Authoring Resilience During COVID-19

By Lowers & Associates

Business Continuity Plans (BCPs) are funny things.

At their most basic, BCPs are the real-world response to the old “Hope for the best, Plan for the worst” adage. It’s an honest recognition that being stuck between a rock and a hard place is better with a hammer, albeit with no guarantee that the hammer is big or small enough to be helpful.

Nonetheless, a well-conceived BCP provides peace of mind, like insurance does, with the added satisfaction that only authorship (or ownership?) brings. The rub, of course, is that every BCP is, at the end of the day, still just a plan. As boxer, actor, felon, playwright and corporate strategist ‘Iron’ Mike Tyson once famously said, “Everyone has a plan until they get punched in the mouth.”

Indeed.  Because sometimes pipes break in the 2nd floor ceiling of your office and leak antifreeze everywhere.  And because, other times, there’s COVID-19.

The benefit of having a BCP in place to manage either situation is that, well, there is at least a plan. And despite what Kid Dynamite says, the real truth is that any company with a plan retains, at the very least, a fighting chance to get back up after they’ve been hit.

For Lowers Risk Group, like many others, COVID hit our industry, our business – our people.  We were fortunate, though: our Business Continuity Plan was 5 years in the making.  It didn’t matter, until it did.

Back in 2015, CTO David Lowers, Chief Security Officer Joe Labrozzi and Director of IT and Security Chris Sosnoski recognized the need for our growing staff to have partially, if not fully, remote capabilities.  What was initially driven by space concerns evolved with the access to and the ability of new technology to support fully secure, remote work that reduced cost, increased efficiency and enabled greater flexibility that could support new business opportunities within Lowers Risk Group.  With this foundation in place, Lowers, Sosnoski and Labrozzi were able to take the organization’s global footprint of over 550 people (spread over 3 continents) to fully remote in less than 2 weeks with zero business interruption when COVID hit.

And though Facilities might disagree, being fully remote due to COVID made the impact of that leaky pipe one less headache to manage when stress levels are already elevated.

We asked Labrozzi and Sosnoski to tell #OurStory of transition to a fully remote work environment.  We asked them what made it possible and to share a few insights that could help other organizations with the creation and implementation of their own BCPs to author their future resilience.  Below is a transcript of our conversation.

On behalf of the entire organization – thank you both for your efforts and keeping the organization on its feet as COVID hit.  How did your teams manage this transition?

Sosnoski
Our ability to go remote during COVID was strategic and began 5 years ago. Wholesale Screening Solutions, our largest division at Lowers Risk Group, was beginning to test our space limitations. At that time, the VA HQ had about 400 people on-site. Additionally, the Wholesale team recognized a need that they had to hire in different areas, not just in VA HQ. We were tasked with how to support that, and it was clear we had to embrace the cloud. Buy-in from David and other executive leadership there was the first step.

Labrozzi
What really drove the process was what was happening in Wholesale’s Georgia office, our first off-site campus.  We needed a base to get our people into the courts to do research.  That organically began to create resiliency in our operations – rather than rent out trailers, for example, in the event of something happening, our second location offered redundancies as technology matured.  As we gained more experience managing this remote location in GA from our VA HQ, we saw it was possible to have and manage a remote workforce while still doing secure work.  We then built a series of processes around this concept that laid the foundation for more remote work, and we’ve been working at that ever since.

Sosnoski
Right before COVID hit, for example, we launched phase 1 of a Unified Communications as a Service (UCaaS) initiative with plans to roll out Phases 2 and 3 in the coming months. What would have been a much more measured roll-out was accelerated by COVID. But, had we not been building towards that – not just with the UCaaS launch, but all the work leading up to the launch – it would not have been as easy or seamless. However, we had our BCP in place and were able to activate it. Our teams stepped up and, again, the full support of leadership helped make it happen.

What were the steps you were taking to build that initial foundation over 5 years?

Sosnoski
The goal was always to keep the working experience as secure and as available as possible, so it was about taking small bites at the apple.  Exploring, testing, and implementing remote training, for example.  Cloud-based email.  Our UCaaS environment.  We were able to leverage cloud resources like Microsoft, Adobe, Salesforce, AWS and Zscaler to achieve this.

The complicating factor was the cost associated with it – we had to be willing and able to spend monthly on subscription services.  For a while, that was a barrier, but we continued to make the business case while moving from a hybrid environment to a cloud environment.  Transitioning the phone system to UCaaS, for example, was a two-and-a-half-year effort to make happen and now our teams are loving the flexibility it offers.  Our teams can do remote assessments and maintain contact with each other and clients easily.

