Business Continuity Management – More Valuable Than Ever
Business Continuity Management (BCM) ensures that a company can continue to supply products and services in acceptable pre-defined quantities after sudden disruptions, emergencies, or disasters.1
In addition to risk management, security management, emergency management, and crisis management, BCM plays an important part in strengthening a company’s ability to adapt to a changing environment and to make itself resilient to the possible effects of an adverse event.2
The ongoing COVID-19 pandemic is, of course, a notable example of how an event can radically disrupt a businesses’ trading and operating environment over a long period, though you don’t have to look far for other examples. In recent times, natural disasters such as windstorms, earthquakes, tsunamis, volcanic eruptions, floods, and forest fires have wrought havoc around the world.
BCM defines different threat levels in terms of their dimensions and associated effects. The scale ranges from incidents, to emergencies, to crises, to full-blown disasters. These terms indicate the level of response required should an event occur and who is responsible for managing it.
For example, “incident” describes a situation where an organisation’s processes and functions are disrupted but the resulting damage can be classified as minor in relation to the overall annual result of the company. The expectation is that the fall-out can be dealt with by of integrating troubleshooting into day-to-day business. While some incidents may appear to be trivial, losses can still escalate quickly if the issues are not resolved promptly.
At the other end of the scale, a “crisis” or “disaster” describes an event where the disruption could expand to such an extent that the existence of the company and/or the health of its employees are endangered. Often, these events are of such proportions that the fall-out can only be managed with extreme effort on the part of the company, or, in the case of a disaster, only with outside help.
If a company is to be prepared for such calamitous events, it needs to use a process of threat analysis to identify possible dangers. Then, in tandem with Business Impact Analysis (BIA), the potential direct and indirect consequential damage to a company through the associated failure of one or more of its business processes can be determined and analyzed. Using this knowledge, an effective BCM process can be established.
This article outlines the steps that underpin a fully functioning BCM programme and discusses their implications from a property insurance perspective. It also offers advice on how to assess the quality of BCM in a company in relation to property insurance underwriting.
BCM is a concept whose core task is to safeguard business functions in the event of an incident, emergency, crisis, or disaster and to minimize the potential consequential damage caused by the resulting business interruption. BCM deals with the question of how business/production processes critical to the success of the company can be maintained with reduced resources so that the existence of the affected company is not threatened.
BCM comprises the following components:
- A Business Continuity Plan (BCP), the so-called emergency plan, which describes all immediate measures to be taken after the occurrence of an event;
- A Crisis Response Plan (CRP), which describes the most important measures to be taken by the crisis management team to overcome the crisis, and;
- The Business Recovery Plan (BRP) or Disaster Recovery Plan (DRP), which describes all measures needed to restart the company after a failure or interruption of business processes.
BCM requires a proactive investigation of failures of critical procedures and processes in a company. To determine potential worst-case scenarios, both internal factors (such as organization, infrastructure, information, and decision-making processes) and external factors (such as customers, suppliers, environment, natural hazards, epidemics, etc.) must be considered.
In doing so, BCM neither eliminates the causes of the loss nor prevents the occurrence of an incident/crisis/disaster. Rather, it should create the conditions and measures needed to avoid (or at least reduce) any impairment of business capability.
Cost considerations are not the main focus of BCM. However, maintaining business operations may be associated with increased costs to reduce the potential extent of damage and the duration of the impairment of the company. BCM is, therefore, an integral part of corporate management and requires the full attention and support of the management.
Due to its importance, several BCM principles are outlined in legal regulations, such as the European Solvency II directive and KRITIS in Germany.
Setting up a BCM programme is complex and involves considerable effort. It must be individually and holistically tailored to the existing characteristics of the respective company. One difficulty here is that the probability of disruptions occurring is uncertain and thus, only a qualitative approach ultimately works in the context of BCM decisions, combined with subjective and individual decision-making.
To help companies establish their BCM programme, several standards exist in different countries, with business associations and risk management institutions offering advice. Here in Germany, the BCM standard BSI 100-4,3 describes a systematic approach to emergency management to ensure the continuity of business operations. The recognized international standard specifying BCM requirements is ISO 22301:2019.4
Essential elements of a BCM strategy
Setting up a company’s BCM programme requires risk analysis (also known as threat analysis), business impact analysis, and a business continuity plan.
Risk analysis involves assessing the possible dangers that could lead to an interruption of a business process and its associated risks. The aim here is to make the existing risks transparent so that suitable strategies and measures can be developed to reduce these risks in advance and to identify scenarios to develop individual emergency plans.
The classic risk management instruments such as risk identification, risk assessment, development of loss scenarios, identification of risk strategy options (risk transfer, risk assumption, risk avoidance, and reduction) are used in this process. Possible considerations in this context include:
- What effects would a loss event have on the company?
- What consequences would the failure of critical functions in the company have?
- How long can downtimes in business operations be tolerated concerning customers, partners, and markets?
- How would a loss of x days/months affect customers, employees, and suppliers?
- Which existing solutions are already in place in the company to minimize any failures?
