Business continuity plans: The new preparedness for the new normal

Resilence comes with planning.

Many businesses and individuals whose livelihood was halted during the COVID-19 stay-at-home order were unable to do anything but shut down. Due to the nature of their product or service, it simply was not possible to cobble something together to avoid shuttering. But some were able to find a way to adapt:

They demonstrated resilience–a quality all organizations, whether shutdown or not, value.

The new ‘competitive advantage’

Resilence, says Forrester VP and group director Stephanie Balaouras, “will become a competitive advantage” post-COVID-19 and throughout the 2020s. Balaouras defines business resilience as “the ability to deliver on your mission and vision regardless of any kind of crisis or disruption, be it extreme weather, political upheaval, cyberattack, or the next disease outbreak.”

As companies plot how to re-open from the lockdown caused by the coronavirus pandemic, they might want to take some time to evaluate their resilience. And part of that could include taking the time to analyze and reflect on their business continuity plan.

Scrutinizing a business continuity plan

“What the pandemic has done is laid bare the immaturity of our enterprise risk management programs and our business continuity planning and preparedness,” says Balaouras.

You don’t have to look far to see the results of the pressure of the pandemic and its economic off-switch. You might already even know the answers to the following questions. But they’re still important to ask:

As many in business are starting to realize, if they didn’t already, “it takes a village” to ensure the health of a business. And the questions above confirm that: From the C-level to IT to middle management to HR to front-line employees, the success of the business during COVID-19 depended on many people in an organization, with the CEO setting the tone. And the fate of each function or role should be thought about before the continuity of the business is threatened.

No strangers to BCPs

In the financial industry, of course, advisors and broker-dealers are no strangers to business continuity plans (BCPs). In fact, FINRA requires them: “Rule 4370 (Business Continuity Plans and Emergency Contact Information) requires a member firm to create, maintain, review at least annually and update upon any material change, a BCP identifying procedures relating to an emergency or significant business disruption.”

And FINRA has had its own pandemic-related business continuity plan for several years. It offers a list of the minimum things a BCP should account for, appropriate to the size and needs of the firm:

If the firm doesn’t include one of these elements, it must document why. And if the firm uses another entity to handle any of the above elements or systems, it must explain the relationship.

Looking at BCP weaknesses in the past

The SEC is not as detailed in its list of requirements. In fact, on its COVID-19 page, you might not find what you’re looking for in that respect. The publication Financial Planning suggests looking at the SEC’s August 2013 OCIE risk alert page.

On that page, OCIE Director Andrew Bowden is quoted: “Our staff examined approximately 40 advisers in the aftermath of Hurricane Sandy to assess their preparedness for and reaction to the storm,” said OCIE Director Andrew Bowden. “We hope our observations in this Risk Alert and those in the earlier joint advisory will help industry participants better prepare for future events that threaten to disrupt market operations.”

The Risk Alert (Vol II, Issue 3) offers observations and lessons learned from BCP review after Hurricane Sandy. Let’s look at the weaknesses they found. Not because we’re negative thinkers, but because during a crisis or disaster, what you might do wrong is more important than patting yourself on the back for what you did right.

Granted, these observations in the Risk Alert relate to a hurricane, but better to face a pandemic prepared for a hurricane than face a pandemic with no preparation at all. Here are a few:

1. The “oh that will never happen” weakness. “Some advisers adopted BCPs that did not adequately address and anticipate widespread events. These advisers generally experienced more interruptions in their key business operations and inconsistent communications with clients and employees. For example, some advisers did not have adequate plans addressing situations where key personnel, such as portfolio managers, were unable to work from home or other remote locations,” the SEC notes.

2. The “we want everyone to work in our one office” weakness. “Some advisers did not have geographically diverse office locations, even when they recognized that diversification would be appropriate. Many smaller advisers had fewer geographically dispersed staff.”

3. The “don’t worry about them, of course they must have a plan” weakness. “Some advisers did not evaluate the BCPs of their service providers…..In doing so, the advisers did not ensure that the service providers’ plans incorporated key business continuity controls that related to the advisers’ ability to execute their own BCPs.”

The pandemic laid bare many flaws, including societal and economic ones. It also exposed weaknesses and pain points for many businesses — how they operate, their policies, their culture, their revenue and supply sources, their contingency planning. Now is the time to make changes and emerge stronger, ready to face the next challenge.