How did you each manage the workload during the COVID transition to remote work?

Labrozzi
Teamwork.  At VA HQ, Chris and I have sat next to each other for years, so we have a great working relationship – that’s part of the culture at LRG, which is probably also a reason the transition was smooth.  But it’s about the quality of who you work with.  Chris’ IT team knows what needs to get done – they’re reliable and fast.  I focused on the human capital element, making sure that we were dealing effectively with any productivity concerns, making sure teams were staying connected.  We all operate from a leadership mindset and depend on each other to play our parts.

Sosnoski
The real risk in remote work is not technology, it’s management process.  My team trusts each other to get things done.  When COVID hit, we found a useful strategy was to use quick, daily stand-up meetings.  For the most part, these types of meetings continue in some capacity across all departments; I know upper management remains committed to finding one-on-one time for their direct reports.  Process is super important in all this, but equally so is everyone’s ability to do their job.

Any key takeaways to offer other organizations from your experience?

Sosnoski – I think there’s really three that worked for us:

  • We started planning early and had already explored the risk environment, developed the processes that would provide us a path of least resistance to continuity and had leadership buy-in.
  • We identified the right digital tools and had assessed, budgeted for and tested them as part of the plan strategically; having to do this during COVID would have been very difficult.
  • We were all aligned on the work that had to be done to achieve the vision; for us that was finding a secure, scalable and available environment to perform our risk mitigation work.

Lowers Risk Group provides comprehensive enterprise risk management solutions to organizations operating in high-risk, highly regulated environments and organizations that value risk mitigation.  Our human capital and specialized industry enterprise risk management solutions protect people, brands, and profits from avoidable loss and harm.  With Lowers Risk Group you can expect a strategic, focused approach to risk assessment, compliance, and mitigation to help drive your organization forward with confidence.  Contact us.

4 Keys to Business Continuity Planning for Natural Catastrophes

By Lowers & Associates

A catastrophe, by definition, is an event that causes great and often sudden damage or suffering. Catastrophic events, such as those caused by natural disasters, are difficult, if not impossible, to fully predict, yet recent events have shown us that preparing for the unpredictable is critical to business survival.

According to the Federal Emergency Management Agency, 40% of small businesses will not reopen after a natural disaster. One year later, 25% more affected small businesses will close. By year three, 75% without a business continuity plan will fail.

In 2018, droughts, hurricanes, flooding, and wildfires caused $225 billion in economic losses around the world, according to the Weather, Climate & Catastrophe Insight 2018 Annual Report.

Because these catastrophes are low-probability events, many businesses fail to plan for their aftermath in the form of a business continuity plan. Here are four keys to helping your business continue to operate in the wake of a natural disaster.

1. Analyze the Business Impact

If a wildfire were to run through the town of your business headquarters, how would your business be affected? If an earthquake were to destroy the warehouse where your inventory is held, what would be the impact? Ask the same of each type of natural disaster. These very fundamental first questions are critical to forming your business continuity plan. By analyzing the business impact in this specific and personal way, you can begin to see how you will need to prioritize critical business functions and determine which processes are most critical to recover, how quickly they must be recovered after a disaster, and how much you are willing to pay to protect them.

2. Assess the Risks

How likely is it that you will face a wildfire, hurricane, earthquake, tsunami, etc.? Create a list of potential disasters and prioritize them based on their severity and likelihood of occurrence. Remember that by their very nature, natural disasters have a statistically low probability of occurrence so we’re really talking about the likelihood based on a relative scale. Looking at potential disasters this way will help you determine which should attract the most attention during your business continuity planning.

Another aspect of assessing the risks is to look at the recovery plans you have in place now compared to what would be needed. How wide is the gap? The wider the gap, the greater the possible threat.

3. Prepare the Plan

With insight from the first two steps, you can formulate your business continuity plan (BCP). The plan should document strategies and procedures to maintain, recover, and resume critical business functions and processes and it should include procedures to execute the plan priorities for critical and non-critical functions, services, and processes.

Unlike a more general business disruption event, such as a small localized fire or a burglary, catastrophic natural events tend to impact a wider area and have a much longer recovery time frame. The focus often starts with limiting the loss of life and crisis management. As such, your continuity plan needs to have elements you might not normally think of including. Here are some of those elements:

  1. Ensure fire protection systems, generators, redundant systems, and gas tanks are in proper working order, filled, and fully secure.
  2. Work with local police and fire departments to have procedures in place for receiving and responding to warnings from outside agencies and emergency responders.
  3. Designate a crisis response person(s) and have internal and external communications prepared in advance.
  4. Review your emergency preparedness and evacuation plans for everyone in the building. Identify and designate safe areas in the building, such as an interior reinforced room or bathroom, for different scenarios.
  5. Ensure the emergency supply kits are fully stocked with water, medical supplies, batteries, flashlights, etc.