- What dependencies exist between suppliers/customers and what are the consequences of their failure?
- Identification of core suppliers and customers (e.g., degree of dependence on total sales/profit)
- Is it possible to switch to other suppliers/customers?
- Can production processes be shifted to other companies/third parties and if so, to what extent?
- What are the contractual penalties?
The main valuation parameters for the effects of defined default scenarios are:
- Probability of occurrence;
- Extent of the consequences of the damage;
- Dependencies of business processes (interdependencies/contingency effects, including infrastructure, energy supply, etc.);
- Cost-benefit analysis.
The biggest challenges in connection with a threat analysis are:
- Determination and validation of the worst-case scenario;
- Calculation and validation of interdependencies;
- Calculation and validation of contingency effects;
- Estimation of the duration until alternatives are functional;
- Estimation of dependencies at machine level (technical risks).
Business Impact Analysis (BIA)
The goal of Business Impact Analysis (BIA) is to collect and identify processes and functions within an organization to capture the resources underlying the processes. It describes and evaluates what happens if a business function or production process fails. Key questions include:
- What are the critical activities and business processes (manufacturing processes, suppliers, IT, infrastructure) and their influencing parameters according to their importance and scope?
- How could the respective loss and its consequences for the individual business areas develop (e.g., expected monetary loss)?
- Which business processes are to be secured and which can be neglected, i.e., how long can the company continue to operate without existential damage?
- How long would it take to get the operation up and running again?
- What resources are needed, and when, to maintain business operations?
- What is the expected loss as a function of sales/profit, considering the probability of occurrence and the severity of the loss?
The possible effects of any damage are considered and evaluated according to their severity:
- Financial effects;
- Impairment of the performance of tasks;
- Infringement of laws, regulations, and treaties;
- Negative internal and external effects (reputation damage);
- Impairment of personal integrity.
The results of the BIA are:
- The identification of all critical business processes, the resources they require, and the interdependency between business areas and processes;
- An understanding of the level of damages that could result (and the probability that they will);
- Estimated restart times for all critical business processes;
- Necessary emergency measures, and;
- BCM strategies for each of the respective failure scenarios.
Business Continuity Plan (BCP)
The BCP describes the necessary plans, such as the emergency plan, crisis management plan, business recovery plan, etc. They contain damage-limiting measures and precautions that are necessary to maintain critical business processes and minimum service levels and to reduce downtime to a tolerable level. The following should be considered in this context:
- Which measures are useful (development of alternative concepts)?
- What is the cost/benefit ratio for the possible solutions?
- Are the possible solutions suitable for the site/area/process in question?
The BCP also covers:
- Establishing and training emergency response teams to manage the situation (their size depends on the organization, function, and structure of the company);
- Setting internal communication points for alerting customers, employees, suppliers, business partners, and insurers;
- Forming an external communications team to inform customers, authorities and the media about emergency processes, e.g., order processing, expected delivery time bottlenecks;
- Holding important business documents, e.g., from banks, insurance companies, contracts, accounts, and;
- Identifying alternatives for the continuation of business processes, e.g., buildings, plants, machines, energy, networks, supply chain.
The following should be considered:
- What options are available to the company?
- How realistic is the implementation of these measures for the company?
- Expanding production to days off/shifts;
- Moving production to other locations;
- Contract manufacturing;
- Other emergency measures;
- How effective are the individual protection/emergency measures?
- What costs are triggered by the respective measures?
- Who are the responsible persons and what are their duties and instruction/decision-making powers?
- What is the communication strategy for updating suppliers, customers, employees, and markets in an emergency?
Keeping BCM up-to-date
To be able to react quickly and effectively, the existing BCM should be adapted to the changing circumstances of an organization. For this purpose, it is necessary that:
- The BCM plan is regularly checked for its functionality;
- The assumed damage scenarios, as well as the existing emergency measures/strategies, are regularly reviewed to ensure that they are up-to-date;
- Existing plans are continuously improved and adjusted in the light of knowledge gained from claims or the experience of other companies;
- BCM plans are adapted to changes in business organization, constraints, and business processes;
- All employees are regularly informed about the necessity of, and cooperation in emergency management and, if necessary, trained accordingly;
- BCM teams regularly practice possible emergency situations in order to be able to act correctly and routinely in an actual emergency;
- The developed BCM plan is audited by a competent third party, if possible, and improved if necessary, and;
- Changes in responsibilities and persons within the BCM are considered, departing team members are replaced immediately and new team members are trained.
Business interruption (BI) insurance and BCM
BCM and BI have the same aim, namely, to reduce the negative impact of loss events that can affect a company. But the differences are:
It should be noted that not all damages affecting a company are covered by insurance. For example, would an existing insurance policy help if you lost your market/customers?
