In this post, let’s focus on disaster recovery, and more specifically on the business continuity plan, with a simple example. We will also provide you with a free template.
This is the second post in our series on Supply Chain Risk Management, which will come out gradually over the next few months.
The purpose is to hold a planning exercise that leads to taking the right actions (e.g. adding controls to prevent or detect fraud, having a procedure ready for reacting properly to a PR crisis, keeping a sufficient buffer of liquidity to survive a recession…). These actions will allow the company to reduce exposure to disasters and/or to get hit less badly when disasters strike.
Disaster recovery: Let’s look at two extreme examples
First, a really bad example.
The Trump administration probably got clear information from the Taiwanese government while the Wuhan authorities were still denying any human-to-human transmission had been confirmed. They saw the confinement of Wuhan and neighboring cities. They were warned about the potential for a global pandemic. And, all that time, what did they do? Seemingly nothing.
An article in The Guardian blames them pretty strongly for these “missing six weeks”:
“The US response will be studied for generations as a textbook example of a disastrous, failed effort,” Ron Klain, who spearheaded the fight against Ebola in 2014, told a Georgetown university panel recently. “What’s happened in Washington has been a fiasco of incredible proportions.”
Now, let’s look at a great example.
A regional supermarket chain in Texas had planned ahead (they even have a full-time staff position as ‘director of emergency preparedness’) and was not caught by surprise, and they took a number of appropriate measures.
The reason for this is simple. They already had a plan and they were following it.
Let’s look into what it takes to develop such a plan.
How to set a business continuity plan (BCP)?
First, you need to be aware that this planning work may not all have to be done within your company.
If you are an importer and/or a brand owner, and you rely heavily on 1 or 2 suppliers, you can request that they set up a BCP and submit it to you for comments and approval. The objective is typically to have them demonstrate their ability to get production volumes back to 75% of expected volume within 2 months after running into serious issues.
Here are the steps I’d suggest.
Step 1: Make a list of all the events that could prevent your company from functioning as intended and keeping your customers (and other stakeholders) happy
Some will be internal, for example:
- A key employee leaves suddenly, leaving you unable to perform some activities at the same level
- Highly confidential information is leaked to competition, and a large customer is suing your company over that leakage
Some will be external, for example:
- A large customer goes out of business, and you can no longer cover all the fixed costs
- A serious epidemic forces all companies in the area to remain closed for 6 weeks
Note: if your company already drew up a list of risks & opportunities for its ISO 9001:2015 certification, start from that list.
Step 2: Think wider!
Once all these “reasonably common and somewhat probable” events have been added, it is time to add a few Black Swans.
One of my rules of thumb is “anything with a very high impact needs to be studied and we should have an idea of how to react to it, even if the overall risk score is very low”. There is a simple reason for that — we humans are not good at computing probabilities, and computer models have shown their limits many times, too.
What ‘once in a century’ disasters could strike? The 1918 pandemic killed millions of people on several continents.
George W. Bush pushed hard for a 7 billion USD plan in 2005, but congressmen seem to care more about ways to be re-elected… And now we are in the middle of the COVID-19 pandemic.
What ‘once in a decade’ disasters haven’t been extremely impactful so far, but could become more impactful? With Global Warming, isn’t it possible that something even nastier than Hurricane Katrina hits a major city soon?
Another great place to start is to look at the types of events that are often invoked in contracts to let the parties off the hook. Here is an example:
acts of God or of the public enemy, fires, floods, epidemics, riots, quarantine restrictions, strikes, freight embargoes, earthquakes, electrical outages, computer or communications failures, and severe weather, and acts or omissions of subcontractors or third parties
Get input from the right people
If your company has a simple activity and a handful of people, you can target 20 rows in the first session and 20 additional rows in the follow-up session.
If you employ hundreds or thousands of people, break the exercise down per department and/or area. This is not an exercise to be handled entirely by “corporate planning”. Varied perspectives are what you are looking for.
A free template of BCP
If you want to start documenting your plan, we have you covered.
Download our free Business Continuity Plan Template in Excel format.
This is the same template we used for our risks & opportunities analysis (for getting ISO 9001 certified) and for the BCP some large customers requested from us.
It is filled out the same way as an FMEA, so head to this page to understand how it all works.
A simple example of BCP
Here is a simplified business continuity plan example with 2 potential issues:
These issues then get rated on the 3 dimensions of risk: severity of impact, likelihood of occurrence, and ability to detect. (Same 2 issues, same table, moving to the columns on the right.)
It is clear the second risk is much more frightening (composite score of 20) than the first risk (score of 4).
In addition, the 2nd risk also comes with an opportunity. Taking preventive measures that can be communicated to customers and potential customers might bring more business. That’s an extra reason to act on this.
At this point, you have an assessment of the current level of exposure to risk.
As I wrote above, all this leads to an action plan.
Once all this has been done seriously, and actions have been implemented, the risks can be re-assessed, and the organization’s ability to recover from disasters can be re-evaluated.
Is that all there is to business continuity?
No. The ISO 22301 standard includes a list of requirements for a company that wants the management system behind its BCP to be certified. It is more than doing a one-time planning exercise, obviously.
But it all starts with a solid plan. If it gets full management support and is followed, it helps greatly with disaster avoidance/mitigation and disaster recovery.
Making your supply chain less likely to be totally disrupted by disasters
A good article (We Need More Resilient Supply Chains) came up a few weeks ago. It gives a wide range of suggestions to help with business continuity.
The most interesting part, to me, because this is a common situation and managers are usually unimaginative, was their list of measures that make sense when buying components for which (1) supply disruption is relatively likely and (2) the impact on revenue would be high:
- Know where parts are made and stored and know the sub-suppliers (including where their operations are located),
- Develop an alternative supplier, and/or ask the sole supplier to develop an alternate source (where their own suppliers manufacture, and where they manufacture),
- If your direct supplier is very reliable, have them do a risk analysis, develop alternate sources, etc.,
- Buy insurance to cover the risk of supply interruption.
Remember, it’s not just about keeping more inventory on hand!
Transparency and visibility into the supply chain
If you don’t know your supply chain ‘farm to fork’, you don’t know if you are going to suffer shortages when a geographical area is hit. Mapping all the players (if needed without identifiers: “supplier A”…) is possible if you have sufficient clout over your suppliers, but it takes time.
For example, Japanese automakers have made sure to map their supply chain, down to tier-2 suppliers and beyond, according to Reuters:
Since 2011, Toyota, which spent weeks at the time identifying how its suppliers had been affected by the quake, and Nissan have both developed supply chain databases which offer a detailed view of their supplier base to identify how their supply chain may be disrupted during emergencies.
If your company was caught by surprise by the current pandemic and its many consequences, I hope this article will give you the framework needed to be better prepared in the future.
Have you already prepared a business continuity plan? Was it helpful? Did you notice some of its blind spots? Share your experiences in the comments!