For additional ideas, the Federal Emergency Management Agency (FEMA) has prepared comprehensive emergency preparedness materials to help with disaster preparedness.

4. Test the Plan

Your business continuity plan will be a living, breathing document that will need to be updated, practiced, and tested regularly. Here are some considerations:

  • Develop training, testing, and maintenance schedules
  • Conduct training with the business continuity planning team
  • Conduct orientations for all team members, customers and/or clients, as applicable
  • Perform a business-wide simulation exercise to test elements of the plan. Have a small group develop the simulation but keep the details under wraps so that the team doesn’t know what to expect.
  • Perform a post-simulation review to uncover weaknesses or gaps in the plan
  • Update the continuity plan to include lessons learned
  • Continue to test the plan two to four times a year, keeping an eye to business processes, infrastructure, or personnel that may have changed in the interim

The main factor that puts businesses at risk, post-catastrophe, is their failure to prepare. If you’d like help getting started with a business continuity plan, we welcome you to request a conversation with a risk management expert.

4 Step Approach to Building Your Business Continuity Plan

By Lowers & Associates

To stay prepared, organizations must expect the unexpected. Business Continuity Planning (BCP) addresses the need to have contingency plans in place to deal with potential threats that can turn an organization on its head. Continuity planning is a necessary part of coming out on top in the face of the most challenging circumstances such as a natural disaster, a significant market crash, or a serious hit to a company’s brand or reputation.

As a risk manager, CEO, or any party responsible for the long-term success of an organization, you need to have a plan in place to clearly outline what you would do if the worst were to happen tomorrow. Here are four phases to putting your BCP in place.

1. Business Impact Analysis (BIA)

The first step to building your company’s BCP is to consider the potential impact of each type of disaster or risk event that your company may face. For example, a company in the finance industry may consider the role of the stock market, data breaches, or the possibility of a fraud scandal. The BIA helps you discern which processes are the most critical to recover or initiate in a state of a disaster and assigns a monetary value to the protection of assets involved in specific business processes.

Key goals of the BIA should include:

  1. Identifying the impact of uncontrolled events
  2. Prioritizing critical functions
  3. Establishing maximum tolerable outages

2. Risk Assessment

Upon identifying the impact of the risks facing various functions across your business, the next step is to determine the potential magnitude of these risks. This is a critical assessment to perform, as it helps establish which risks should be most emphasized in the BCP. Priorities can be established by looking at which risks are most likely to occur to determine the breadth of coverage for your company’s BCP. To do this, you can run a gap analysis to compare your company’s current contingency plans against that of the proposed risks to identify any holes you need to fill. With knowledge of these gaps, you can analyze various threats to identify their respective impact.

To aid in this process, it is helpful to work from a list of potential emergencies or viable threats, along with the likelihood of each event and its impact, such as on personnel, assets, or finances. These can help formulate different scenarios to plan for, such as natural disasters or terrorist threats, as well as minor events such as a power outage.

A best-practice risk assessment report should cover the following:

  • Summary of Business Operations
  • Risk & Vulnerability Analysis
  • Critical Support Infrastructure
  • Physical Environment
  • Recovery Time Objectives
  • Business Recovery Strategies & Priorities

3. Business Continuity Plan Preparation

During this step, the BCP is developed, taking into account the likelihood, magnitude, and potential impact of the risks that were identified in the previous step. The BCP preparation stage will take it a step further by documenting strategies and procedures to maintain, recover, and resume critical business functions as quickly as possible. Part of this preparation will entail a list of procedures to address priorities for critical and non-critical functions, services, and processes.

The BCP should include:

  • Business Operations
  • BCP Organization
  • Plan Activation & Operation
  • Preparation & Readiness Checklists
  • Emergency Operations
  • Facility Restoration & Relocation
  • Emergency Communications
  • Emergency Forms & Terms
  • Incident-Specific Response Checklists

4. Business Continuity Plan Testing and Table Top Exercises

Once a plan is established, it’s time to put it to the test with table top exercises. During this final step, key staff members and management will come together to simulate their response to various emergency situations that were identified as likely risks. Using the procedures outlined in the BCP, these exercises will identify gaps in the plans so they can be improved in a controlled setting. This process can also help establish the different roles and responsibilities across team members.

When it comes to risk mitigation, hope for the best but plan for the worst. Take your risk planning to the next level by getting started with your Business Continuity Plan. Talk to a risk mitigation expert today.
