Introduction
Business continuity planning is the practice of planning and preparing for natural and/or human-made disasters. It covers all events that can affect the business negatively; the sudden death of a key player or a financial loss are just a few examples of the disasters that can take place. Understanding and presenting the topic of business continuity is one of the biggest challenges in today’s society. Business continuity plans have huge significance in any business, yet the subject is still ignored by many researchers, scholars and even business organizations, as they are almost always more focused on other aspects of a business or organization.
The purpose of a business continuity plan is to ensure the security of all the elements of a business, including all of its assets. Disasters can happen at any time; what matters is successful recovery from them, which is only possible if an organization has a well-defined contingency plan.
The aim of this document is to help a selected, known organization develop a well-defined contingency plan that reduces the impact on its assets if it faces a disaster. Our aim is to recognize the possible threats, to recognize a process to follow when they occur, to analyse the worst-case impacts, and then to recommend a prevention and mitigation plan along with a way to implement and maintain the plan.
For this study, the organization selected is Malaysia Airport Holdings Berhad. Malaysia Airport Holdings Berhad is an airport management firm that manages most of the airports in Malaysia; it was founded in 1991 and has its headquarters in Sepang district, Malaysia. It was also recently awarded the responsibility of managing airports in international destinations. Malaysia Airport Holdings Berhad closed its last year with RM 777.3 million in operating income and an employee count of 10,000 (Root & Bruner, 2016). It is responsible for managing domestic and international flights and links different countries of the world. The processes that we need to consider are its functions, regulations, financials and PR.
Possible threats
Like any other business, airport management companies face unpredictable risks. These risks can cause serious damage to the firm and lead to permanent harm if recovery actions are not implemented in a timely manner, and at times even these recovery actions fail to bring about a complete recovery (Elliott, 2017). These threats include, but are not limited to:
• Terrorism. Airports are at risk of terrorist attacks due to advances in technology. This is a concern not just for Malaysia Airport Holdings Berhad but for all airports across the world. On many occasions travellers have been hijacked and attacked while on board (Elliott, 2017) (Boersma, 2015). On other occasions airport management companies and airports have experienced cyber-physical attacks, which have also led to some travellers being held hostage, leaving the airport management company in a huge mess if recovery actions are not implemented immediately.
• Crime. Alongside terrorism, crime has been reported at almost every airport across the globe. Crime here refers to theft, violations of the law, etc.
• Natural disasters. These are the most unforeseen threats, as they cannot be predicted. They include storms, earthquakes, floods, etc., and they leave the airport management firm with a huge bill without any prior notice.
• Unrest. An airport management firm is responsible for handling a considerable number of individuals at a time, which carries an ongoing risk of violence and unrest. Without an immediate action plan the firm can face many challenges that can cause permanent harm.
Critical functions
Critical functions are the processes that a business follows in order to recover from a disaster. From an airport management company’s perspective, these are the activities that are essential for the survival of the business and for the recovery of its smooth functioning in the event of a contingent disaster (Jain, 2016). Most of the time, the critical functions in any company are as follows:
• The ones that are so time-sensitive that they cannot tolerate delays.
• The ones that maintain cash flow by satisfying legal or financial obligations.
• The ones that play an important part in maintaining the business name and market share.
• The ones that are accountable for the protection of the irreplaceable assets of the company.
Considering the critical functions mentioned above, it is very important to draft the steps that will help the business execute its essential functions and to rate the criticality of each function. The steps involved in deciding the critical functions are:
• Recognition of the fundamental functions of the business.
• Arrangement of these functions into three categories, i.e., high, medium and low. High-end functions are the critical ones, whereas the medium and low ones are not that critical.
• Concluding the functions based upon their criticality.
While determining the criticality of a function, the following should be considered:
• How frequent is the function?
• What does the business achieve by executing the function?
• How many departments are involved in the function?
• Will it result in a financial loss if the function is not executed?
• Are there any regulations around the function?
• Is any noncompliance or regulation associated with the function being down?
• Does the function affect the business image and reputation if it is not executed?
