is ProMed, which is run by the International Society for Infectious Diseases.
Searching out ‘Greg’
‘Recovery is good planning that has nothing to do with figuring out how fast you can reinstall Windows server on a box,’ Daniel insisted. ‘It has to do with whether your board understands and is ready for it? Is your senior manager ready for it? Do you understand the basic scenarios that may impact you? It’s all about the preparation because if you haven’t prepared for it, it’s just going to happen.’
His recommendations? Do not plan for each scenario, plan for scenario types and their impact on supply chain disruption, loss of access, loss of people and social upheaval. Practise your recovery plan, build in governance flexibility and question yourselves and others constantly.
Daniel concluded with a final warning by means of an anecdote. In the early 1990s, he said, he attended a Christmas lunch held by an IT company that sold data and analytic tools. In the middle of it, the restaurant owner approached the IT director saying that he had a phone call for him. ‘The man went away and came back looking a little ashen,’ Daniel said. ‘He looked across the table at his senior network analyst and said: “Greg, the network’s down”. Greg looked up from his dessert and said “yeah, I noticed that on the way out”. All of your organisations have a Greg. Find Greg.’
So what is the difference between disaster recovery and business continuity? ‘Disaster recovery is how you plan and recover from the big crises,’ Daniel said. ‘Business continuity is: Have you found Greg? Are you ready for when Greg does something wrong?’