For an energy company, the threat of a prolonged outage in a critical business process can have significant effects. In an era of high availability and instant information, stakeholders demand to know an organization is prepared to react appropriately and ensure continuity of operations.
Energy companies, because they generally are not consumer-facing and lack highly sensitive operations, normally don’t face the same type of stringent business continuity demands that other organizations (such as utilities) do in terms of real-time recovery – for example, most do not need to be back online within 24 hours of a disruption. However, energy companies need to ensure that production continues, communications are maintained and processes to monitor safety are functional.
Most commonly, producers need to recover critical processes related to accounting and finance, production information, trading desks (as applicable), and most important, communications. Focusing on this approach allows for better allocation of costs and management of resources, as well as the opportunity to assess any situation and make critical decisions.
Challenges and Opportunities
Often, a company will begin the development of a business continuity management (BCM) program with the best intentions, only to have the effort shelved due to lack of interest, constrained resources or limited knowledge of how to proceed. When the unthinkable occurs, the organization is left in a state of panic with an action plan that is either outdated or nonexistent.
At the same time, developing a “best practice” BCM program is a daunting and often unnecessary task. Instead, an organization should focus on developing a “right-sized” BCM program that supports the recovery of critical operations. The key elements of a BCM program that are designed to guide an organization through an outage involve business resumption, crisis communications and IT disaster recovery. The re-establishment of critical operations should take a phased approach using defined action plans that are essential to guide decision-making processes.
Certain key processes require a short recovery time objective; other processes, while important, do not require immediate attention. The company can determine this distinction by performing a business impact analysis (BIA) that assists in ranking key business processes. It can then document the resulting recovery plans through business resumption plans. Further, a strong crisis communications plan that distributes key information is vital – it establishes responsibility and channels for the distribution of information between field and corporate offices, to the media and investors, and to employees and their families. Finally, an IT disaster recovery plan dictates how essential technology will be recovered. Consensus between the business and IT must be reached regarding the required recovery steps to ensure the recovery plan aligns with business needs.
Our Point of View
Organizations should not consider a BCM program to be a minor administrative matter or solely an IT function. BCM program development should begin with a risk assessment and BIA. The risk assessment assists with identifying potential environmental, manmade and technological risks to the organization. The BIA helps the organization reach an understanding of the business requirements, the impacts of downtime and a strategic approach toward mitigating the risk of an outage. In doing this, organizations must understand how the current IT infrastructure aligns with the business requirements.
After taking these key steps, executives will be armed with the information necessary to make a strategic decision. The strategy they employ should be based on the cost of the solution and the residual risk that management is willing to accept. Once these decisions are made, the next step should be the development of business resumption plans and crisis management plans. These will allow IT to close any technological gaps identified in the BIA process so it can implement the infrastructure changes necessary to achieve the recovery timelines required by management.
The completion of the IT disaster recovery plan marks the final phase of development. Most importantly, companies cannot just draw up their plans and be done. Any business continuity plan needs to be tested and updated over time. Organizations also must revalidate key recovery assumptions periodically. No one wants to see something go wrong, but inevitably it will. This type of planning will help executive management and the organization mitigate the issues in a rapid and organized manner, which is just the approach an organization strives for in a crisis situation.
Protiviti’s Business Continuity Management (BCM) professionals employ a proven methodology that focuses on ensuring the expedient response, recovery and restoration of critical business processes during unplanned business interruptions. Our approach is business-oriented and based upon risks related to an organization’s key business process drivers. We focus on the evaluation of processes, infrastructure, information and people that are inherent to our clients’ critical business processes.
Some companies have a greater risk tolerance than others; therefore, they are not necessarily looking to implement a full-scale business continuity approach based on leading practices. We consider it our objective to provide you with the necessary information you need to make the best decisions for your organization. We will report on our perception of the risk you face in your organization and present various options for mitigating that risk. This enables you to make the most informed decisions regarding the management of business continuity operations.
Protiviti assisted a leading independent energy company actively engaged in the exploration and production of oil and natural gas to develop a BCM program and the supporting business resumption plans, crisis management plans and IT disaster recovery plans. Through the effort, the organization determined that three key processes related to its gas marketing and accounting functions had to be restored within 24 hours of an interruption. We helped the company develop resumption plans to manage this recovery need and also facilitated a controlled IT disaster recovery test – at the direction of the company’s CFO – to confirm that the IT department was prepared to manage a failover effort when an outage situation arose.