When bad things happen: The 10 best practices for retail business continuity during disasters
September 17, 2018
Retailers are not immune from the perils and calamities—both natural and manufactured—that can threaten and damage businesses and communities
BY RANDY SCOTLAND
WILDFIRES whipping through Fort McMurray. A catastrophic train derailment in Lac-Mégantic. A deranged gunman on a popular shopping street in Toronto. Cybercriminals hacking into corporate databases. These are all examples of harrowing events with profound implications for those caught in the crosshairs, retailers large and small included. And they are all examples of why every organization should have plans in place for disaster recovery and business continuity if and when misadventures arise.
Ideally, such plans should adhere to industry standards as set out by Disaster Recovery Institute International (DRI), says John Yamniuk, a veteran business continuity management specialist.
Headquartered in New York, DRI is a non-profit group with a mandate to educate, train and certify organizations in a series of professional practices. Since its founding in 1988, it has certified 15,000 professionals in more than 100 countries. Its Canadian affiliate has been active since 1996.
Calgary-based Yamniuk is President of DRI Canada and has been a certified DRI instructor since 2007.
“We’re starting to see more engagement from the retail side. It’s been one of the sectors that has not been as active as others, in the private sector particularly,” he says, adding: “We have seen over the last period of time more retailers interested in participating in training and certification, realizing they need to be prepared.”
It takes a number of years and several levels of training—combining course work and on-the-job experience—to earn DRI’s top Master Business Continuity Professional designation. But for companies that undertake the commitment, the payoff can be significant.
“They’re making an investment in the survival of the organization,” Yamniuk notes.
According to DRI protocols, there are ten interconnected professional practices that business continuity management professionals must address. Together, they outline a blueprint for preparing and executing an industry-best corporate survival plan.
1. Program initiation
“The first step is program initiation management,” says Yamniuk. “In other words, getting a program started.”
Crucial to making that happen is designating the appropriate candidate to spearhead the program.
“It could come from any area within the organization. It could be, for example, from the risk management area. It could be from the technology area. It could be from an operations area. It would typically be someone who knows the organization a mile across and an inch deep.
“Typically, they’re coming from the management ranks as opposed to front-line workers. They are then responsible for [putting] the boots on the ground.”
He adds: “In conjunction with that you need senior management support. If you don’t have senior management support your program will not go anywhere. If it was there, and that support disappears, the program will ultimately fail.
“The senior managers provide the oversight, the guidance and the resources, whether that’s human, physical or financial. They will ultimately need budget dollars, whether it’s for training or for an emergency operation centre, for example. Providing training materials, building materials, getting messaging out to the folks.
“And you need the subject-area experts, whether it’s HR, finance, legal, operations, logistics, facility, security—you need those resources in order to pull together a plan that will keep the organization functional should it be experiencing a human caused, natural or technological disaster.”
2. Risk assessment
Next comes the pivotal stage of risk assessment. “What you do is identify the top threats that your organization will face. You prioritize those, and you evaluate the controls or counter-measures that are [already] in place,” Yamniuk says.
“Those could be policies, equipment or procedures. So, for example, sump pumps are a control. Fire alarm systems and warning systems are types of controls. [Having a] clean desk policy is a type of control from a policy perspective. So, you prioritize your top threats and you make a decision in terms of ‘here’s what could happen’.”
The list of threats can be long and can vary by geography, such as the likelihood of earthquakes in British Columbia, tornadoes on the prairies or severe winter storms almost anywhere in Canada.
Then there are the man-made threats.
“How close are you, for example, to an airport or a major thoroughfare? What’s being carried on that thoroughfare? Are you in close proximity to a chemical plant? And are you upwind or downwind from it?”
He adds: “Are you going to worry about the zombie apocalypse? No. Are you going to worry about a meteorite crashing into your facility? No.”
But depending on your location, you will want to consider such things as the frequency of train derailments in your area, he says, citing the Lac-Mégantic disaster as an example.
“You can’t plan for everything. But through professional practice two you prioritize, you look at what controls you have in place currently, and how effective they are. And as part of that process you then say, ‘these are new controls we could implement’.
“The organization will then decide whether they will invest in those new controls or whether they are going to accept that risk.”
3. Business impact analysis
After risk assessment comes the business impact analysis.
“That’s looking at your business functions or the operations within your organization and prioritizing those, and prioritizing them in terms of impacts,” Yamniuk says.
