A loss of 300 million dollars: that is the cost incurred by one of the largest container operators in Europe after it was hit by the NotPetya malware. For the same reason, one courier company saw its income reduced by 300 million dollars. The number of victims of the cyber attack was higher still: companies from all over the world could have lost as much as one billion dollars. This is just one of many drastic examples showing how suddenly a crisis can hit a company. Nevertheless, there is a way to prevent it, or at least to minimize the risk of a serious loss.
Dorota Ziemkowska, Trans.INFO: How should companies prepare for a potential crisis?
Monika Appolt-Bubacz, Risk Management Director in Raben Group: A crisis situation may affect anyone, and it may arise very suddenly. Hence, a company which wants to run its business without serious disruption must be prepared. Disruptions to a company's business may be caused by a variety of factors. Therefore, good practice is to implement a system intended to ensure business continuity. There are a few stages to this process. The management board should determine which business operations must be strictly protected and included in the system, and which can be consciously suspended.
First of all, companies can protect themselves by establishing the required procedures. And what is important, they must do it in a comprehensive way. Unfortunately, some entities treat crisis management procedures selectively, e.g. there are companies which have integrated management systems based on ISO standards that require crisis procedures, but they fulfil those requirements for only certain parts of their business. Such a selective approach is definitely insufficient.
And which areas of the business do they usually focus on?
Frequently, when they prepare their business continuity plans, companies focus on typical operations; however, they do not go deeper into the details and do not consider all of the related operations. For instance, for a company in the forwarding sector, the procedures would concern the transport of goods only, without any thought about what happens if, for two days, reporting to clients has to be suspended.
Frequently, companies start their preparations with the crisis procedure, that is, what needs to be done after a crisis has taken place in a particular, defined place. The procedure itself should be one of the final products of the entire continuity management system. Otherwise, the company runs the risk that, on the basis of its assumptions, it rejects a whole range of solutions which would enable it to defend itself from the crisis.
And the truth is that, in order to prepare a company for a crisis wisely, the basis is the answer to the question: what exactly do we want to protect as an organization? What is critical for us? It is clear that every company implements a business continuity management system first of all to protect its business, and then to protect the business and interests of its stakeholders. But what does "its business" mean? Which of the company's actions are oriented to its business? This issue must be determined at the very beginning. It is obvious that it is impossible to establish a procedure which would protect all of the processes in a company. There are processes which are not critical ones. Hence, they can be suspended for a short time.
Can you give us any examples?
It depends on the company's business, the sector, the industry. Let's analyze accountancy. Certain bookkeeping processes may be suspended for a short time. Obviously, not all of them, since in a situation where payments are critical and necessary to ensure the most important operations in the company, they must be made. However, the booking of invoices can be suspended for a while or delayed if necessary. Obviously, also in this case there are some exceptions. If one runs a Shared Services Center, booking of invoices is the basic business, and in such a situation this must be protected.
An example from the industry.
January 2017. Shortly before midnight, a fire breaks out in the hall of a company providing vehicle services. The trucks inside also catch fire. Part of the building of a nearby company is in danger. Firemen try to prevent the remaining part from catching fire. In the end, the fire consumed the hall of the first company and damaged part of the other company's building.
Which processes in Raben can be called critical ones, and which of them can be suspended?
In the case of the transport and logistics sector, an example of a non-critical activity can be the already-mentioned accountancy. In turn, the other group will comprise most of the operational processes, which means the transport- and logistics-related ones. But not all of them. Among the operational processes concerning logistics, there can be some which can be suspended for some time in the case of a critical situation in the company, e.g. reporting to clients. We can suspend reporting even for 48 hours or 3 days in specific situations.
However, another company running a similar business may consider different processes to be critical. It has its own clients, and hence other contracts, from which it follows which elements are going to cause serious losses and which of them are secured by contractual provisions. Hence, every company must individually select the processes and services which it wants to protect.
How should such a company proceed?
The first step is to convince people that a critical situation may occur. Frequently it is very difficult. When we ask questions about disruption of the logistics process in a warehouse, the natural reaction of employees is resistance. They say this cannot happen since there are a lot of protective measures. However, they need to understand that at this stage we do not discuss protective measures but what can happen if they fail. People must imagine what happens if a process has been stopped. Then we test the effects after 1 hour, 4 hours, one day, three days and five days.
