
What Role Does the Board Play in Business Continuity Planning?

Continuing in the face of adversity has been the dominant theme of the past year. When the scale of disruption caused by COVID-19 became clear, businesses worldwide were forced to adapt rapidly to the restrictions that came into force overnight. While many organisations have business continuity plans designed to keep the business operational during unplanned disruption, few have seen them tested to the extent they were in 2020.

Understandably, this has generated a renewed focus on the discipline of business continuity planning that extends to board level. Disrupted directors have worked hard to support their organisations during the pandemic and are naturally keen to implement what they’ve learned to build more secure and resilient organisations. However, they must avoid straying into management territory at a difficult time for the business. So, what is the board’s role?

Set the Tone for Crisis Management

“In the 21st Century, organizations that fail to define and implement effective responses to disasters will be defined by their ineffective responses to disasters.”

This quote, from a 2006 paper on business continuity management, holds abundantly true today. Whether disruption is specific to the organisation or as widespread as the pandemic, businesses are judged by the quality of their response. Getting it wrong can impact the company’s reputation, revenues and future resilience. This means oversight of the plans aimed at getting it right is a key board concern.

Part of that is setting the tone the organisation will take when unplanned disruption strikes. This tone should flow from the organisation’s values and will constitute the guiding principles that inform the corporate response to a crisis.

The board must ensure that it incorporates factors such as employee and community safety and wellbeing into the business continuity plan, so the human factor is managed on an equal footing to operational challenges. By setting a strong tone and clear expectations around what it will prioritise, the board creates an anchor point that shapes business continuity planning.

Deliver Active Risk Oversight

As indicated earlier, there must be clear separation between the role of the board and that of management. Setting the risk appetite of the organisation is a key board responsibility that primarily resides in the audit and risk committee. Designing and implementing the frameworks that control operations to meet this appetite is the responsibility of management.

When management has devised a framework for the business continuity programme, the board must be confident in challenging it to ensure it aligns correctly with the risk appetite of the business.

It is also important to regularly review the business continuity plan in response to changes to the risk environment. An article from KPMG published early in the pandemic highlighted how recent events might have made previously acceptable controls obsolete, saying: “Even if risk controls are executed, past experience is no longer an indicator they will be effective in this new era. Questions of reliability should be considered in the final assessment of internal controls. This point should be addressed at audit committee or board level.”

The board should also consider the commercial, legal and regulatory environment in which it is operating and what effect aspects of activating the business continuity plan might have on the organisation’s ability to meet contractual obligations or comply with regulations. What would be the impact of any force majeure clauses that might come into effect, for example? By analysing these in advance, the board can counsel the business to limit exposure where possible.

Agree on Reporting Requirements

The board should agree in advance about the level and frequency of reports it will receive from management as disruption unfolds. This agreement must also enable a balance between getting the required information and allowing management the bandwidth to deal with a volatile situation.

Develop an Emergency Communications Plan

Depending on the severity and nature of the disruption, it may be appropriate for the board to lead on communications. A framework communications plan should, therefore, be devised that identifies all the stakeholders that could be impacted by an incident. These will include employees, customers, local community, investors and, in the case of extreme events, government authorities.

The plan should outline the tone and type of messages to be delivered to each stakeholder community, at what point and through what channels. If a professional crisis communications firm is retained, the plan should include how this team will work with the board.

Ensure the Board’s Systems and Processes Are in Order

Board continuity is itself a facet of business continuity. The first COVID-19 lockdown brought home that boards need digital alternatives to in-person processes, and secure communication channels, if they are to continue discharging their director duties during a disruption.

The board should consider whether technology investment would make managing crises more straightforward. Since the emergence of COVID-19, most directors have become familiar with video meetings, but they should also consider how they communicate outside this channel. Personal email is not appropriate due to its lack of security, and public file-sharing systems are not appropriate for sensitive materials. A secure board platform such as Diligent Boards, served by a bespoke communication and secure file-sharing facility, ensures that security vulnerabilities don’t further intensify a crisis.

To this point, cybersecurity is critical during a crisis as threat actors thrive on disruption and take advantage of people working in unfamiliar and stressful circumstances. While recent disruption has been generalised, an issue affecting a single organisation is likely to attract the attention of opportunistic cybercriminals, meaning companies should take extra precautions.

Participate in Testing Exercises

A plan is no good unless it is tested. The board, as well as the business, should test the resilience of its business continuity plan by running exercises on different scenarios (such as a cyber-attack, an environmental incident or a key supplier disruption) to stress-test the plan and spot where gaps exist.

A review of the full business continuity plan should be a standing item on the corporate calendar to make sure that it is regularly updated and meets the demands of the business’s operating environment and new emerging risks.

Boards should play an active role in providing scrutiny and oversight of the organisation’s business continuity programme and the plan that results. By setting a consistent tone regarding how the business treats its stakeholders and being clear on the organisation’s risk posture, the board assists management in being prepared for the unexpected — whatever form it takes.