• How important is the function in question compared with the other functions within the business?
It took a lot of thought and determination for this study to conclude that the most essential functions are the financial, operations, reputational and regulatory functions. In most situations these are the key functions that require immediate recovery after an unforeseen event, and harm to any of them can collapse the business (Pereira, 2014). This means that the most critical functions of the business must be restored and made functional as quickly as possible (Rackham, 2014).
Business impact analysis
Business impact analysis (BIA) is a tool for forecasting the failure of business functions in an unforeseen event, and it also gathers information that helps in developing a recovery strategy (Stark, 2015). In particular, it is a systematic procedure for learning and assessing the possible outcomes of the interruption of a very important business operation as a result of a disaster, accident or emergency. The business impact analysis is designed as part of the contingency plan for Malaysia Airport Holdings Berhad; the purpose of this contingency plan is to prioritize the important business functions of Malaysia Airport Holdings Berhad during an unforeseen catastrophe.
The BIA consists of three steps:
• The importance of recovering the business processes. The important functions of the business are recognized, and the impact of an unforeseen event is determined, as well as the approximate downtime.
• Recognition of the resources required. This covers the amount of resources needed to resume business operations successfully.
• Prioritizing the very important functions. This will help in achieving the recovery of business functions.
Impacts in an unforeseen event
In the event of an unforeseen circumstance, the very important functions of this company will face some challenges. Different circumstances will have different impacts on the operations of the business.
The impacts will fall into the following areas:
• Financial problems, as the catastrophe negatively affects the financial competence and welfare of the company.
• Legal problems. This includes noncompliance when a catastrophe directly affects the function.
• Loss of reputation. When a catastrophe occurs, the business may lose its reputation in the marketplace.
• Operational challenges. When a business is struck by a catastrophe, its operations might come to a halt.
Estimated Downtime
• Depending on the importance of the function, the essential downtime for each function in the company will be:
Function   | Maximum reasonable downtime | Goal for recovery time | Goal for recovery point
Financial  | 72 hours                    | 48 hours               | 12 hours
Operations | 80 hours                    | 60 hours               | 24 hours
Reputation | 88 hours                    | 65 hours               | 36 hours
Regulatory | 90 hours                    | 72 hours               | 48 hours
Recovery resource needs
• Given the nature of the business and the functions involved, the resources required for recovery are financial and human resources (Levy, 2016). The amount of these resources needed will depend on the extent and kind of the catastrophe. Based on the importance of each function, the recovery priority will be the financial, operations, reputation, and finally regulatory functions.
Prevention and mitigation plan
This prevention and mitigation plan is intended to deal with the harm and hazards of the situation, in order to reduce both the likelihood and the consequences of a given risk or threat (Varma, 2015). For the potential airport threats identified earlier in this document, the mitigation and prevention methods will be as follows.
Terrorist attacks, as one of the chief threats, will be addressed by researching new opportunities and creating a team for video surveillance as well as PSIM platforms, which will play a key role in providing awareness of the situation as well as quick, actionable intelligence (Shin, 2014). This will be accomplished by gathering vast amounts of data from various systems and then routing it to the relevant people, which will increase efficiency and save time.
As mentioned earlier in this document, crime is another potential and more common threat to airport management companies. The use of encrypted IP video surveillance technology will help reduce crime and will provide an instant response in the event of this catastrophe (Wallace & Webber, 2017).
To mitigate natural disasters, the most effective way to foresee one is through the use of AI technology: using a machine learning algorithm, the AI can be taught to recognize the symptoms of an upcoming disaster based upon what has happened during the last century. This upgrade will help officials direct the mandatory response to the situation and evacuate potential victims of the disaster to a safe place beforehand with ease.
The risk of unrest can be intercepted and reduced by the use of video surveillance technology along with another AI that can detect unusual human behaviour in the video, in order to alert the authorities about anyone who may pose a potential harm; this can also identify areas of high risk. It will also help escalate reports of any possible unrest to field personnel much faster and more accurately than other mediums.
