Building Blocks: Geographically Distributed Organizations

This is Part Three of our Business Continuity series. We recommend reading Parts One and Two first.

"Building blocks: stakeholders and drivers" was an overview of the various stakeholders that an organization should consider when developing a business continuity plan. That article also outlined some of the common drivers for continuity plans. This article discusses another factor that influences business continuity plans: geography.

When organizations are geographically distributed across two or more countries (with the units in each country hereafter referred to as subsidiaries), business continuity planning is developed the same way as in a single-nation organization. However, their dispersion also necessitates taking additional factors into account.

Figure 01: Factors to consider when developing a business continuity plan

Standards that are local to the operating country - It is crucial for publicly listed organizations and private organizations operating in a regulated industry to consider the local standards of the various countries they do business in. Some countries have their own business continuity standards and expect compliance reporting against them. In this case, the business continuity policy, which is developed by the organization’s headquarters, needs to be high level, mandating some aspects of the planning globally while leaving some space for tweaks based on the standards of each country. This will help multinational companies keep their plans consistent, regardless of the country they operate in.

Another constraint is that some countries do not have a mature regulatory or government mandate for business continuity planning. In this case, the parent company would still maintain standard business continuity practice across its groups, while being mindful not to excessively burden subsidiaries operating in a less regulated location. In such cases, the parent company takes a baseline approach for all subsidiaries and leaves the rest to discretion.

Political nature of the operating country - Depending on the industry, the unpredictable nature of doing business in a particular country can take precedence over the parent company’s requirements, and certain aspects of organizational resiliency take center stage. If an office or plant of a multinational company operates in a war-torn country, crisis management is typically the priority. Similarly, if the operating country is more regulatory driven, then the communications aspects of the business continuity plan should be prioritized over other aspects. In all cases, it’s crucial that subsidiaries give feedback to the parent company. Having a business continuity committee is essential, and it must follow a standard mechanism.

Geographically interdependent business processes - Process interdependencies between subsidiaries and headquarters must be captured in a business impact analysis. Even small differences in standards or processes can be important information for some subsidiaries while being insignificant for others. Such a discovery enables the organization’s strategists to either localize those processes or integrate them into operations across subsidiaries. To determine how relevant subsidiary processes might be in other nations, strategists should consider the local business impact analysis as well as financial, operational and regulatory factors.

Distributed technology - Once the headquarters’ continuity planning team has identified process interdependence, it must analyze technology dependence and other resources to ensure that the decision made on process criticality is well supported by the technology components. In multinational companies, technology transformation programs might have led to moving a piece of technology from one data center to another data center, closer to the entity that uses it the most. Or, in some cases, technologies between subsidiaries might have been consolidated to a central location to optimize the organization’s spend. In the latter case, further analysis is required to understand whether the technology’s recovery time objective (RTO) and recovery point objective (RPO) would support the business process RTO and RPO.

If the analysis suggests that RTO or RPO would not be sufficiently supported, the findings must be discussed with the committee and the decision must be implemented accordingly, outside the scope of the business continuity plan. If the implementation of such a decision is going to take longer than the time it takes to finalize the business recovery strategy, the plan must take the current situation into consideration rather than waiting for an ideal one. Once the ideal situation is reached, the relevant portion of the business continuity plan must be updated.
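
The RTO/RPO analysis described above can be run as a simple gap check over the business impact analysis data. The following is an added example, not part of the original article: all process names, component names and hour values are constructed, and it assumes that a process which other processes depend on must recover no later than its strictest dependent.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tech:
    site: str      # where the component is hosted after consolidation
    rto_h: float   # recovery time the component can achieve, in hours
    rpo_h: float   # data-loss window the component can achieve, in hours

@dataclass(frozen=True)
class Process:
    entity: str           # subsidiary or headquarters that owns the process
    rto_h: float          # RTO required by the local business impact analysis
    rpo_h: float          # RPO required by the local business impact analysis
    tech: tuple = ()      # technology components the process runs on
    upstream: tuple = ()  # processes (possibly in other entities) it depends on

# Constructed sample data, not taken from any real organization.
TECHS = {"erp-central": Tech("HQ data center", 8, 4),
         "ledger-db": Tech("HQ data center", 4, 1),
         "payments-gw": Tech("Subsidiary A data center", 2, 0.25)}
PROCESSES = {
    "customer-payments": Process("Subsidiary A", 4, 0.5, ("payments-gw",), ("settlement",)),
    "settlement": Process("HQ", 24, 4, ("erp-central", "ledger-db")),
    "payroll": Process("Subsidiary B", 72, 24, ("erp-central",))}

def effective_targets(processes):
    """Tighten each upstream process to its strictest dependent's RTO/RPO."""
    eff = {n: [p.rto_h, p.rpo_h] for n, p in processes.items()}
    changed = True
    while changed:  # fixed point; also terminates on circular dependencies
        changed = False
        for name, p in processes.items():
            for up in p.upstream:
                for i in (0, 1):
                    if eff[name][i] < eff[up][i]:
                        eff[up][i], changed = eff[name][i], True
    return eff

def find_gaps(processes, techs, propagate=True):
    """Return (process, component, objective, required_h, achievable_h) gaps."""
    eff = effective_targets(processes) if propagate else {
        n: [p.rto_h, p.rpo_h] for n, p in processes.items()}
    gaps = []
    for name, p in processes.items():
        for t in p.tech:
            for i, (label, have) in enumerate((("RTO", techs[t].rto_h), ("RPO", techs[t].rpo_h))):
                if have > eff[name][i]:
                    gaps.append((name, t, label, eff[name][i], have))
    return gaps

if __name__ == "__main__":
    for gap in find_gaps(PROCESSES, TECHS):
        print("%s on %s: %s required %sh, achievable %sh" % gap)
```

With these sample values, each entity's own analysis shows no gap; the shortfall in the consolidated components appears only once the subsidiary's tighter targets are carried over to the headquarters process it depends on.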

Crisis management - Mature organizations have a well-integrated business continuity plan which includes crisis management. The tactical aspects of crisis management are usually influenced by the geographic location of the organization. However, the management processes may involve more than just the subsidiary, due to the parent company’s oversight requirements and subject matter expertise not being available at the local level. Also, depending on the nature of the local crisis, the management and oversight could be escalated to the parent company, which may comprise members from other subsidiaries. The parent company may also have to manage the overall communication that is sent out by a subsidiary, which, if not managed properly, could result in overall reputational damage for the group. Thus, the crisis management plan must be integrated into the business continuity plan.

Communication - When an organization doesn’t manage its communications properly, it can lead to an unfavorable market response. Communication plans contain management and tactical processes, in addition to guidelines and sometimes even templates for external and internal communications. A good communication plan will also specify the threshold of crisis, i.e. the point at which communications management should be transferred from a subsidiary to the headquarters. When a disaster does strike a subsidiary operating critical infrastructure (resulting in a loss of manpower, massive destruction to the assets or extended disruption), the headquarters directs communications for the subsidiary so that they align with its overall communications strategy and instill confidence among local authorities and investors.

Overall scope - The scope of the continuity plan should be restricted to the organization where the planning is being developed. However, the scope must be flexible enough to extend partially beyond that location as necessary. The above factors must be considered, discussed and agreed upon when documenting the scope; the scope must then be communicated to the affected entities, and their concerns addressed.

Group business continuity plan - Multinational organizations should have a plan that formalizes the role of the parent organization in business continuity planning during a disaster; this plan can be part of, or distinct from, the parent company’s overall continuity plan. An organization-wide business continuity plan exists mostly as a means to provide oversight for its subsidiaries. As part of this plan, it’s good practice for organizations to form a group that comprises members from across subsidiaries. When a subsidiary reaches a threshold of impacts, it’s this group’s job to take a dominant role in close coordination with the affected local entities.

Conclusion

When developing a business continuity plan for an organization that is geographically dispersed, factors such as the operating country’s standards, political nature, business processes, technology, crisis management, communication and overall scope must be considered.