An up-to-date BCM programme is helpful for both the policyholder and the insurer and provides valuable information on how to determine the necessary insurance coverage and the framework required, as follows:
- Determining an appropriate BI insurance sum/loss limit based on the worst-case scenario;
- Identifying scenarios/damage that cannot be covered by insurance (i.e., they should be prevented or at least reduced by BCM);
- Identifying measures and alternative options to be prepared for to limit possible damage;
- Supporting the insurer in determining the maximum possible loss scenario (Probable Maximum Loss (PML)/Maximum Foreseeable Loss (MFL));
- Support for policyholders as well as insurers in determining the BI vulnerability of a business (BI analysis);
- Establishing the necessity and scope of BI insurance;
- Determining the required BI insurance sum during the period of disruption (net profit, fixed costs, damage mitigation costs);
- Determining the realistic and necessary indemnity period;
- Determining the necessary limit for interdependencies, as well as supplier and customer extensions, and;
- Determining additional costs and initial risk positions/extensions (e.g., access and official reconstruction restrictions, failure of public supply).
An existing BCM system does not, as is often assumed, lead to a reduction in the BI PML/MFL – but it does influence the probability of a PML/MFL event occurring in the event of a loss. BCM is inseparably linked to BI insurance. Since BCM also takes the future business development of a company into account, it helps to determine the correct BI insurance sum and indemnity period of the BI insurance, thus helping to avoid underinsurance. Furthermore, it also provides information on what possible preventive measures can be taken to avoid a possible loss scenario, or at least mitigate its effects.
However, just like BI insurance, BCM offers no guarantee that a company will recover economically after a loss event.
Accumulation risk for insurers
Loss accumulation is a potential threat that insurers need to consider. For this reason, insurers and reinsurers use analyses to identify possible scenarios that may affect several policyholders or policies which would lead to an increase in the number of claims to be paid.
Such accumulations can result from various situations: it could be that further liability claims arise from disruptions in the supply chain or at customers, or that a large number of insurance policies are affected simultaneously by regional or even worldwide losses.
Such scenarios arise, for example, from natural hazard events in which entire areas of land are affected, or in the event of a breakdown of infrastructure facilities (e.g., energy or water supply), or from the fact that a policyholder has various insurance policies with the same insurer that are affected simultaneously by a loss event (e.g., liability, D&O, cyber, or other insurance policies in addition to the property policy).
In such cases, policyholders’ BCM can support the insurer’s accumulation liability assessment to some extent.
A BCM plan provides an underwriter with a wide range of indicators for estimating the liability potential of an existing BI insurance policy, as risk potentials and their effects are considered in different ways. It is therefore helpful for an underwriter to assess the quality of BCM at a company seeking insurance and, if necessary, to take it into account positively in the underwriting process.
A “good” BCM programme can be determined through the following questions:
- Is BCM implemented in the company and is it an integral part of the company policy/strategy?
- Does the BCM responsibility lie with the management/top management?
- Does BCM awareness encompass all management levels?
- Is BCM systematically integrated into the management of projects, restructuring, and changes in business processes?
- Has a BCM team been named and have their roles, responsibilities, and authorities been defined?
- Is the BCM plan up to date and is it regularly reviewed/tested and adapted to current business processes?
- Have the key areas of a company, as well as the critical processes (supply-chain), been identified and retroactive events recorded?
- Are interdependencies included in BCM?
- Are critical suppliers and customers identified and possible alternatives described?
- Have the possible damage scenarios been described, along with their effects on the organization and business processes?
- Are critical infrastructure failures (climate control, energy, water, IT, telecommunications, etc.) and corresponding emergency measures factored in and described?
- Do backup strategies (hardware, software, data) exist for the company’s own or outsourced IT and telecommunications?
- Are critical personnel positions identified and emergency measures considered (loss of personnel due to strike, epidemics, dismissal, death, accident, malpractice, etc.)?
- Are the political, legal, and economic conditions considered?
- Are the possible emergency measures described, and are alternative measures and redundancies available?
- Has an external and internal crisis communication strategy and procedure been defined and tested?
- Has the BCM plan been audited by a third party and found to be conclusive?
Further information on underwriting BI insurance can be found in Gen Re publications: Business Interruption Exposure – An Underwriter’s Guide to Getting in Right5 and Business Interruption Insurance – a German Perspective: Quo Vadis?6
BCM is a concept for securing business functions against serious crises and minimizing the consequential damages of business interruption. It answers the question of how, in an emergency, a business/production process critical to the success of the company can be maintained with reduced resources so that the existence of the affected company is not threatened.
BCM plans are very individual and must be carefully adapted to the specific operations and environment of a company. It is therefore difficult to establish a uniform assessment standard for the timeliness and effectiveness of a BCM plan.
If a BCM plan is in place, it will provide good support to the company in the event of a loss, helping it take the right countermeasures to maintain or re-establish business processes as quickly as possible. It provides the company with valuable information for the sensible design of its insurance coverage, e.g., BI insurance, and supports the insurer in its underwriting.
The COVID-19 pandemic has revealed how well prepared many individual companies were for such a crisis and to what extent they were able to maintain their business processes in emergency mode, thus securing their customer relationships and market share.
The crisis has certainly presented companies with an opportunity to check how well their BCM preparations perform and to identify any possible weaknesses. Many are making adjustments to strengthen their resilience against future crises, if and when they arise.
Download PDF Version for Further Reading & Endnotes.