
AAFCPAs Helps Clients Prepare a 360 Degree Action Plan for Business Continuity

On March 11, the World Health Organization (WHO) declared the novel Coronavirus an official global pandemic. Businesses across the globe experienced interruptions, shortages, and other unexpected challenges that impacted multiple aspects of their organizations. Many continue to struggle to adapt.

Some industries, like hospitality, are dealing with acute slowdowns in their operations and revenue. Others, like manufacturers of personal protective equipment (PPE) and disinfectants, are challenged with accelerating to meet demand.

For many organizations, near-term survival is the only agenda item. However, those that remain future-focused and make the most of better insight and foresight will disproportionally succeed.

Business Continuity Management (BCM): Is your business prepared?

BCM is a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause. Additionally, BCM provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

BCM is proactive, and integrates the disciplines of Emergency Response, Crisis Management, Disaster Recovery (technology continuity) and Business Continuity (organizational/operational relocation).

Where do I start?

Assemble Your Business Continuity Team

Start by identifying a program sponsor who will maintain accountability for your BCM program. This person must have authority and a comprehensive understanding of your organization’s strategy, processes, programs, services, and/or products. In cases of emergency, there is no time for laissez-faire leadership. Your program sponsor should have knowledge and authority to make quick and effective decisions. Sponsors are generally from operations, risk management, finance, or even IT.

Appoint a Business Continuity Steering Committee comprised of cross-functional team members to assist in providing input on resource dependencies, recovery objectives, and strategy options.

And finally, engage someone with experience in BCM. An AAFCPAs BCM consultant adds critical value by providing objective insight and hands-on experience developing Business Continuity Plans (BCPs). We assist with facilitating productive dialogue with cross-functional teams, identifying and analyzing risks and their potential impact on business, focusing on the details that matter, and delivering critical training so team members are well-prepared in case of crisis.

Perform a Risk Assessment & Business Impact Analysis

Risk assessment & business impact analysis is the process of analyzing all aspects of your operations and identifying and documenting resource dependencies and threats to the business that could cause potential disruptions.

The process of assessing risk is a methodical examination of two aspects: likelihood and impact. Clients are advised to evaluate a wide range of causes and effects, including global pandemics, system failures, accidents, natural disasters, human-caused catastrophes, legal costs, financial setbacks, operational freezes, etc.

Business impact analyses are also important for balancing your liabilities and your insurance costs. Among affected plans are Business Interruption Insurance and Supply Chain Insurance which, along with your business continuity plan, will minimize losses from disasters. While insurance plays a role in the risk mitigation strategy, it is the last point in the mitigation continuum because it only compensates for damage.

Once threats are identified, the BCM team can compute the financial and logistical costs of undesirable events and assign probabilities to various scenarios. With this information, your BCM team can design and implement risk-management strategies, which prioritize the most significant risks, and devote resources where most needed.

Depending on the event and response, it may be possible that losses can be mitigated entirely. An example would be discovering the need to move critical business processes to the cloud, so your team doesn’t skip a beat when forced to quarantine and perform their jobs remotely.

Keep the Plan Alive

Once you have “completed” your Business Continuity Plan, make sure it is quickly accessible to all employees and stakeholders. Review your contingency plans annually and update them as needed. And seek a fresh look periodically to ensure you have diverse points of view on threats and safeguards.

Keeping the plan alive should also involve testing the plan. The plan does not need to be tested in its entirety at one time but can be tested in pieces, as long as the Business Continuity Team understands the impact of one element of the plan on the others. A well-tested plan can help ensure you are well prepared to avert a disaster. For example, an AAFCPAs client tested with one third of their call center staff working remotely before the pandemic. It was much easier for them to scale the other two thirds to a remote status because they already had the knowledge and tools for scaling up.

How can we plan for all possible contingencies?

While it may not be possible to plan for all possible threats, the process of establishing a Business Continuity Team and ongoing commitment to a risk management strategy will ensure you are well prepared for any hurdles your internal or external environment may provide.

Cross-functional and diverse teams, as well as teams which include input from objective AAFCPAs BCM specialists, will help ensure you have considered as many threats and appropriate safeguards as possible. In addition, should you face an unplanned threat, this team will be well-prepared to mobilize quickly and hit the ground running to make critical decisions that will minimize impact.

If you have questions, please contact James Jumes, MBA, M.Ed. at jjumes@nullaafcpa.com, 774.512.4062; Vassilis Kontoglis, at vkontoglis@nullaafcpa.com, 774.512.4069; or your AAFCPAs Partner.

About the Authors

James Jumes
James joined AAFCPAs in 2013 to lead the Business Consulting Services practice. He has more than 25 years of experience working with information technology systems and diverse business operational processes. James is highly experienced in IT controls and assurance, SOX 404, and Service Organization Control (SOC) reports: SOC 1 (SSAE 18), SOC 2, SOC 2+ and 3 attestation reporting. James developed a unique methodology for delivering SOC reporting services, and he is an AICPA-approved Peer Review SOC Specialist, assisting peer review teams to review SOC 1, 2, 2+ and 3 engagements. He is a HITRUST Certified Common Security Framework (CSF) Practitioner, providing HITRUST CSF self-assessment consulting, or SOC 2 + HITRUST for assessing against the evolving compliance landscape shaped by HITECH, HIPAA, CMS and various other federal, state and business requirements.
Vassilis Kontoglis
Vassilis is a highly skilled IT professional with proven expertise in: business process improvement and change management, information systems gap analyses, cyber security and IT risk assessments, systems selection & implementation, IT auditing, and special attestation reporting (SSAE 18 and SOC 2). Vassilis performs comprehensive and thorough reviews of technology systems and environments, and advises clients on how to use technology to best achieve business goals and objectives. He elicits input from stakeholders at all levels of the organizational hierarchy in order to thoroughly evaluate business performance across functional boundaries. He analyzes current and potential business and IT processes to identify clear opportunities for improvement, which may include streamlining and automation, productivity increases, strategic alignment and cost reductions.