In other words, should a negative episode occur, what would be the impact financially, legally and on a regulatory basis? And what about the impact on your customers, employees, your corporate reputation and branding?
“You look at your functions from both a core and support perspective, prioritize those and identify what the impacts are for each of those functions. And that determines what will be the most important to continue [post event].”
He adds: “It’s having those processes identified, and then senior management signs off and says, ‘yes, we agree these are the core functions.’ If you’re in an event you’re able to then have minimized the chaos and confusion that could occur.
“And people then know ‘this is what’s most important, this is what we will focus on’.”
4. Developing strategies
The next professional practice is all about strategic development.
Explains Yamniuk: “You’re looking to ensure that the strategy you select is going to address the top threats identified in professional practice two, the risk assessment, and the functions that were identified through the business impact analysis.”
5. Incident response
The fifth practice is incident response.
“That is how we’re going to respond to an event. It’s having procedures in place, evacuation procedures, for example,” he says.
“Who do we notify, when do we notify them? What level of response do we need? What teams do we want to have in place?”
6. Plan development
“Six is actually now taking that information that we’ve gathered from the previous practices and putting it into, and developing, the plans for the organization. That includes the operational plans, the continuity plans, emergency plans, disaster recovery plans. It’s building the actual document.”
7. Awareness and training
“It’s getting the information out to the organization, in several different ways and for several different reasons,” Yamniuk says. “One is making the organization and stakeholders aware that we have a program. That’s the awareness piece.”
The second component is training. “For example, if you’re using a notification system, then people need to be trained to use that notification system.”
This could take the form of formal classroom training by a group such as DRI Canada, or in-house training.
Yamniuk adds: “It could be information, for example, on a website that says ‘here’s the policy, here’s what it is, here’s who is involved, here are the players from HR or legal or operations or sales or marketing or security’. So, it’s a number of different ways of making the organization and stakeholders aware.”
Your supply chain is a key stakeholder in this equation, too, he says.
“If you look at the Japan earthquake and tsunami of 2011, if you were looking for a tuxedo black vehicle, you couldn’t get it because tuxedo black paint was made in Japan,” he says, adding: “I was doing some work with a photography organization. They couldn’t get certain cameras or accessories.
“My neighbour had his vehicle involved in a collision. It took six months to get a new hood because the supply chain was disrupted.”
8. Exercise, maintenance and auditing
In this practice, the plan under development is validated through exercise, maintenance and an audit assessment.
As Yamniuk puts it: “We exercise people, we test equipment.”
“You’re going to validate through an exercise that your plan will work as designed. We [might have] said in the business impact analysis in professional practice three that we need to have these functions recovered in six hours. You do an exercise and find out that your planning assumptions were perhaps either validated—that yes, we can—or they weren’t—no, we can’t. You might find through the exercise that it takes 12 hours to recover the function.”
Next, you do maintenance to keep the plan current.
“You need the most current usable plan in the hands of those who have been identified in the process as needing that plan. Whether that’s, for example, a security team or a damage assessment team. We have to maintain the plan, or plans, to ensure they are current and usable.”
Finally, there’s the assessment piece. “You can do either internal assessments or external,” Yamniuk says.
This could be an in-house review, or one of the professional services networks (Ernst & Young, Deloitte Touche Tohmatsu, PricewaterhouseCoopers, KPMG) could be brought in to do an audit.
9. Crisis communications
In this professional practice the structure is put in place to communicate in a crisis situation.
Key to this is designating the appropriate spokespeople from within the organization, whether that is the emergency response director, president & CEO, or a corporate spokesperson.
The business continuity team would work with corporate communications “to ensure that you have a crisis management plan in place that you can communicate to the stakeholders, whether that’s through press releases, conference calls, websites or anything else [applicable],” Yamniuk says.
10. External partners
The tenth and final professional practice is coordination with external agencies, such as police, fire and other emergency services.
This is a proactive step, Yamniuk says. It could mean, for example, bringing in the fire department to tour and evaluate your premises and offer safety advice.
“It’s working with them so that if they do need to respond they know what they’re facing, and you as the organization know what to expect from them.”
The store type and location will also dictate the external agencies that should be taken into account. For example, a mall tenant will want to coordinate with the facility’s security team.
“It’s a partnership,” Yamniuk concludes. “You can’t do it in isolation.”