Tuesday, February 4, 2020

Enterprise Risk Management, Business Continuity, Disaster Recovery

Coronavirus
Proves need
To plan ahead

A FEW YEARS AGO, before I gracefully retired, a person from Empire Today asked me to create a business continuity plan

  • only covering its retail outlets,
  • sans access to store personnel, and
  • right now, over the phone.

I told Empire Today’s caller that

  • covering only the retail outlets would not protect the business, and
  • that I don’t create instant plans over the phone.

End of conversation.

I HAVE FOR MANY YEARS been a proponent of Enterprise Risk Management.

Business Continuity, I decided, focused too much on an owned operation. In my not-at-all humble opinion, to protect a business, the practitioner must start with the vendors — and sometimes the vendor’s vendors — and follow the risk “yellow brick road” to the product or service’s final destination: the consumer.

In the case of Empire Today, the company gets its wood from the Far East.

I’m not certain WHERE in the Far East — my caller told me not to worry about supplies, only about the stores — but China’s coronavirus reminded me of the call.

Nothing new under the sun

Most practitioners remember, or should have read about, the last bird flu epidemic, or more accurately, bird flu panic.

Business leaders worried about missing personnel.

Being “facility focused,” they failed to consider

  • Their vendors
  • Movement of materials from the vendor site to the facility — even electronic data transfers
  • In-house personnel, both profit centers and support staffs
  • Are sales personnel available and active
  • Movement of product to wholesaler or to customer
  • Accounts Payable and Accounts Receivable — are the financial institutions functioning
  • And, rarely considered, government interference — quarantines, lack of staff at international air and sea ports and border crossings

And these are just “off the top of my head.”

From Disaster Recovery to Enterprise Risk Management

Most people think that risk management started with IT disaster recovery.

It did not.

Back in the early 1960s, when I wore Air Force blue (on the few chilly days we had at Orlando AFB — now also retired), the military was practicing risk management pretty much across all operations.

Preventive maintenance for personnel and equipment was Standard Operating Procedure (SOP). We lined up to either give or receive inoculations to prevent illnesses wherever our Favorite Uncle sent us.

Hurricane threatens? The Charge of Quarters (this scrivener) went out to start the generator of each of the wards and the clinic. If a critical generator failed to start, patients were moved to a ward where the generator DID start.

Checking to see if the generators would crank, I learned after collecting my DD214, is the last step in generator testing. Making certain there is fuel and that the fuel is not contaminated precedes the start-up test.

For all that, “disaster recovery” gained a following with the increasing dependency on IT.

As a consultant with what was then DMR in Tampa FL, I did a job for GTE Data Systems. The company wanted to map its national data network and to identify areas that needed to be improved.

Not long after the project completed, the network crashed, but thanks to the project, the network quickly was restored.

Not everyone learned the lesson.

I worked for ZIM Integrated Shipping Services in Norfolk VA. Zim’s headquarters in Haifa, Israel hired IBM to create a “business continuity” plan for the Norfolk (U.S. headquarters) operation. IBM produced a fine disaster recovery plan for the IT operations, but never stepped outside the data center. I later convinced the IT boss that his machines were of zero value if there was no one to use the data and Zim got a true Business Continuity plan — that promptly was shelved until after a storm closed the business for a week.

American Express realized the value of end-to-end risk management.

I was fortunate to work on an Amex project that covered several states and a multitude of vendors.

I suggested to the project manager that Amex request business continuity plans from each critical vendor for my review. It did.

The exercise (a) gave each vendor a free critique from another practitioner and (b) broadened my expertise by seeing what concerned other planners. Amex made getting vendor business continuity plans part of its contracting process.

We discovered that Amex needed to arrange back-up for some critical vendors.

No two plans are alike

I have created plans for national retail outlets, so creating a plan for Empire Today was well within my expertise.

But it is impossible to create a plan sans input from profit center personnel.

It is foolish to create a plan that covers only one aspect of the business.

I can imagine risks to individual sites — Lucent Technologies built a beautiful building and put its profit center behind huge glass windows on the building’s ground floor. Trouble was, the building was constructed on a flood plain.

Too late for enterprise risk management? True, but it pointed out the need to involve risk management practitioners early on in the planning.

But Empire Today wanted a single plan for all of its retail outlets.

Instantly, over the phone.

In all the years I created plans, only one other person demanded an instant, over-the-phone plan. He also didn’t get a plan.

Involve everyone

While at DMR I was part of a team creating a plan for a State of Florida department.

The State encouraged its people to candidly work with us and they did.

At one point the discussion turned to communication options.

The State uses microwave towers for much of its communications, especially law enforcement.

As everyone knows, Florida sometimes gets windy — very windy.

What happens if a microwave tower goes down?

A retired Florida Highway Patrol officer, working for his second state pension, suggested “Get a crane and hoist the dish high until the fallen tower is replaced.”

At Zim, I asked the HR manager what risks his department faced.

None, he replied.

Then his more experienced assistant entered the conversation and reminded him that missing federal I-9 forms can be expensive if the Feds want to check employee eligibility to work in the U.S.

Finally, the manager offered that a neighboring business might be a target of protesters and that a protest might spill over to Zim property, preventing personnel from entering or leaving the building.

Sometimes a planner has to “prime the pump.”

A long way from the coronavirus

We have come a long way from considering the impact of the Chinese coronavirus, but with enterprise risk management, nothing is “out of scope.” Very often one thing leads to another, as with the case of Zim’s HR personnel.

While all plans have the same basic skeleton, every plan is unique.

Plans cannot be created without input from both management AND the people doing the work.

Plans cannot be created instantly over the phone. (Usually, when that is the requirement, the “customer” is looking for a “freebie.”)

Finally, a true enterprise risk management plan is all-inclusive and includes business continuity and disaster recovery.