Why exactly 5 days?
Because observations prove that if, within 5 days, no great losses have been produced in relation to a process in a company, it means it can be consciously suspended. Obviously for a short time. In mature organizations where a business continuity management system has been implemented, the types of operations to be suspended during a crisis are determined clearly. For example, there are designated departments whose employees are sent on vacation since their computer workstations are needed to manage the crisis. But in order to find these departments it is necessary to test the effects at the particular time intervals which I mentioned before. What is important is the effects, both the countable and the uncountable ones. It is necessary to estimate which process would produce the greatest loss.
And how do you compare a countable loss to an uncountable one?
I will tell you how we do it in Raben Group. All effects are brought to a common denominator. We apply a scale from 1 to 5 to both the countable and the uncountable ones. Sometimes, in the course of such a comparison, it turns out that suspension of a process will not cause serious financial loss but it produces a gigantic uncountable loss, e.g. related to the death of employees or to general goodwill. Then such a process may be recognized by the company as a critical one, and it needs to be included in the business continuity management system.
An example from the industry.
October 2018. At the premises of a forwarding company from Pruszcz Gdański, a leak of 200 liters of toxic hydrofluoric acid takes place. The acid causes injuries that are hard to heal. 71 employees were evacuated, and rescue teams established a 150 m security zone. The acid came from a load which the company was supposed to deliver to one of the plants in the Pomeranian region.
What percentage of the actions in a company can be called critical ones? It seems to me that the tendency in companies is to classify the highest possible number of processes in this way.
On the one hand, yes; in fact, every company would always like to have comprehensive customer service. On the other hand, no, since if a situation is critical, a company is very rarely able to carry out 100% of its economic activity. Hence, it must consciously give up something.
Is there any maximum that we can protect when it comes to processes?
The maximum is determined by common sense, which is evaluated by every company when designing its business continuity management system. There are no clearly established recommendations which would tell us, e.g., that one must not exceed 20% of processes.
OK, so what percentage of processes in Raben are called critical ones?
Raben Group is a large organization with companies in 12 European countries. In this case every company carries out such an analysis individually, and it looks different in each of them. In Raben Group, in the case of the bigger companies, 15% of all processes are recognized as critical, while in the case of smaller-scale businesses, sometimes as much as 40% of all processes taking place in an organization are considered critical. However, this does not have to be a principle. E.g., it depends on whether it is a single entity which transformed into a bigger organization, or a company which was established through a merger of a few individual entities.
Let's go back to the development of the business continuity management system. Who makes the final decision on the processes to be protected in a company?
After a list of processes has been established, along with an estimation of losses, the management board, on the basis of the company's strategy, makes a decision on what must definitely be protected.
It takes various forms. Certain companies are more prone to take a risk. For example, they do not consider mandatory reports required by law to be critical. In their opinion, in case of a crisis, reports are delivered later since the people are needed to perform other jobs. In the end, the company may pay 2,700 dollars in fines.
In formalized organizations this stage of the project results in a Management Board resolution defining clearly which processes are critical for the company.
An example from the industry.
Mid-October 2018. Thieves steal a truck with a load from the parking lot of a forwarding company. And the load was not an ordinary one: 19 tonnes of fresh salmon worth more than 160,000 dollars was stolen. Exactly the same tractor and the same semi-trailer (empty at that time) had been stolen one month earlier. It was found a few days later.
The company has its critical processes. What then?
After a few critical processes have been determined, a so-called risk analysis can be performed. However, to perform the analysis one needs to know the processes one wants to protect and to divide them into their essential elements. Hence, it is necessary to determine which resources we need for these processes. And we need to do it as accurately as possible, and at the same time we can check our pool of resources and what our minimum is.
It is a very important distinction. I will give you an example: we have a client for whom we transport white goods (household equipment/devices), and we need a special lift truck. If, during the stock count, it turns out there is just one lift truck and the minimum is also one, we need to answer the question of what happens if it breaks down.
