Business Continuity 3 : Cascading Risks | #ECC2023 | Energy Continuity Conference

Business continuity is the ability of a business to get back to work after something has disrupted it: hurricane, fire, flood, pandemic, or whatever. Business continuity planning is all the planning you do to prepare for disasters before they happen, so you can get back to work smoothly afterwards.

In Part One, I described a basic risk-handling protocol. In Part Two , I described the elements of how you turn regular risk-handling into business continuity planning. But of course it’s complicated. Some risks can wipe you out; others are nuisance level; many are somewhere in between. Some risks require specialized expertise to address them, but their consequences are grave enough that you can’t just delegate them to the specialists and then forget about them. How do you focus?

The answer is that you have to distribute risk-handling throughout your organization so that risks are addressed by the right people, but in a way that always traces back to top management (who have, after all, final responsibility for the organization as a whole). Let me talk about it.

Back in Part Two I said that each member of the Executive Team has to go back to his (or her) people to work out the details of that area’s approach. That step is the key to setting up a system of cascading risk management.

After all, even though business continuity affects everyone, there will always be some actions or some risks that are specific to a particular department or to a particular kind of disaster.

• In case of fire or flood, your operations functions have to think about shutting down their work in a controlled way and getting to safety. Your warehouse function (if you have one) has to think about how to protect your inventory. But your office functions may be able to resume work remotely (once they have all gotten to safety), provided they still have access to your network.
• In case of a pandemic, there should be no significant risk of physical destruction, but you may have more concerns around isolation or availability of personnel.

So yes, you have to start at the top. And the risks you track at the top level are the ones that can wipe you out. But then the members of your Executive Team go back to (let’s say) the middle managers who work for them, to do two things:

• Figure out in detail how to implement the overall strategic approach. (All these steps should be traceable back up through the elements of the high-level strategy.)
• Do an independent risk analysis at that level to see if there is anything special to their areas that was missed at the higher level. Use the same method described in Part One —the very same method that the Executive Team already used.

And then the middle managers do the exact same thing again, engaging with their employees at the working level, to achieve the exact same two goals.

Naturally if (during one of these lower-level reviews) anyone discovers a risk that affects a wider group (or even the whole organization) but was accidentally missed, escalate it on up the management chain to where it belongs and then ask everyone to update their work to account for it.

In the end, every unit in your organization—every division, every department, every plant, every team—ends up doing some level of business continuity analysis, and tracking the measures that apply at their level. And every year, the whole organization repeats the analysis: to identify what’s changed and to check if all the defined measures are still correct and current.

**************

Michael Mills has spent over 25 years managing quality and documentation systems for large companies and small ones. Now he does internal audits and consults on Quality projects, while regularly posting online. He publishes every week at the Pragmatic Quality Blog (pragmatic-quality.blogspot.com), and writes the Management Light column for the Organizational Excellence Specialists Group on LinkedIn. You can find him on LinkedIn at Michael Mills | LinkedIn.

**************

Oil & Gas Global Network “OGGN”

Texas Quality Assurance and the #QualityMatters podcast

Houston Young Professionals Network

Business Continuity 2: From Risks to Business Continuity | #ECC2023 | Energy Continuity Conference

Business continuity is the ability of a business to get back to work after something has disrupted it: hurricane, fire, flood, pandemic, or whatever. Business continuity planning is all the planning you do to prepare for disasters before they happen, so you can get back to work smoothly afterwards.

I said in Part One that business continuity planning is a part of risk management in general. Specifically, business continuity planning means identifying all the risks that could interrupt your business, or some part of it, and then taking action to mitigate those risks or planning contingency actions in case they take place. The basic approach is exactly what I described in Part One , but a few features are unique.

In the first place, you have to start with your Executive Team. This is not a job you can delegate to the Safety Committee. The reason is that every entity inside the organization—every division, every department, every plant, every team—has to be engaged. They have to contribute to defining how to secure their work (because they know it better than anyone else); and they have to know what to do in case disaster strikes. So you start at the top.

When you start to identify business continuity risks, remember that you are looking for anything that can interrupt any aspect of your operations. This means you have to look not only at your direct operations, but at any support functions: billing, payroll, purchasing, and the rest. It also means you have to think about anything that can interrupt your customers or your supply chain. If you were unscathed by a disaster, but your main customers are out of commission and won’t be ordering for another year, you could have a problem. Likewise with your supply chain.

When you identify a risk, you cannot assign it to just one Owner. This is one of the big differences between business continuity planning and other kinds of risk management. If disaster strikes—hurricane, fire, flood, earthquake, or whatever it is—it’s probably going to strike everybody. So you can’t assign the whole problem to Fred or Max and ask him to figure out a solution for the entire company. Instead of that, each member of the Executive Team goes back to his people (or hers, of course) to determine how they have to secure their parts of the business. Depending on the size of your organization, some of them might have to go back to their people as well, to work out the details. Do whatever you have to do, but come back to the rest of the Executive Team with a plan for your area.

Then the Executive Team as a whole reviews the plans to make sure they are consistent. You can’t respond to a disaster by pulling in different directions: so while every team has to figure out what they specifically need, the plans still have to mesh together. As just a single example, if you are going to tell the office folks to work from home they should all be using the same communication platform to keep connected. If your team is the odd one out, you might have to change your plan a little to align with the rest of the company. Make sure you engage all the people you engaged before, so that everyone understands what’s changed.

Finally, when all the details have been worked out, document your plans in the simplest format possible, and store them somewhere that’s easy to find in an emergency. Remind people periodically where to look. (If you do regular fire or emergency drills, you might be able to incorporate pulling a copy of the emergency plan.) And mark a day on the Executive Team’s calendar—six months out, or maybe twelve—to do the exercise again.

**************

Michael Mills has spent over 25 years managing quality and documentation systems for large companies and small ones. Now he does internal audits and consults on Quality projects, while regularly posting online. He publishes every week at the Pragmatic Quality Blog (pragmatic-quality.blogspot.com), and writes the Management Light column for the Organizational Excellence Specialists Group on LinkedIn. You can find him on LinkedIn at Michael Mills | LinkedIn.

**************

Oil & Gas Global Network “OGGN”

Texas Quality Assurance and the #QualityMatters podcast

Houston Young Professionals Network

Workplace Safety | #ECC2023 | Energy Continuity Conference

Workplace Safety

Take a few moments and think about the health and safety programs at your workplace?  Then think about the results of these programs. What are the first few words that come to mind? In an ideal world, words like: secure, protected, prepared and confident come to mind. But if you’re like so many people in the industry, words such as: unsure, nervous, and unprepared, and maybe good enough might come to mind.

When it comes to workplace safety, employee communication and participation is critical and cannot be overstated.  This goes beyond, but definitely includes, a well developed and executed occupational health and safety training program and regular tool box talks.  Engagement with the team, understanding their perception of events and policies is more valuable than best safety assessment. 

Workplace safety has business continuity & disaster recovery ramifications, not to mention the impact on human resources when incidents occur and the ultimate result on job security and productivity.  A well-functioning Workplace Safety program may be your best defense against business continuity disasters.  We’ve seen the role health and safety can play in preventing incidents from occurring and how it can not only protect the lives of your workforce during an incident but ensure workforce stability.  Engage your people early and often and build systems based on a culture of safety and accountability.

Oil & Gas Global Network “OGGN”

Texas Quality Assurance and the #QualityMatters podcast

Houston Young Professionals Network