Role of HR Director in Business Continuity Planning

The victims of chemical spills, explosions, machine accidents and other workplace safety incidents often include not only a company’s staff but its operations. The company may need to close down all or part of the workplace for cleanup, repairs and internal and government investigations. It may need to replace damaged equipment, materials and machinery. And it may have to make up for the production losses of workers who have to miss work due to injury. If the company isn’t prepared, these disruptions could cause operations to slow down or even grind to a complete halt. And once a company suffers a blow like that, it might not fully recover.

That’s where a business continuity plan comes in. Such plans enable companies to continue to provide critical services or products after workplace safety and other incidents with the least possible disruption until normal operations can resume. But surprisingly, only 25% of Canadian organizations have such plans, according to an IDC Canada study. Even if a company does have a business continuity plan for general emergencies, such as floods, pandemics and power outages, that plan may not be set up to deal with the impacts of a workplace safety incident.

Business continuity plans are typically created by senior management committees. HR directors have an important role in business continuity planning even if they’re not on the committee. You need to make sure that your company’s plan is designed to deal with the effects of workplace safety incidents and not just with general emergencies. We’ll explain why your company needs a business continuity plan that specifically addresses safety incidents. We’ll also tell you about some business continuity standards you can base your company’s plan on and what this plan should cover.

The Importance of Business Continuity Plans

Many if not most companies have emergency management plans that address how the company will prevent emergencies or deal with them if they occur. Such plans typically include response measures designed to limit the impact of and help the company recover from emergencies. In fact, under the OHS laws, many companies are required to have to such plans.

Although emergency management plans and business continuity plans are related, their goals are different. An emergency response plan is designed to save lives, prevent injuries and minimize property damage; a business continuity plan is designed to enable the company to continue to meet its business and legal obligations in the aftermath of a crisis.

Without a business continuity plan, a safety incident could cause a company to lose significant revenue. For example, the incident may disrupt production causing the company to default on contractual obligations to customers. To prevent such harm to the company’s brand, reputation and customer relations, business continuity plans do 2 key things:

  • Spell out the steps, measures and arrangements needed to ensure the continuous delivery of critical services and products; and
  • Identify the resources needed to support operations continually, including personnel, information, equipment, finances and infrastructure.

Standards for Business Continuity Plans

If your company has a business continuity plan in place, how can you judge whether it’s adequate? One way to ensure that your company’s business continuity plan is effective is to base it on an established standard. Such standards include:

CSA Z1600. The Canadian Standards Association (CSA) has developed a Canadian business continuity standard called “CSA Z1600 Standard on Emergency Management and Business Continuity Programs.”

NFPA 1600. CSA Z1600 has specifically been harmonized with the U.S. National Fire Protection Association’s (NFPA) 1600: Standard on Disaster/Emergency Management and Business Continuity Plans. NFPA 1600 is a comprehensive framework standard that integrates emergency management and business continuity using a risk based, all hazards approach.

BS 25999. The British Standards Institution’s BS 25999 Business Continuity Management is designed to improve a company’s resilience when faced with the disruption of operations. BS 25999 provides a process that a company can follow to restore its ability to supply critical products and services to an agreed level and within an agreed timeframe following a disruption. Adopting the standard can also enable the company to develop the capability to manage a disruption and protect its reputation and brand. BS 25999 has two parts:

  • 1:2006: a code of practice that establishes the processes, methods, principles and terminology for business continuity management; and
  • 2:2007: a specification that details the requirements for a business continuity management system. The requirements are auditable—that is, your company could be audited for compliance with the standard’s requirements and earn certification.

What Plan Should Cover

As a starting point, you should ensure that your company’s plan has at least the five sections recommended by Public Safety Canada’s guide:

1. Governance Structure

Someone in the company needs to create, implement and oversee the business continuity plan. Typically, these tasks are done by a senior management committee. The plan should define the committee’s roles and responsibilities and spell out who the members of the committee are.

2. Business Impact Analysis

The purpose of a business impact analysis is to:

  • Identify the company’s mandate and critical services or products;
  • Identify impacts of disruptions to operations, such as how long the organization could function without a service or product and how long customers would accept the unavailability of that service or product;
  • Identify areas of potential revenue loss, additional expenses and intangible losses that a disruption to operations might cause;
  • Spell out insurance requirements and coverage;
  • Rank the critical services or products based on potential loss of revenue, time of recovery and severity of impact a disruption would cause; and
  • Identify “dependencies”—that is, those services or products that are dependent on the delivery of other services or products.

3. Steps, Measures and Arrangements

This section is the meat and potatoes of the plan—that is, the actual steps to be taken to ensure that the company’s business continues after a safety incident. The company should establish teams to implement these steps and lead recovery and response operations.

The plan should initially try to mitigate the disruption of the company’s business, such as by having stand-by generators available in case, say, a worker on a crane inadvertently takes down a power line, cutting electricity to the facility. If mitigation isn’t possible or sufficient, the plan should address the steps necessary to respond to events as they unfold. These steps should anticipate increasing levels of disruption. For example, if a safety incident causes a pipe to burst and flood the facility, the initial step could be to move work to another floor of the facility or to another section of the facility. If the flooding proves more extensive than initially believed, work may need to be moved to another building or facility in an entirely different location. So, the plan should address the availability of other facilities.

4. Readiness Procedures

A business continuity plan can only be implemented smoothly and effectively if:

  • All workers and staff are familiar with the plan and aware of their individual responsibilities under it; and
  • Workers on teams responsible for implementing the plan and leading response and recovery operations are properly trained on their functions as well as those of the other teams.

Thus, training is a key part of a business continuity plan’s success. But training isn’t enough. To ensure adequate preparation, you also need to conduct exercises that simulate a safety incident and require workers and teams to respond accordingly. Although exercises are time consuming, they’re the best way to ensure that the plan is effective. If there are holes in the plan, you want to identify them during an exercise not an actual emergency. You can then integrate the knowledge gained from these exercises into the plan.

5. Quality Assurance Techniques

You can’t simply create a business continuity plan, train workers and team members on it, run a few exercises and then throw the plan in a drawer until you need it. As a company’s business and operations change, the plan will need to change accordingly. So, companies should review their plan internally:

  • On a regular basis, such as annually or bi-annually;
  • When workplace hazards change;
  • When substantive changes to the company occur; and
  • After an exercise to incorporate the lessons learned from it.

In addition, the company should consider having an outside consultant audit the plan to verify the procedures used to determine the critical services and processes and the plan’s overall methodology, accuracy and comprehensiveness.

Conclusion

Whether or not you’re a member of the senior management committee that’s responsible for your company’s business continuity plan, as a safety coordinator it’s your responsibility to ensure that senior management understands the implications a safety event could have for the company’s operations—and its bottom line. If your company doesn’t have a business continuity plan at all, talk to senior management about creating one and make sure the plan addresses all possible disruptions to the operations, including safety incidents. If the company already has a plan but it doesn’t address safety incidents, try to convince senior management to revise the existing plan so that it does. Your efforts could spell the difference between whether your company recovers from a safety incident or is financially crippled by it.