In this way we need to catalog everything: employees, infrastructure, technological resources. Next, we can start a site inspection.
At all locations? There can be plenty of them.
Obviously not at all of them, but at those which the Management Board considers essential. At the stage of the risk analysis, such travel would take a few months.
Naturally, when procedures for critical situations are developed, they are prepared for the entire organization. However, at the stage of analysis we travel to selected locations only. There we look at the access roads, the distance from the river, from the airport. We familiarize ourselves with the neighborhood, e.g. we check whether or not there are animal farms. There have been cases in numerous companies where the sanitary and epidemiological station imposed a quarantine and closed off a whole area. Then there is a problem.
We also check the location itself. How is it equipped? What is the safety system there? Can part of such a location be isolated and used in case something goes wrong in the entire facility?
Then, after the inventory has been completed, we make a risk analysis and think about the actions already implemented in these places. We analyze what sort of risks occur in a particular area and how we control them at present. Is it enough? We prepare recommendations. For example, looking at the access road to the warehouse, we consider whether there is a chance to use another road in case the main one is blocked. Or perhaps a second exit needs to be built. Or there could be a need to agree with the police on the use of roads where heavy trucks are normally prohibited, obviously only in case of a crisis.
What happens to these recommendations?
All of these recommendations are summed up in the form of a catalog submitted to the Management Board. The Board, which implements the solutions, makes a decision on acceptance of the risk. Sometimes the solution is expensive, disproportionate to the loss we want to avoid.
When we know what the risk is, and we know what we want to implement and when, we can think about what our reaction to the crisis as a company is. Obviously we agree this issue with the Management Board again. The Board makes a decision on the strategy of the business continuity management system. That is about the exact reaction during a crisis: what is acceptable and what is definitely unacceptable. E.g. in Raben Group, in relation to certain clients, we apply on-line order transmission. Hence, we had to answer the question of whether we accept that the data may be lost in any way. And yes, we can ask a client to send the data once again. The point is whether we, as a company, accept such behavior. The answer was clear. We must not let this situation happen.
Such details must be considered. Next, the details are entered into a single document, which is the afore-mentioned strategy.
Who has access to this document?
The business continuity management system is accessible to all persons defined in the crisis management diagram. If they are supposed to take action during a crisis, they must know what they can do.
Are there any ordinary employees in this group?
The assumption is that members of the crisis team must be aware of what the company wants to protect and how. Members of the teams differ between companies. It happens that ordinary employees have access too. However, frequently an employee, let's say from the transport department, does not know the entire strategy of the company. He/she knows only that part which concerns his/her area. Hence, the employee has just limited knowledge about the process he/she deals with. E.g. he/she might not know the procedure for logistics in case of a crisis.
And how does the organization defend itself from loss of information related to, e.g., employee turnover?
We have job regulations regarding the confidentiality of information. And apart from this, it is a matter of the professional ethics of our employees.
How frequently is this document amended? The company has been growing, and the growth must be included in the strategy as well.
In the case of the BCM strategy we talk about a process rather than a one-time action. Every serious change in the company means we have to go back to the documents and think about whether the analysis we made is still adjusted to reality.
More precisely, what does "serious change" mean? Building a new plant or a new warehouse? Commencement of cooperation with a new client?
All the factors you enumerate may make it necessary to analyze the entire risk from the beginning. Let's go back to the example of the client with white goods. Let's assume we had just one such client in the past, so operations were insignificant. Suddenly, we make a decision to focus on services addressed to such companies. It turns out we need other resources. A 5 thousand square meter warehouse is not enough; we need 20 thousand. One lift truck is not enough; we need a few or several.
Hence, with every new client, in case of every reconstruction, every fundamental change in the company, one needs to go back to the risk analysis. Invalid procedures can have fatal effects, since we take key decisions on the basis of data which is already out of date. Hence, a company making a decision to have a business continuity management system must be aware of the fact that it changes regularly. And the organization changes as well.
The next part of the interview, which will be published next week, includes information on tests of crisis scenarios and on how to combine one's own business continuity management system with clients' systems, which are sometimes based on different assumptions than ours.