The recent earthquake (and its aftershocks) in Christchurch can't help but bring to mind the following questions: "What would my company do if we suffered such an event? How would we keep operating? What would our priorities for interim operations and recovery be?"

For all companies, both fire safety and OSH regulations require that certain hazard prevention and emergency response procedures be in place; but those are focused primarily on prevention or minimisation of injury to people (and that's a good thing!) What about your business though - e.g., your operations, your IT/telephony infrastructure, your brand identity and reputation, and your ability to recover quickly with minimal loss of revenue and profits in the face of an emergency?

The threats a company can encounter include the usual "suspects" - fire, floods, severe weather, earthquakes, epidemics, and terrorism. But don't overlook such things as utility failure, transportation stoppages, computer crashes, interruption of a significant supplier's operations, or the loss of a key employee. All of these threats, and more, can disrupt your company's normal operations, throw things into a tailspin and create uncertainty for staff, customers and other stakeholders.

You can, however, build into your business both resilience and recovery capability if you plan ahead of time how to minimise the risk of a threat, lessen the impact of an event, and safeguard the interests of key stakeholders, reputation, brand, and value-creating activities.

Business Continuity Management

This planning process encompasses both Business Continuity Management (BCM) and Disaster Recovery Management (DRM - refers mostly to IT recovery). These are methodologies that take you through the steps necessary to put in place and integrate within your business the procedures and activities your company will go through to recover from a business interruption. They fall into the following categories.

1. Set out the scope, goals and governance of the BCM programme (the policy)
2. Through training and communications, embed the BCM into the company's culture
3. Understand the organisation - how it functions and the constraints of the environment in which it operates
4. Develop a BCM/DRP response - strategic, tactical and operational, including people, premises, resources, suppliers, critical documents and information, etc.
5. Exercise, maintain and review the BCM plan - practice, evaluate, revise

While all of these steps are important, the one that will take the most time and careful evaluation is Step #4 - Develop a BCM/DRP response. This contains the list of activities, roles and responsibilities, and timelines necessary to lessen the impact of a threat and to speed the recovery process. A good way to approach this step is to start by:

• Listing your assets (building, IT, manufacturing line, suppliers, key personnel, etc),
• Examining which threats would have a negative impact on those assets
• Assessing what specifically is the point of vulnerability
• Determining the level of impact (low, medium, high) of the threat
• Developing the means by which you can mitigate the negative impact

Staff Confidence and Safety is Key

As part of BCM/DRM programme, it is important that you help employees deal with emergency situations not only at work but also at home. The more prepared they are at home the more likely they will be available to help the company get back on its feet. Their level of preparedness at work will give them the confidence to do what's necessary.

Involve the staff in the planning process, make them part of the solution and help them realise how important they are to the ongoing operations of the business. If an emergency does arise, you'll need the whole team working together to get back to normal as soon as possible.

Plan A: Go through the BCM/DRM planning process
Plan B: Implement Plan A

The BCM/DRM is by no means a quick or easy process, but it is necessary if you want to protect your business when a threat arises. This article just skims the surface of what is needed for a proper programme. It's easy to put off the planning process with excuses - don't have the time, it's too complicated, don't know where to start, nothing's likely to happen to us. Keep in mind, though, that if a disaster does strike and you're not prepared, your likelihood of business survival decreases substantially.

There are many resources (e.g., handbooks, templates, case studies) available on the Internet to guide you. Here are just a few: The Business Continuity Institute (www.thebci.org) and Civil Defence [www.civildefence.govt.nz, www.GetThru.govt.nz (home and family), and http:/tinyurl.com/2cqhsk8 (business)]. A simple Google search will get you going on the path to resilience and recovery.

Submitted by Managing Director, Gaye Harford in collaboration with Lorraine Warshaw