Execution and preservation of the plan
This section covers turning the strategies into preparations for handling threats, for the betterment of the business during a catastrophic event. The execution of a business continuity plan is important to the general success of any hazard mitigation planning (Chung, 2015). The execution method of this continuity plan for Malaysia Airport Holdings Berhad will be:
• Goal setting. Goals for the entire process will be set by the planning team, covering the personnel that will be involved and the tools that will be used. These goals are necessary inputs to the execution method, and they create understanding and motivation amongst the stakeholders.
• Recognition of the risks. The threats and possible dangers of the method of execution will be recognized. This will give insight into how to go about the execution method.
• A judgment of when to initiate the method and tools. The team will decide when to launch the entire method to the broader audience, business stakeholders, and all other relevant persons. At this stage, a decision on how to initiate the launch will be made; utilizing the training and appearing as a team will be the key elements.
• Preparation for training. The competence of the stakeholders will be studied by the business. Key areas where the stakeholders need to raise their level of expertise will be recognized, appropriate tools will be developed and the training will be completed (Sahebjamnia, 2017). During the process the team will be trained on how to deal with dangers like a fire outbreak, crime, terrorism or any other contingency.
• Mentorship programmes. Mentors are very important to the execution of the method, as each critical function will need a mentor to guide the team by sharing expertise and experience. Mentorship will be provided in this step.
• Final acquisition and exercise. The whole team, fully aware of the plan, will execute the method and do all that is in the plan to ensure that the contingent threats are mitigated.
The preservation process
Continuity plan management is one of the most important processes, as it ensures that the plan is up to date and operating effectively in a given business (Yuasa & Nakano, 2017). It is a method in which the planning team tracks the progress of the execution and recommends the necessary upgrades. This preservation plan must include the methods and procedures for assessing, updating and monitoring the plan over a given period of years (Furfaro, 2016). The preservation process will be as follows:
1. Monitoring the execution. This includes tracking the execution method over time. The monitoring team will be accountable for tracking the mitigation actions and will give a report quarterly (Hawkins, 2016). Each and every function will be monitored, from the financial to the regulatory function. In this case, the development team will identify the agency and inform it of the mitigation actions to monitor. In the case of spreading the message to the public or installing video surveillance/AI systems, the monitoring agency will study whether the method is proceeding as planned, and it will also report on it in real time.
2. Evaluating success. The plan’s chances of success lie in the achievement of its goals, which will also be assessed by the monitoring team (Haji, 2016). Because of the aim of increasing the public’s knowledge of risks and hazards, the monitoring team will conduct research on a yearly basis to establish how much knowledge the public has of risk and hazard management. An evaluating agency, to be named by the development team, will annually prepare a report that reflects the progress of the plan’s performance (Kiessling, 2015). For effectiveness, it will also assess the number or percentage of the plan that has already been implemented.
3. Upgrading the plan. The world changes in the blink of an eye, so the development team will reassess and modify the plan once every five years to reflect changes in development, the progress of the planned mitigation efforts, and differences in priorities (Setiawan, 2017). This will help correct flaws and ensure that the plan remains effective for the ever-changing world and the people who might be affected. The upgrading procedures will be set by the development team, which will ensure that the plan is kept up to date and implementable.
Conclusion
Unforeseen circumstances are the only constants in the world of business, and no business can avoid them; they are unpredictable and can strike at any time. The damage depends on how well the company is prepared to face such instances. Being well prepared enables a quick response that mitigates these contingencies by reducing their effects and, most importantly, helps the business keep running its operations thanks to the backup plans and processes it has developed to ensure effectiveness. To succeed in getting over a catastrophic event, a business needs not only to have a business continuity plan but also to have command of its execution, by training the team and providing it with the very best resources so that it can respond in the correct manner. The maintenance of the method is as important as its execution, because the world is changing at a very fast pace and not upgrading a plan is like preparing to fail. On the whole, time is of the essence in such events: the sooner the business recovers, the less money it loses, and that can only happen if the execution is perfected by practicing and reporting on the method to keep track of progress and upgrades.